At the beginning of the research, the aim was to explore the attack surface presented by Windows Update in a corporate environment. This led our researchers to focus on two main areas: the third-party drivers available through Windows Update, and Windows Server Update Services (WSUS), which allows updates to be managed and distributed on local intranets.
In this whitepaper we present our investigations into Windows Update, how it can be abused by low-privileged users to expand the operating attack surface, and finally how insecurely configured enterprise implementations of Windows Server Update Services (WSUS) can be exploited in local privilege escalation and network attacks.
Our researchers discovered that low-privileged users could install a large number of third-party drivers, services and accompanying applications through Windows Update by connecting various USB devices. However, when systems are configured with WSUS, individual drivers must be specifically approved by administrators. Although this is an interesting attack vector for non-WSUS users, we chose to move our focus to methods more applicable to the enterprise.
Whilst investigating WSUS-based systems we discovered a critical weakness in the default WSUS configuration. This weakness allows a malicious local network-based attacker or low-privileged user to fully compromise target systems that use WSUS to perform updates. During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands.
These are serious weaknesses; however, WSUS installations are protected against these attacks if Microsoft’s post-installation guidelines are followed. Full details of the identified attack and remediation instructions can be found in this paper.