This article is more than 1 year old
Slippery Windows Updates' SOAP bubbles up SYSTEM priveleges
Vexed hackers find win in PsExec, man-in-the-middle
Blackhat 2015: Microsoft has bungled Windows Server Update Services (WSUS), according to hackers Paul Stone and Alex Chapman, with insecure defaults that let them hijack OS updates.
Attackers that have previously gained admin privilege on a target system can elevate themselves to system-level access by skipping the normal signed update process.
The "exciting look at one of the dullest corners of the Windows OS" was presented at Black Hat Las Vegas this week in the paper WSUSpect: Compromising the Windows Enterprise via Windows Update [PDF].
"This (WSUS) weakness allows a malicious local network-based attacker or low privileged user to fully compromise target systems that use WSUS to perform updates," Context Information Security's Stone and Chapman say in the paper.
"During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands."
The pair says WSUS installations are safe if system administrators follow Microsoft hardening guidelines including using SSL.
Stone and Chapman say local attackers can gain better access by modifying the metadata for Microsoft-signed update files or create fake updates for victims to install.
Those fake updates and arbitrary arguments can be executed by using the CommandLineInstallation update handler, and using the PsExec utility.
Man-in-the-middle attackers residing somewhere on the network can pull off the stunt by using ARP spoofing or WPAD injection to mess with SOAP requests made between WSUS and client. That attack relies on sys admins not applying SSL to the update process.
If the target enterprise is using Sophos anti-virus which flags PsExec as a hack tool, attackers should try BgInfo and host the configuration file on an unauthenticated Windows share.
Additional work as part of the research found that third party drivers installed through Microsoft but developed and signed by other developers "greatly increased" user attack surfaces.
By emulating various USB devices the pair finds 83 percent of drivers downloaded through the Windows update process are from third parties, of which half installed.
Those 1150 drivers included installations of 533 new kernel drivers, 58 system-level boot programs, and 12 high-level services.
"The huge amount of 3rd party drivers, services and applications which can be installed through Windows Update may introduce significant security weaknesses to a target system," they say.
The WSUS when hardened nixes this risk.
Admins should read the foot of the paper for hardening tips. ®