>>Good morning, everyone. We're here to talk about the Windows Update architecture, more specifically WSUS. But before that, let me just introduce ourselves briefly. Here's Yves. He works for the French National Security Agency, as a security auditor, for more than ten years now. And I'm Romain. I'm a security auditor as well, but I'm more of a developer, in a small company dealing with IT directory security issues. Before talking about WSUS itself, I'll introduce you to a problem, a scenario that we encountered sometimes during our pentests. So that's you, waiting to compromise a network. And somehow you get a foothold inside this network. It can be by phishing, or by compromising a JBoss server, or Tomcat, or iCloud with default credentials. As anyone knows, when you compromise this kind of server, it runs with SYSTEM privileges, because it has to; it doesn't work otherwise. So you pillage the credentials on this server. You manage to do some lateral movement. And at some point, you realize that with everything you have, you're blocked. You can't go any further into the network. But by looking at the information, the data that you got on these servers, you realize that there's another network, a disconnected one, next to the one you're trying to compromise. The problem here is that you do not have any more credentials to get further into the network. So you're basically screwed. But when you look at the servers you've compromised, there's a WSUS server. And the question we are going to talk about in this talk is: what if you can use this WSUS server to compromise its clients and, more specifically, the domain controllers that are clients of the WSUS server? And to answer this question, we need to understand a little bit of the WSUS architecture.
So here you are: the WSUS server inside the enterprise network, which is synchronizing its updates with Microsoft's update servers. And this synchronization is done in two steps. The first step is to synchronize the metadata over an HTTPS, secured channel. And the second one is to synchronize the binaries associated with this metadata, over an HTTP channel this time. This can be a problem, but actually isn't, because of the signature that any binary needs to have. We're talking about Authenticode signatures here. So no one can actually tamper with the binary, even if the channel is not secured by TLS. In the metadata you have anything relating to the updates themselves, including the Microsoft bulletin number, the description of the updates, whatever the information. And the binaries can be anything from a PSF file, a cabinet file, or, more interesting for us, an executable file. The executable file is a particularity, because it can take command-line arguments, and the command-line arguments are provided in the metadata, which is unsigned. We'll see why this is important later. Then inside the enterprise network, you have WSUS clients, which can be workstations or servers, from a filer to a domain controller, that regularly synchronize their updates with the WSUS server. They do it by default over an HTTP channel. Microsoft is pushing administrators to enable TLS, but it's not really often the case. The updates are obviously applied with full SYSTEM privileges, because if you need to replace a critical part of your system, you need full SYSTEM privileges to do that. In more complicated networks, you have what Microsoft calls upstream and downstream servers. Think of a worldwide company with an intranet like this and one policy to manage updates. You can chain servers and the updates will follow the chain.
And if you have even more complicated networks, with disconnected ones for example, Microsoft is providing a tool to export updates from a WSUS server to an external, disconnected WSUS server. So that's a quick overview of the WSUS architecture. We're going to talk now about the state of the art of attacks on WSUS. And it's going to be pretty quick, because there's only one attack that has been presented, at Black Hat USA, two years ago now. It's called WSUSpect, and the idea of the attack is to get a man-in-the-middle position between the WSUS clients and the WSUS server, intercept the answer of the server, inject a fake update into the metadata stream, because it's on an HTTP channel inside the enterprise network and the metadata is unsigned, and the clients then apply this new update with SYSTEM privileges. And that's how you get control of the WSUS clients. This really is a seminal work, because it's the first on the Microsoft update architecture, but it has some limitations. The first one is that you need to get a man-in-the-middle position, meaning that there's no network limitation in place, such as private VLANs for example. And the second limitation is that you need to get a useful one. So here I presented you a network without TLS enabled. But sometimes administrators do their job and secure these streams. In our case, it's difficult to put in place inside the network, the internet-connected network, but it definitely can be used for the disconnected one. So we developed our own tool, which is called WSUSpendu, and it's freely available on GitHub. The idea of the tool is not to have network limitations: if you have compromised a WSUS server, you can inject metadata into the database, and use a signed binary, we'll talk about that later, inside this WSUS server.
And when the clients synchronize, they will see a new update and download the binary related to this update. The first thing a client does when it downloads a binary is to check if the binary is signed by Microsoft. So you have to have a signed binary which can execute arbitrary commands. The two most known binaries are PsExec and BgInfo. They were presented with the WSUSpect attack. But actually you can find other binaries if you look at the AppLocker bypass projects, such as the one by subTee. So you can use for example MSBuild or InstallUtil, which are two binaries signed by Microsoft that take command-line arguments and can execute arbitrary commands. So you have command-line arguments in the metadata and a signed binary. That's how you get control of the WSUS clients.
>>Ok. So we have some video to demonstrate what can be done with WSUSpendu. Ok. In the scenario, we have compromised a bunch of servers, but we have not compromised the domain controllers. So we can use some servers to try to compromise the domain controllers. And among the servers which we have compromised, there are WSUS servers. So we try to inject an update, a malicious update, to control all the clients. Here we are on a WSUS client. We have absolutely no privilege and no account on this server. And right now only the administrator account is present. The aim of the attack is to add a new user on this computer. So, as we have compromised the WSUS server, we copy the binary, the resource [indiscernible], and the payload, PsExec in this case, onto the server, and we want to launch an injection. So we launch the injection of the payload, PsExec in this case, with some arguments, to add a user. So we launch a command to add a specific user with a specific password.
And since the update will be installed with SYSTEM privileges, we take advantage of this to add the user to the local Administrators group. The last thing we can specify is the computer name of the attacked computer. By providing it, we can automatically approve the update for this computer. We can check in the MMC console, and after refreshing, we can see everything is ok: the update is present and is approved for one computer among the four declared in the WSUS server. Ok, we go back to the client. And we have to have the client check to see if a new update is available. We can proceed by clicking on “check for updates.” And if an update is present, the system downloads it, starts it with SYSTEM privileges, and the update is installed. That's it. So we can check now the user list. And we can see the new user is present. And the user is a member of the local Administrators group, so [applause] mission succeeded. Ok. We have compromised the connected network. We have compromised all of the connected network, but we want a deeper intrusion into the network. We have seen that another network is present. But this network is not connected to the current network nor to the internet. So we want to inject an update in the WSUS server present in the connected network. And we want to wait for the administrator to transfer the update, to keep the disconnected network up to date. So, as we have again compromised the WSUS server in the connected network, we can launch the script. We copy WSUSpendu, prepared for an injection, and this time we want to launch PsExec, but the argument of this PsExec is not to add a new user, because that is not really useful against a disconnected network. Instead we want to launch PowerShell, and the argument of the PowerShell is an encoded payload; we'll see later what this payload is.
This time we cannot specify the target computer, because no computer of the disconnected network is known to this WSUS server. Ok. The update is injected. We can see it in the MMC console again. And everything is ok. Now we have to wait for the legitimate administrator to perform their work and transfer the updates, to keep this disconnected network up to date. So the administrator is connected on the WSUS server of the connected network. [clears throat] The administrator transfers the update binary and launches the WSUS tool provided by Microsoft to export the metadata from the database to an external device. After transferring the device to the disconnected network, we can import the updates. So with that, we copy the WsusContent directory into the disconnected network, and launch WsusUtil again to import the metadata into the database. Now we can see the update in the WSUS server located in the disconnected network. We can see some information like the classification: the update has the Security Updates classification. We can see some other information like the Microsoft bulletin, and that's MS17-010, the bulletin that describes the exploit used by WannaCry. All this information is controlled by the metadata set by WSUSpendu. Now what happens next depends on the configuration of the server. If we check in the options, we can see that the default automatic approval rule is set. This option is present by default, but not active by default. In this case the administrator just enabled it. This means that if we are in the Security Updates classification, the update will be automatically approved. That is the case here, so the update will be approved for all the computers. Now we go to the victim.
The victim is a computer in the disconnected network, and we have to wait for the victim to search if a new update is available. We can test it again by clicking “check for updates”, and normally the update will arrive and be installed with SYSTEM privileges. And if everything is ok, something will open. Ok. Remember that the administrator just wanted to update the disconnected network, to protect against some ransomware for example. And after doing it, we see the effect is a little bit different. [applause] As an attacker, we just have to wait for money now. Ok. So we have compromised the connected network. We have managed to transfer an update, a malicious update, to the disconnected network. And we have compromised the disconnected network. Ok. In conclusion, we can see that if we have WSUS servers in the network [laughter]... if we have WSUS servers in the network, we have a control relationship from the WSUS servers to all their clients. So we need to be careful about the positioning of these WSUS servers. When you design a new architecture, you have to be careful with the WSUS servers. Thanks for your attention. [applause]
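The primitive the talk relies on, a Microsoft-signed installer whose command-line arguments live in unsigned update metadata, is also what a defender can hunt for on a WSUS server. The scanner below is an added example written for this page; it is not code from the talk, from WSUSpendu, or from Microsoft. It assumes the per-update metadata XML has been pulled out of the WSUS database (SUSDB) or out of a WsusUtil export, one blob per update. The element and attribute names it matches (UpdateIdentity/UpdateID, Title, and an InstallCommand element with Program and Arguments under the CommandLineInstallation handler) are modelled on the WSUS update schema as I know it and should be treated as assumptions; the two sample updates are constructed, the first mimicking the demo (MS17-010-themed metadata wrapping PsExec to add a local administrator).

```python
"""Scan WSUS update metadata for command-line-handler updates (WSUSpendu-style injection).

Added example, not code from the talk or from WSUSpendu. Input: one metadata XML blob per
update, assumed exported from SUSDB or a WsusUtil export. Element names are modelled on the
WSUS CommandLineInstallation handler schema and are an assumption.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Microsoft-signed binaries that run whatever their command line says. The talk names
# PsExec, BgInfo, MSBuild and InstallUtil; psexec64.exe is added here as an assumption.
LOLBINS = {"psexec.exe", "psexec64.exe", "bginfo.exe", "msbuild.exe", "installutil.exe"}

# Argument fragments a genuine Windows update has no reason to carry.
SUSPICIOUS_ARGS = {
    "local account manipulation": re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b", re.I),
    "encoded PowerShell": re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    "shell passthrough": re.compile(r"\bcmd(\.exe)?\s+/c\b", re.I),
    "PsExec EULA bypass": re.compile(r"-accepteula\b", re.I),
}


@dataclass
class Finding:
    update_id: str
    title: str
    program: str
    arguments: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # The handler alone only warrants a look; a LOLBin or odd arguments is an incident.
        return "high" if len(self.reasons) > 1 else "review"


def _local(tag):
    """Drop the namespace: WSUS metadata mixes schemas, only the local name matters here."""
    return tag.rsplit("}", 1)[-1]


def analyze_update(xml_text):
    """Return a Finding when the update installs through an InstallCommand element, else None."""
    root = ET.fromstring(xml_text)
    update_id = title = ""
    install_cmd = None
    for el in root.iter():
        name = _local(el.tag)
        if name == "UpdateIdentity":
            update_id = el.get("UpdateID", "")
        elif name == "Title" and not title:
            title = (el.text or "").strip()
        elif name == "InstallCommand" and install_cmd is None:
            install_cmd = el
    if install_cmd is None:
        return None  # MSI, CBS, driver ... handlers take no free-form arguments

    program = install_cmd.get("Program", "")
    arguments = install_cmd.get("Arguments", "")
    finding = Finding(update_id, title, program, arguments,
                      ["command-line handler: arguments live in unsigned metadata"])
    if program.rsplit("\\", 1)[-1].lower() in LOLBINS:
        finding.reasons.append(f"program {program!r} is a known Microsoft-signed LOLBin")
    for label, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(arguments):
            finding.reasons.append(f"suspicious arguments: {label}")
    return finding


def scan(update_xmls):
    """Analyze many updates; findings come back most severe first."""
    findings = [f for f in map(analyze_update, update_xmls) if f is not None]
    return sorted(findings, key=lambda f: f.severity != "high")


# Constructed sample mimicking the demo: MS17-010-themed metadata wrapping PsExec, which adds
# a local administrator. The Arguments attribute is single-quoted to hold the inner quotes.
INJECTED_UPDATE_XML = """<Update xmlns="http://schemas.microsoft.com/msus/2002/12/Update"
  xmlns:cmd="http://schemas.microsoft.com/msus/2002/12/UpdateHandlers/CommandLineInstallation">
  <UpdateIdentity UpdateID="8b1aa53b-4e9e-4f7a-9a3e-000000000001" RevisionNumber="1"/>
  <LocalizedPropertiesCollection><LocalizedProperties><Language>en</Language>
    <Title>Security Update for Microsoft Windows (MS17-010)</Title>
  </LocalizedProperties></LocalizedPropertiesCollection>
  <HandlerSpecificData type="cmd:InstallCommand">
    <cmd:InstallCommand Program="psexec.exe" RebootByDefault="false" DefaultResult="Succeeded"
      Arguments='-accepteula -s -d cmd /c "net user backdoor Passw0rd! /add &amp;&amp; net localgroup administrators backdoor /add"'/>
  </HandlerSpecificData>
</Update>"""

# Constructed benign counterpart: a Windows Installer patch, no InstallCommand at all.
BENIGN_UPDATE_XML = """<Update xmlns="http://schemas.microsoft.com/msus/2002/12/Update"
  xmlns:msi="http://schemas.microsoft.com/msus/2002/12/UpdateHandlers/WindowsInstaller">
  <UpdateIdentity UpdateID="8b1aa53b-4e9e-4f7a-9a3e-000000000002" RevisionNumber="1"/>
  <LocalizedPropertiesCollection><LocalizedProperties><Language>en</Language>
    <Title>Update for Microsoft Office</Title>
  </LocalizedProperties></LocalizedPropertiesCollection>
  <HandlerSpecificData type="msi:MsiPatch"><msi:MsiPatch PatchCode="{00000000-0000-0000-0000-000000000000}"/></HandlerSpecificData>
</Update>"""

if __name__ == "__main__":
    for f in scan([BENIGN_UPDATE_XML, INJECTED_UPDATE_XML]):
        print(f"[{f.severity}] {f.update_id}  {f.title}")
        for reason in f.reasons:
            print("   -", reason)
```

Matching on local element names rather than fully qualified ones keeps the scanner working whatever namespace prefixes a given export uses. The first reason on its own only rates "review", because legitimate updates do occasionally ship through the command-line handler; it is the combination with a known signed LOLBin, or with arguments that create accounts or launch an encoded PowerShell, that turns the update into an incident. The same walk over the metadata is a natural place to add the client-side checks the talk implies: an HTTPS WUServer setting and an approval rule that does not auto-approve by classification alone.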