How to use WSUS to get control over Windows

Date: 14/10/2015

This was one of the most interesting attacks showed on Black Hat Las Vegas 2015. Let’s imagine the situation: there’s a large park of Windows computers in a large organization, and they all need to be updated. Obviously, getting all of them to download updates over the Internet is both pricy and uncomfortable. The common solution is a WSUS (Windows Server Update Services) server, which is used to manage updates. It downloads the updates and delivers them to all other computers.


This is a typical task and the solution is standard, so WSUS is widely adopted. This also makes it an attractive target for attacks. The Contextis company examined the principles of its work and developed an attack, which is both very powerful (you can get RCE with System privileges) and easy to reproduce. The white paper is voluminous, so we’ll concentrate on the main points.

So the company has a WSUS server, and the end hosts are configured through group policies to address this particular server for the updates. They use SOAP protocol, which by default works over HTTP. This is one of the most important factors for us. The standard port is 8530.

You can find a path to the end host in this registry node.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer

Here’s how the interaction between different hosts works. First of all the end host registers itself on the server and gets a cookie in reply, which is used later to access the server. After that the host routinely (usually once in 24 hours) requests if there’s an update. WSUS responds with a list of updates and paths, which can be used to download an update (also on WSUS). In case of an automated update the host downloads and installs the data found in the update (from SYSTEM, of course). There’s a similar process for installing drivers. In fact this process (and also the protocol) is identical to updating through Windows Update.

Only those updates can be installed that are signed with a valid Microsoft certificate. It is the primary component of the defence.

Several types of updates were found during the research. The most interesting for us is CommandLineInstallation (it’s a handler from the query). It uploads an executable file to the OS and runs it with particular parameters (for example this is used to run Microsoft’s antivirus).

So we have some hosts and a WSUS server. They communicate over an unprotected HTTP, so we can execute a MitM attack to change the data in the SOAP requests and the responses (SOAP requests themselves are not signed). The client has no means to check if the updates are real, we can install whatever we want during the attack. Using CommandLineInstallation we can execute any commands with any parameters in the OS.

Of course the executable file must be signed with a Microsoft certificate, but there’s no special Windows Update certificate. We can use any of them. Contextis suggests Mark Russinovich’s Sysinternals Tools as an excellent option. Since these tools were officially adopted by Microsoft they have a valid signature. With PsExec we can execute any commands and run any software (Meterpreter for example). We can also use BGinfo, since some third party antiviruses do not like PsExec.

As we can see, with default settings the system is extremely vulnerable. The main problem boils down to making the end host request updates from WSUS, so that we wouldn’t have to wait for 24 hours to execute an attack.

BGinfo from Sysinternals Tools is signed by MS

BGinfo from Sysinternals Tools is signed by MS

Related posts:
2022.06.02 — Climb the heap! Exploiting heap allocation problems

Some vulnerabilities originate from errors in the management of memory allocated on a heap. Exploitation of such weak spots is more complicated compared to 'regular' stack overflow; so,…

Full article →
2022.01.01 — It's a trap! How to create honeypots for stupid bots

If you had ever administered a server, you definitely know that the password-based authentication must be disabled or restricted: either by a whitelist, or a VPN gateway, or in…

Full article →
2023.04.20 — Sad Guard. Identifying and exploiting vulnerability in AdGuard driver for Windows

Last year, I discovered a binary bug in the AdGuard driver. Its ID in the National Vulnerability Database is CVE-2022-45770. I was disassembling the ad blocker and found…

Full article →
2022.02.15 — Reverse shell of 237 bytes. How to reduce the executable file using Linux hacks

Once I was asked: is it possible to write a reverse shell some 200 bytes in size? This shell should perform the following functions: change its name…

Full article →
2023.03.26 — Poisonous spuds. Privilege escalation in AD with RemotePotato0

This article discusses different variations of the NTLM Relay cross-protocol attack delivered using the RemotePotato0 exploit. In addition, you will learn how to hide the signature of an…

Full article →
2022.04.04 — Elephants and their vulnerabilities. Most epic CVEs in PostgreSQL

Once a quarter, PostgreSQL publishes minor releases containing vulnerabilities. Sometimes, such bugs make it possible to make an unprivileged user a local king superuser. To fix them,…

Full article →
2023.03.03 — Infiltration and exfiltration. Data transmission techniques used in pentesting

Imagine a situation: you managed to penetrate the network perimeter and gained access to a server. This server is part of the company's internal network, and, in theory, you could…

Full article →
2022.06.03 — Vulnerable Java. Hacking Java bytecode encryption

Java code is not as simple as it seems. At first glance, hacking a Java app looks like an easy task due to a large number of available…

Full article →
2022.06.01 — F#ck AMSI! How to bypass Antimalware Scan Interface and infect Windows

Is the phrase "This script contains malicious content and has been blocked by your antivirus software" familiar to you? It's generated by Antimalware Scan Interface…

Full article →
2022.01.11 — Persistence cheatsheet. How to establish persistence on the target host and detect a compromise of your own system

Once you have got a shell on the target host, the first thing you have to do is make your presence in the system 'persistent'. In many real-life situations,…

Full article →