GoSecure / pywsus

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
https://gosecure.net/blog/
MIT License

Cannot replicate the PoC on Windows 10 #8

Closed yotabytes closed 3 years ago

yotabytes commented 3 years ago

Does the tool still correctly respond to syncupdates requests initiated on Windows 10 machines?

I have tried to replicate the PoC and set up a lab domain (Hyper-V) with a single domain controller (Server 2016) and a single domain-joined Win10. WSUS has been configured with setting 3 and enabled.

After successfully ARP poisoning and having `arp -a` show the MAC address of the Kali machine where pywsus is running, it was possible for pywsus to receive update requests. Whenever 'Check for updates' is clicked on Win10, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike the PoC, a GetExtendedUpdateInfo request is never received by pywsus.

The Win10 updates GUI shows an error (code 80240439) contacting the update server.

The Win10 WSUS update log shows the following (selected extract for brevity):

2021/04/28 12:40:08.8297096 1224 7052 WebServices Auto proxy settings for this web service call.
2021/04/28 12:40:08.8784820 1224 7052 WebServices FAILED [80240439] Web service call
2021/04/28 12:40:08.8784833 1224 7052 WebServices Current service auth scheme=0.
2021/04/28 12:40:08.8784839 1224 7052 WebServices Current Proxy auth scheme=0.
2021/04/28 12:40:08.8785000 1224 7052 Misc Got WSUS Client/Server URL: http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx""
2021/04/28 12:40:08.8807925 1224 7052 WebServices Proxy Behavior set to 1 for service url http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx
2021/04/28 12:40:08.8807971 1224 7052 ProtocolTalker FAILED [80240439] SyncUpdates_WithRecovery failed
2021/04/28 12:40:08.8808013 1224 7052 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 1303) stopped; does use network; is at background priority
2021/04/28 12:40:08.8808067 1224 7052 ProtocolTalker SyncUpdates round trips: 1
2021/04/28 12:40:08.8808077 1224 7052 ProtocolTalker FAILED [80240439] Sync of Updates
2021/04/28 12:40:08.8808160 1224 7052 ProtocolTalker FAILED [80240439] SyncServerUpdatesInternal failed
2021/04/28 12:40:08.8845612 1224 7052 Agent FAILED [80240439] Synchronize

The Windows 10 VM details are as follows:

Host Name:                 WIN10
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.18363 N/A Build 18363
OS Manufacturer:           Microsoft Corporation
Hotfix(s):                 10 Hotfix(s) Installed.
                       [02]: KB4513661
                       [03]: KB4516115
                       [04]: KB4517245
                       [05]: KB4521863
                       [06]: KB4577586
                       [07]: KB4580325
                       [08]: KB4589211
                       [09]: KB5001406
                       [10]: KB5001337

I am wondering if there is either a configuration setting that is required for this to be exploitable that I may have missed, or changes may have been made to the communication protocol wherein the SOAP response from pywsus is not considered valid, or security changes have been made that stop the rogue WSUS server from successfully proceeding to patch downloading.

Note that I have tried this with both the Windows Firewall and Windows Defender disabled and enabled, with the same outcome.
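Added example, not code from the issue thread or from the pywsus project: a small Python triage helper that parses the WindowsUpdate.log excerpt posted above (the sample lines are the ones from this comment, split one entry per line) and pulls out the two things that matter when debugging this attack on either side. First, the WSUS Client/Server URL the agent actually used and whether its scheme is plain http:// (the rogue server only works when the client is configured for an unauthenticated HTTP WSUS endpoint); second, every `FAILED [hresult]` entry, so you can see at which step (`Web service call`, `SyncUpdates_WithRecovery`, `Synchronize`) the round trip died, and whether a `GetExtendedUpdateInfo` call was ever logged. The HRESULT values are extracted, not decoded; mapping them to WU_E_* names is left to the reader.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# WindowsUpdate.log lines as posted in this issue (constructed sample input for
# this example; the stray "" after client.asmx is kept exactly as it appeared).
SAMPLE_LOG = '''\
2021/04/28 12:40:08.8297096 1224 7052 WebServices Auto proxy settings for this web service call.
2021/04/28 12:40:08.8784820 1224 7052 WebServices FAILED [80240439] Web service call
2021/04/28 12:40:08.8784833 1224 7052 WebServices Current service auth scheme=0.
2021/04/28 12:40:08.8784839 1224 7052 WebServices Current Proxy auth scheme=0.
2021/04/28 12:40:08.8785000 1224 7052 Misc Got WSUS Client/Server URL: http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx""
2021/04/28 12:40:08.8807925 1224 7052 WebServices Proxy Behavior set to 1 for service url http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx
2021/04/28 12:40:08.8807971 1224 7052 ProtocolTalker FAILED [80240439] SyncUpdates_WithRecovery failed
2021/04/28 12:40:08.8808013 1224 7052 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 1303) stopped; does use network; is at background priority
2021/04/28 12:40:08.8808067 1224 7052 ProtocolTalker SyncUpdates round trips: 1
2021/04/28 12:40:08.8808077 1224 7052 ProtocolTalker FAILED [80240439] Sync of Updates
2021/04/28 12:40:08.8808160 1224 7052 ProtocolTalker FAILED [80240439] SyncServerUpdatesInternal failed
2021/04/28 12:40:08.8845612 1224 7052 Agent FAILED [80240439] Synchronize
'''

# One log entry: timestamp, PID, TID, component name, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)
# "FAILED [80240439] SyncUpdates_WithRecovery failed" -> hresult + what failed
FAILED_RE = re.compile(r"FAILED \[(?P<hresult>[0-9A-Fa-f]{8})\]\s*(?P<what>.*)")
# Stops before whitespace or a quote, so the stray "" in the posted log is dropped.
URL_RE = re.compile(r"Got WSUS Client/Server URL:\s*\"?(?P<url>https?://[^\s\"]+)")


@dataclass
class Entry:
    ts: str
    pid: int
    tid: int
    component: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Parse WindowsUpdate.log text, silently skipping lines that do not match."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], int(m["pid"]), int(m["tid"]),
                                 m["component"], m["msg"]))
    return entries


def failures(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (component, HRESULT, description) for every FAILED entry, in order."""
    out = []
    for e in entries:
        m = FAILED_RE.search(e.msg)
        if m:
            out.append((e.component, m["hresult"].upper(), m["what"].strip()))
    return out


def wsus_url(entries: List[Entry]) -> Optional[str]:
    """First WSUS Client/Server URL the agent reported, or None."""
    for e in entries:
        m = URL_RE.search(e.msg)
        if m:
            return m["url"]
    return None


def wsus_uses_plain_http(url: Optional[str]) -> bool:
    """True when the client talks to WSUS over unauthenticated http://."""
    return url is not None and urlparse(url).scheme.lower() == "http"


def triage(text: str) -> dict:
    """Summarise one SyncUpdates attempt: target URL, scheme, failures, progress."""
    entries = parse_log(text)
    url = wsus_url(entries)
    fails = failures(entries)
    return {
        "wsus_url": url,
        "plain_http": wsus_uses_plain_http(url),
        "hresults": sorted({h for _, h, _ in fails}),
        "first_failure": fails[0] if fails else None,
        # The PoC only proceeds to downloads after this second SOAP call is made.
        "reached_extended_info": any("GetExtendedUpdateInfo" in e.msg for e in entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt above the helper reports a plain-http WSUS URL, a single HRESULT 80240439 first raised at the `Web service call` step, and no `GetExtendedUpdateInfo` entry, which matches the symptom described in the comment: the client reaches pywsus over HTTP but rejects the SyncUpdates response before asking for extended update information.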

nitbx commented 3 years ago

Hi @yotabytes,

It really looks like #6.

Indeed, Microsoft changed the behaviour of WSUS a little bit, but I think it should not block us from performing this attack with a WSUS HTTP server.

I will try with the ARP spoofing like you did.

Thank you.

nitbx commented 3 years ago

Hi @yotabytes,

I can confirm the attack works targeting Windows 10 Pro with Bettercap (ARP spoofing). I would need to double-check with Windows 10 Enterprise.

OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
[...]
11 Hotfix(s) Installed.
                           [01]: KB4601554
                           [02]: KB4562830
                           [03]: KB4570334
                           [04]: KB4577266
                           [05]: KB4577586
                           [06]: KB4580325
                           [07]: KB4586864
                           [08]: KB4589212
                           [09]: KB4598481
                           [10]: KB5001330
                           [11]: KB5001405


nitbx commented 3 years ago

Microsoft Windows 10 Enterprise 10.0.19042 N/A Build 19042 has been tested and it's working.


Hotfix(s):                 8 Hotfix(s) Installed.
                           [01]: KB4601554
                           [02]: KB4562830
                           [03]: KB4570334
                           [04]: KB4577266
                           [05]: KB4577586
                           [06]: KB4580325
                           [07]: KB5001391
                           [08]: KB5003156

nitbx commented 3 years ago

This commit should help with debugging in Wireshark. (HTTP traffic was not correctly shown.)

https://github.com/GoSecure/pywsus/commit/7372d07361e13e38a571ab642d326283cbaec7a8

fneur commented 3 years ago

@nitbx Is the tool still working for you? (The PoC is not working for me; the log says "found 0 updates and 0 categories", hence the call for extended info and the subsequent download are not executed.)

nitbx commented 3 years ago

Hi @fneur, I didn’t have the chance to use it recently but in April I made the demonstration that the tool still works. I have doubts that the attack doesn’t work anymore.

I would invite you to make a new issue with your setup information like we did here.

Thank you !

fneur commented 3 years ago

@nitbx Thanks for the quick reply. See #10 !