On the Shoulder of Giants: Reviving WSUS Attacks
In 2015, Paul Stone and Alex Chapman presented a novel attack at the BlackHat USA conference. Their talk covered their exploration of the typical enterprise deployment of the Windows Update infrastructure (WSUS) and culminated in the release of WSUSpect-proxy, a tool that allows attackers to inject malicious updates and compromise hosts during a Machine-in-the-Middle (MITM) attack.
Five years later, this tool has been poorly maintained and, even with this threat uncovered, we still see unencrypted WSUS servers in almost all our intrusion testing engagements. This highlights the fact that the threat is largely underestimated. First, the WSUS implementation encourages an HTTP-based deployment, which is vulnerable by design. Furthermore, even organizations willing to harden WSUS will struggle to achieve a secure deployment, since its technical resources and online documentation are lacking. In an effort to nail the coffin shut once and for all on HTTP-based WSUS, we wanted to dig deeper into the issue and performed CPR on the WSUSpect-proxy tool.
This presentation will cover our research into WSUS, our new twist on the WSUS attack vector, and our revival of the WSUSpect-proxy threat model. Our research resulted in the birth of four different tools covering three different attack scenarios. Some scenarios include previously undocumented techniques, while others describe bounty-awarded, yet-to-be-disclosed Microsoft 0-days. This talk will bring value to both intrusion testers and defenders by covering both sides of these scenarios, from exploitation to detection and mitigation.