
This was one of the most interesting attacks shown at Black Hat Las Vegas 2015. Imagine the situation: a large organization has a large fleet of Windows computers, and all of them need to be updated. Obviously, having every one of them download updates over the Internet is both costly and inconvenient. The common solution is a WSUS (Windows Server Update Services) server, which manages updates: it downloads them once and delivers them to all the other computers.
The task is typical and the solution is standard, so WSUS is widely deployed, which also makes it an attractive target. The company Contextis examined how it works and developed an attack that is both very powerful (you get RCE with SYSTEM privileges) and easy to reproduce. The white paper is long, so we'll concentrate on the main points.
So the organization has a WSUS server, and the end hosts are configured through Group Policy to request updates from this particular server. Client and server talk SOAP, which by default runs over plain HTTP; this is one of the most important factors for us. The standard port is 8530.
On an end host, the address of the WSUS server it has been configured to use is stored in this registry value:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
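The precondition for everything that follows is that the client's WSUS URL uses plain HTTP. The script below is an added example (not from the original article or from Contextis) that audits exactly that: it parses `reg query` output for the policy key, reads `WUServer` and its companion value `WUStatusServer`, and flags any `http://` server URL as exposed to interception. The `reg query` sample is constructed for the example, and the live-mode helper that shells out to `reg` on Windows is an assumption about how a practitioner would feed it real data.

```python
"""Audit a Windows Update client's WSUS configuration for a plaintext update channel.

Added example: reads the policy values a WSUS client uses (WUServer and
WUStatusServer) and reports any server URL that is reached over http://.
"""
import re
import subprocess
import sys
from urllib.parse import urlsplit

POLICY_KEY = r"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"
SERVER_VALUES = ("WUServer", "WUStatusServer")
# WSUS defaults: 8530 for HTTP, 8531 for HTTPS.
DEFAULT_PORTS = {"http": 8530, "https": 8531}

# Constructed sample of `reg query` output for a client on the insecure default (HTTP, 8530).
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate
    WUServer    REG_SZ    http://wsus.corp.example:8530
    WUStatusServer    REG_SZ    http://wsus.corp.example:8530
    TargetGroupEnabled    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Parse `reg query` output into a {value_name: data} dict.

    Assumes the usual one-value-per-line layout 'name    REG_TYPE    data';
    value names containing spaces are not handled.
    """
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$", line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def audit_wsus_url(url):
    """Classify one WSUS server URL.

    Returns the scheme, the effective port (explicit or the WSUS default for the
    scheme) and whether the channel is exposed: any non-https URL counts as
    exposed, regardless of port, because the SOAP messages are not signed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if scheme == "https":
        reason = None
    elif scheme == "http":
        reason = "plaintext HTTP: SOAP requests and update metadata can be rewritten in transit"
    else:
        reason = f"unrecognised scheme {scheme!r}"
    return {"url": url, "scheme": scheme, "host": parts.hostname, "port": port,
            "exposed": scheme != "https", "reason": reason}


def audit_client(reg_output):
    """Audit every WSUS server value present in the policy key's `reg query` output."""
    values = parse_reg_query(reg_output)
    return {name: audit_wsus_url(values[name]) for name in SERVER_VALUES if name in values}


def read_live_policy():
    """Hypothetical live mode: on a Windows host, query the policy key with reg.exe."""
    proc = subprocess.run(["reg", "query", POLICY_KEY], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    output = read_live_policy() if sys.platform == "win32" else SAMPLE_REG_OUTPUT
    results = audit_client(output)
    if not results:
        print("no WSUS server configured in policy (client would use Windows Update directly)")
    for name, r in results.items():
        state = "EXPOSED" if r["exposed"] else "ok"
        detail = f": {r['reason']}" if r["reason"] else ""
        print(f"{name}: {r['url']} -> {state} (port {r['port']}){detail}")
```

Run as-is it audits the constructed sample and reports both values as exposed; on a Windows host it queries the real policy key instead. A client whose values point at an `https://` URL (WSUS listens on 8531 by default for SSL) is reported as ok, which is the configuration that removes the interception precondition the attack relies on.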
Here's how the interaction between the hosts works. First, the end host registers itself with the server and receives a cookie in reply, which it uses for later requests. After that, the host periodically (usually once every 24 hours) asks whether there are updates. WSUS responds with a list of updates and the paths from which they can be downloaded (also on the WSUS server). With automatic updates enabled, the host downloads and installs whatever the update contains (as SYSTEM, of course). There's a similar process for installing drivers. In fact, this process (and the protocol) is identical to updating through Windows Update.
Only updates signed with a valid Microsoft certificate can be installed. This is the primary component of the defence.
Several types of updates were found during the research. The most interesting for us is CommandLineInstallation (a handler type specified in the update metadata the server returns). It places an executable file on the system and runs it with particular parameters (for example, this is how Microsoft's antivirus is run).
So we have some hosts and a WSUS server. They communicate over unprotected HTTP, so a MitM attacker can alter the data in the SOAP requests and responses (the SOAP messages themselves are not signed). The client has no way to verify that the updates are genuine, so during the attack we can install whatever we want. With CommandLineInstallation we can execute any command with any parameters on the host.
Of course, the executable file must be signed with a Microsoft certificate, but there's no dedicated Windows Update certificate; any Microsoft-signed binary will do. Contextis suggests Mark Russinovich's Sysinternals tools as an excellent option: since these tools were officially adopted by Microsoft, they carry a valid signature. With PsExec we can execute any commands and run any software (Meterpreter, for example). BgInfo can also be used, since some third-party antiviruses dislike PsExec.
As we can see, with default settings the system is extremely vulnerable. The remaining problem boils down to making the end host request updates from WSUS, so that we wouldn't have to wait 24 hours to carry out the attack.