
This was one of the most interesting attacks showed on Black Hat Las Vegas 2015. Let’s imagine the situation: there’s a large park of Windows computers in a large organization, and they all need to be updated. Obviously, getting all of them to download updates over the Internet is both pricy and uncomfortable. The common solution is a WSUS (Windows Server Update Services) server, which is used to manage updates. It downloads the updates and delivers them to all other computers.
This is a typical task and the solution is standard, so WSUS is widely adopted. This also makes it an attractive target for attacks. The Contextis company examined the principles of its work and developed an attack, which is both very powerful (you can get RCE with System privileges) and easy to reproduce. The white paper is voluminous, so we’ll concentrate on the main points.
So the company has a WSUS server, and the end hosts are configured through group policies to address this particular server for the updates. They use SOAP protocol, which by default works over HTTP. This is one of the most important factors for us. The standard port is 8530.
You can find a path to the end host in this registry node.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Here’s how the interaction between different hosts works. First of all the end host registers itself on the server and gets a cookie in reply, which is used later to access the server. After that the host routinely (usually once in 24 hours) requests if there’s an update. WSUS responds with a list of updates and paths, which can be used to download an update (also on WSUS). In case of an automated update the host downloads and installs the data found in the update (from SYSTEM, of course). There’s a similar process for installing drivers. In fact this process (and also the protocol) is identical to updating through Windows Update.
Only those updates can be installed that are signed with a valid Microsoft certificate. It is the primary component of the defence.
Several types of updates were found during the research. The most interesting for us is CommandLineInstallation (it’s a handler from the query). It uploads an executable file to the OS and runs it with particular parameters (for example this is used to run Microsoft’s antivirus).
So we have some hosts and a WSUS server. They communicate over an unprotected HTTP, so we can execute a MitM attack to change the data in the SOAP requests and the responses (SOAP requests themselves are not signed). The client has no means to check if the updates are real, we can install whatever we want during the attack. Using CommandLineInstallation we can execute any commands with any parameters in the OS.
Of course the executable file must be signed with a Microsoft certificate, but there’s no special Windows Update certificate. We can use any of them. Contextis suggests Mark Russinovich’s Sysinternals Tools as an excellent option. Since these tools were officially adopted by Microsoft they have a valid signature. With PsExec we can execute any commands and run any software (Meterpreter for example). We can also use BGinfo, since some third party antiviruses do not like PsExec.
As we can see, with default settings the system is extremely vulnerable. The main problem boils down to making the end host request updates from WSUS, so that we wouldn’t have to wait for 24 hours to execute an attack.

2022.01.12 — First contact. Attacks against contactless cards
Contactless payment cards are very convenient: you just tap the terminal with your card, and a few seconds later, your phone rings indicating that…
Full article →
2022.06.03 — Vulnerable Java. Hacking Java bytecode encryption
Java code is not as simple as it seems. At first glance, hacking a Java app looks like an easy task due to a large number of available…
Full article →
2023.07.07 — Evil Ethernet. BadUSB-ETH attack in detail
If you have a chance to plug a specially crafted device to a USB port of the target computer, you can completely intercept its traffic, collect cookies…
Full article →
2023.02.21 — Pivoting District: GRE Pivoting over network equipment
Too bad, security admins often don't pay due attention to network equipment, which enables malefactors to hack such devices and gain control over them. What…
Full article →
2022.01.01 — It's a trap! How to create honeypots for stupid bots
If you had ever administered a server, you definitely know that the password-based authentication must be disabled or restricted: either by a whitelist, or a VPN gateway, or in…
Full article →
2023.02.13 — Ethernet Abyss. Network pentesting at the data link layer
When you attack a network at the data link layer, you can 'leapfrog' over all protection mechanisms set at higher levels. This article will walk…
Full article →
2023.04.04 — Serpent pyramid. Run malware from the EDR blind spots!
In this article, I'll show how to modify a standalone Python interpreter so that you can load malicious dependencies directly into memory using the Pyramid…
Full article →
2022.06.02 — Climb the heap! Exploiting heap allocation problems
Some vulnerabilities originate from errors in the management of memory allocated on a heap. Exploitation of such weak spots is more complicated compared to 'regular' stack overflow; so,…
Full article →
2023.07.29 — Invisible device. Penetrating into a local network with an 'undetectable' hacker gadget
Unauthorized access to someone else's device can be gained not only through a USB port, but also via an Ethernet connection - after all, Ethernet sockets…
Full article →
2023.06.08 — Cold boot attack. Dumping RAM with a USB flash drive
Even if you take efforts to protect the safety of your data, don't attach sheets with passwords to the monitor, encrypt your hard drive, and always lock your…
Full article →