myhack58 / 佚名 (Anonymous) / MYHACK58:62201569440
Published: Nov 27, 2015 - 12:00 a.m.

Windows Update + Man-in-the-Middle = Remote Command Execution - Vulnerability Warning - Black Bar Security Net

www.myhack58.com

0x00 Windows Server Update Services
WSUS is short for Windows Server Update Services. With this Windows service, the administrator only needs to make sure that one host on the local network can reach the Microsoft Update servers; every host inside the network can then receive Windows updates quickly.
In short, a WSUS server inside the network is a proxy for the official Windows update servers. The WSUS server fetches the official updates from the Internet and caches them locally. The administrator only has to select in WSUS which patches (the various ms-2015-*** bulletins) should be deployed, and they are pushed over HTTP or HTTPS to the other servers in the network. Hosts that for various reasons cannot be exposed to the Internet, such as an Oracle database server, can thus download their patches from WSUS on schedule. This noticeably raises the security level of the network and allows fine-grained patch management, which is why many large networks deploy a WSUS server as part of their hardening.
Because WSUS follows a client/server model, both the server and the client have to be configured. The client machine stores the address of its WSUS server in the registry under
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
For example, the stored value might be http://wsus01:8530. Port 8530 is the default port of a WSUS deployment, and it is plain HTTP (a WSUS server configured for HTTPS listens on 8531 by default); that unauthenticated, unencrypted transport is what the man-in-the-middle scenario in this article relies on.
0x01 WSUS Protocol Analysis
WSUS uses SOAP over XML for its client/server communication. When a client host connects to the WSUS server for the first time, it goes through a registration process like the one below.
[Figure: client registration exchange]
Once registration is complete, the client host can perform its scheduled update checks (as long as the cookie has not expired).
[Figure: periodic update check]
Let us look at each request in detail.

SOAP call                 Request                                   Response
SyncUpdates (hardware)    list of the machine's hardware            list of drivers that can be updated
SyncUpdates (software)    list of IDs of updates already installed  list of newly available updates and their metadata
GetExtendedUpdateInfo     specific update IDs                       detailed metadata for those IDs, including download URL, hash, ...
As you can see, the WSUS service is actually easy to understand:
A SyncUpdates call to the WSUS server returns the update IDs together with some descriptive metadata for each ID. Based on that metadata the machine decides which patches to install, and then sends GetExtendedUpdateInfo to obtain the detailed information it needs for installation.
Below is an example of a SyncUpdates response.
Example, WSUS server to client:
    <UpdateIdentity UpdateID="53979536-176e-46c2-9f61-bcf68381c065" RevisionNumber="206" />
    <Properties UpdateType="Software" />
    <Relationships>
      <Prerequisites>
        <UpdateIdentity UpdateID="59653007-e2e9-4f71-8525-2ff588527978" />
        <UpdateIdentity UpdateID="71c1e8bb-9a5d-4e56-a456-10b0624c7188" />
      </Prerequisites>
    </Relationships>
    <ApplicabilityRules>
      <IsInstalled>
        <b.FileVersion Version="6.1.7601.22045" Comparison="GreaterThanOrEqualTo"
                       Path="\conhost.exe" Csidl="37" />
      </IsInstalled>
      <IsInstallable>
        <Not>
          <CbsPackageInstalledByIdentity PackageIdentity="InternetExplorer-Package~11.2.9600.16428" />
        </Not>
      </IsInstallable>
    </ApplicabilityRules>
Once the client has decided which updates to install, it sends a GetExtendedUpdateInfo request to the WSUS server.
Example of a GetExtendedUpdateInfo request, client to WSUS server:
    <soap:Envelope>
      <soap:Body>
        <GetExtendedUpdateInfo>
          <cookie>[the cookie obtained at first-connection registration]</cookie>
          <revisionIDs>
            <int>13160722</int>
            <int>16753458</int>
            <int>17212691</int>
            <int>17212692</int>
          </revisionIDs>
          <infoTypes>
            <XmlUpdateFragmentType>Extended</XmlUpdateFragmentType>
            <XmlUpdateFragmentType>LocalizedProperties</XmlUpdateFragmentType>
            <XmlUpdateFragmentType>Eula</XmlUpdateFragmentType>
          </infoTypes>
          <locales>
(the request is cut off here; the article continues on the following page)
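The two calls described above, SyncUpdates followed by GetExtendedUpdateInfo, as an added example that is not part of the original article: a minimal client-side walk through the protocol. It parses a SyncUpdates response, evaluates the ApplicabilityRules (IsInstalled / IsInstallable) against a machine state the way the update agent does in principle, and serialises the GetExtendedUpdateInfo request for the revisions it decided it needs. The response layout (update XML placed directly under an UpdateInfo element carrying the revision ID), the second update and its GUID, the machine state, the SOAP 1.2 envelope and ClientWebService namespaces, and the locales encoding are all assumptions made for the example; only the b.FileVersion and CbsPackageInstalledByIdentity leaf rules from the page are implemented, and the Not/And/Or/True/False combinators go beyond the page's sample.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified SyncUpdates response modelled on the fragment in the
# article. Assumption: each update's XML sits directly under
# <UpdateInfo ID="..."> where ID is the server-side revision ID (the real
# service escapes the update XML inside an <Xml> element). The second update
# and its GUID are made up for the example.
SYNC_RESPONSE = """\
<NewUpdates>
  <UpdateInfo ID="13160722">
    <UpdateIdentity UpdateID="53979536-176e-46c2-9f61-bcf68381c065" RevisionNumber="206" />
    <Properties UpdateType="Software" />
    <ApplicabilityRules>
      <IsInstalled>
        <b.FileVersion Version="6.1.7601.22045" Comparison="GreaterThanOrEqualTo"
                       Path="\\conhost.exe" Csidl="37" />
      </IsInstalled>
      <IsInstallable>
        <Not><CbsPackageInstalledByIdentity PackageIdentity="InternetExplorer-Package~11.2.9600.16428" /></Not>
      </IsInstallable>
    </ApplicabilityRules>
  </UpdateInfo>
  <UpdateInfo ID="16753458">
    <UpdateIdentity UpdateID="00000000-1111-2222-3333-444444444444" RevisionNumber="1" />
    <Properties UpdateType="Software" />
    <ApplicabilityRules>
      <IsInstalled>
        <b.FileVersion Version="6.1.7601.17514" Comparison="GreaterThanOrEqualTo"
                       Path="\\cmd.exe" Csidl="37" />
      </IsInstalled>
      <IsInstallable><True /></IsInstallable>
    </ApplicabilityRules>
  </UpdateInfo>
</NewUpdates>
"""

# Constructed machine state: file versions keyed by (CSIDL, path) plus the set
# of installed CBS package identities. CSIDL 37 is CSIDL_SYSTEM (System32).
MACHINE = {
    "files": {(37, "\\conhost.exe"): "6.1.7601.17514",
              (37, "\\cmd.exe"): "6.1.7601.17514"},
    "cbs_packages": set(),
}

def parse_version(text):
    """Dotted file version -> tuple of ints, so that 6.1.7601.22045 compares
    greater than 6.1.7601.9999 (a plain string comparison gets this wrong)."""
    return tuple(int(part) for part in text.split("."))

COMPARISONS = {
    "EqualTo": lambda a, b: a == b,
    "GreaterThan": lambda a, b: a > b,
    "GreaterThanOrEqualTo": lambda a, b: a >= b,
    "LessThan": lambda a, b: a < b,
    "LessThanOrEqualTo": lambda a, b: a <= b,
}

def eval_rule(node, machine):
    """Evaluate one applicability-rule element against the machine state."""
    tag = node.tag
    if tag == "True":
        return True
    if tag == "False":
        return False
    if tag == "Not":
        return not eval_rule(node[0], machine)
    if tag == "And":
        return all(eval_rule(child, machine) for child in node)
    if tag == "Or":
        return any(eval_rule(child, machine) for child in node)
    if tag == "b.FileVersion":
        have = machine["files"].get((int(node.get("Csidl")), node.get("Path")))
        if have is None:            # file absent: the condition is simply false
            return False
        compare = COMPARISONS[node.get("Comparison")]
        return compare(parse_version(have), parse_version(node.get("Version")))
    if tag == "CbsPackageInstalledByIdentity":
        return node.get("PackageIdentity") in machine["cbs_packages"]
    raise ValueError(f"unsupported applicability rule: {tag}")

def select_updates(sync_response_xml, machine):
    """Revision IDs the client should ask about: IsInstallable holds and
    IsInstalled does not."""
    wanted = []
    for info in ET.fromstring(sync_response_xml).iter("UpdateInfo"):
        rules = info.find("ApplicabilityRules")
        installed = eval_rule(rules.find("IsInstalled")[0], machine)
        installable_rule = rules.find("IsInstallable")
        installable = True if installable_rule is None else eval_rule(installable_rule[0], machine)
        if installable and not installed:
            wanted.append(int(info.get("ID")))
    return wanted

# Assumption: SOAP 1.2 envelope and the WSUS ClientWebService namespace;
# locales are assumed to be carried as <string> children.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
CWS_NS = "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"
ET.register_namespace("soap", SOAP_NS)

def build_get_extended_update_info(cookie, revision_ids,
                                   info_types=("Extended", "LocalizedProperties", "Eula"),
                                   locales=("en-US",)):
    """Serialise a GetExtendedUpdateInfo request like the one in the article."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{CWS_NS}}}GetExtendedUpdateInfo")
    ET.SubElement(call, f"{{{CWS_NS}}}cookie").text = cookie
    ids = ET.SubElement(call, f"{{{CWS_NS}}}revisionIDs")
    for rid in revision_ids:
        ET.SubElement(ids, f"{{{CWS_NS}}}int").text = str(rid)
    types = ET.SubElement(call, f"{{{CWS_NS}}}infoTypes")
    for kind in info_types:
        ET.SubElement(types, f"{{{CWS_NS}}}XmlUpdateFragmentType").text = kind
    locs = ET.SubElement(call, f"{{{CWS_NS}}}locales")
    for loc in locales:
        ET.SubElement(locs, f"{{{CWS_NS}}}string").text = loc
    return ET.tostring(env, encoding="unicode", default_namespace=CWS_NS)

if __name__ == "__main__":
    needed = select_updates(SYNC_RESPONSE, MACHINE)
    print("revisions to fetch:", needed)
    print(build_get_extended_update_info("[cookie from registration]", needed))
```

With the constructed state the first update is selected (conhost.exe 6.1.7601.17514 is below 6.1.7601.22045 and IE11 is not installed) and the second is skipped as already installed; adding the IE11 package identity to `cbs_packages` makes the Not rule fail and the first update is dropped as not installable. The point for a man-in-the-middle is that the client decides what to install purely from this server-supplied metadata, which is why the transport over plain HTTP matters.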
