Paul Stone and Alex Chapman of our research team have released an open-source tool, 'WSUSpect Proxy', designed to help pen-testers demonstrate the risks of insecurely configured WSUS systems.
The tool was first demonstrated during their Black Hat USA 2015 talk, 'WSUSpect – Compromising the Windows Enterprise via Windows Update'.
An outline of the talk and a copy of the presentation can be found below.
WSUSpect - Compromising the Windows Enterprise via Windows Update
Ever wondered what really happens when you plug in a USB device and Windows begins 'searching for Drivers'? Who doesn't have that Windows Update reboot dialog sitting in the corner of their desktop? Our talk will take an exciting look at one of the dullest corners of the Windows OS.
WSUS (Windows Server Update Services) allows admins to co-ordinate software updates to servers and desktops throughout their organisation. Whilst all updates must be signed by Microsoft, we find other routes to deliver malicious updates to Windows systems using WSUS. We will demonstrate how a default WSUS deployment can be leveraged to gain SYSTEM level access to machines on the local network.
We also take a look at exactly what happens when you plug a new USB device into a Windows desktop. There are thousands of Microsoft-signed updates for 3rd party drivers available through Windows Update. We show how driver installs can be triggered by low privileged users and look at the insecurities that can be introduced by these Microsoft-blessed drivers.
In addition to some exciting demos we will also describe how to lock down enterprise WSUS configurations to avoid these "on by default" vulnerabilities.
You have 1 malicious update ready to install...
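The abstract above promises lock-down guidance but does not spell it out. The script below is an added example written for this page, not code from the original post or from the WSUSpect tool; it performs the first check a practitioner would want on a domain-joined client. It assumes the standard Windows Update policy registry keys (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey) and assumes the well-documented hardening for this class of issue: that WSUS client traffic should go to an https:// URL rather than plain http://, since a plain-HTTP WSUS URL lets anyone on the network path tamper with update metadata.

```powershell
# Added example (not from the original post or the WSUSpect tool).
# Reports whether this client is configured to fetch updates from a WSUS
# server, and whether that server URL uses HTTPS. Assumes the standard
# Windows Update policy keys; run in an elevated PowerShell on the client.
function Test-WsusTransport {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path $policyKey 'AU'

    # UseWUServer = 1 means "use the WSUS server in WUServer" instead of Microsoft Update.
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if (-not $au -or $au.UseWUServer -ne 1) {
        Write-Output 'UseWUServer is not set to 1: this client updates directly from Microsoft, not from WSUS.'
        return
    }

    $wsus = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $wsus) {
        Write-Warning "$policyKey is missing although UseWUServer is 1; check Group Policy."
        return
    }

    # WUServer is the update/metadata endpoint, WUStatusServer the reporting endpoint.
    # Both should be HTTPS; an http:// value is the weak, on-by-default configuration.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $wsus.$name
        if (-not $url) {
            Write-Warning "${name} is not set."
            continue
        }
        try {
            $uri = [System.Uri]$url
        } catch {
            Write-Warning "${name} is not a valid URL: $url"
            continue
        }
        if ($uri.Scheme -eq 'https') {
            Write-Output "${name}: $url (OK, HTTPS)"
        } else {
            Write-Warning "${name}: $url uses plain HTTP; update metadata can be tampered with on the network path."
        }
    }
}

Test-WsusTransport
```

This only inspects the client side of the configuration. Switching the policy URL to https:// is not enough on its own: the WSUS server must also be configured to require SSL, and the clients must trust the certificate it presents, otherwise update checks simply fail.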