WSUSpect - Compromising the Windows Enterprise via Windows Update

Presented at Black Hat USA 2015, Aug. 5, 2015, 3 p.m. (50 minutes)

Ever wondered what really happens when you plug in a USB device and Windows begins 'searching for Drivers'? Who doesn't have that Windows Update reboot dialog sitting in the corner of their desktop? Our talk will take an exciting look at one of the dullest corners of the Windows OS.

WSUS (Windows Server Update Services) allows admins to co-ordinate software updates to servers and desktops throughout their organisation. Whilst all updates must be signed by Microsoft, we find other routes to deliver malicious updates to Windows systems using WSUS. We will demonstrate how a default WSUS deployment can be leveraged to gain SYSTEM level access to machines on the local network.

We also take a look at exactly what happens when you plug a new USB device into a Windows desktop. There are thousands of Microsoft-signed updates for 3rd party drivers available through Windows Update. We show how driver installs can be triggered by low privileged users and look at the insecurities that can be introduced by these Microsoft-blessed drivers.

In addition to some exciting demos we will also describe how to lock down enterprise WSUS configurations to avoid these "on by default" vulnerabilities.

You have 1 malicious update ready to install...


Presenters:

  • Alex Chapman - Context Information Security
    Alex Chapman is a senior consultant for Context Information Security in the UK, where he is heavily involved in security research, including vulnerability discovery, exploitation, bespoke protocol analysis, and binary reverse engineering. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla and VMware, and has presented at security conferences around the world. His newfound interest involves hacking embedded devices, extracting firmware from unknown micro-controllers, and pointing out security flaws which have no place in modern-day software.
  • Paul Stone - Context Information Security Ltd.
    Paul Stone is a principal consultant for Context Information Security in the UK where he performs security research, penetration testing, and tool development. He has a focus on web application and browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox, and Safari. He has previously spoken at Black Hat USA and Black Hat Europe, presenting the well-received 'Pixel-Perfect Timing Attacks' and 'Next Generation Clickjacking' talks.
