Slippery Windows Updates' SOAP bubbles up SYSTEM priveleges Microsoft has bungled Windows Server Update Services (WSUS), according to hackers Paul Stone and Alex Chapman, with insecure defaults that let them hijack OS updates. Attackers that have previously gained admin privilege on a target system can elevate themselves to system-level access by skipping the normal signed update …
"WSUS installations are safe if system administrators follow Microsoft hardening guidelines including using SSL"
So follow good practice, and you're OK. And if you haven't applied SSL and they can't break in to your network then you're still OK?
Might have a quick look at config later just to be sure
Well, the assumption is that on Windows, Administrator has lower rights than LocalSystem (latter would be root equivalent, while the former is not). Of course, since Administrator has enough rights to install any software including services running under LocalSystem, that is nothing else but an interesting way to make the hack a little less obvious (because who would suspect Windows Update ?)
Theoretically, it would also allow you to move laterally in some environments where the deployment of Windows updates is managed by a centralised server. Get local admin on that server via, say, a compromised service account (people seem to love giving their service accounts local admin) and you could effectively weaponise updates deployed to other hosts.
"So attackers that already have admin access can compromise the device?"
Windows has fine grained ACLs and constrained delegation, so that accounts like "administrator" can have only the rights they actually need.
You can also lock down the administrator account and restrict it's system access rights if you want to. So even with admin rights on Windows sometimes elevating privileges is required to be able to hack something.
It's perfectly relevant as Microsoft have a habit of recycling crufty old code and they have just opened up multiple P2P connections to untrusted computer which are on by default.
As for admin rights, all you need to do is couple it with a privilege escalation bug exploit and oops.
More interesting than the WSUS and ARP spoofing is the awareness of the fact you could easily make a usb device with an arduino to spoof being a certain piece of hardware. That gives you the ability to install 533 different kernel drivers from 3rd parties. There has to be an exploit in one of them. No doubt one of our government agencies will probably have such a device already.
Just one more attack hole to add to the theory that if you have physical access, it's game over.
In the past, El Reg has carried stories of hardware vendors who were caught creating USB devices that initially identified themselves as keyboards and then injected commands to install their payload whether the user agreed or not. Since the USB standards for such basic devices are implemented by a Microsoft driver, I'm not sure you even need to find an exploit.
See http://www.theregister.co.uk/2014/07/31/black_hat_hackers_drive_truck_through_hole_in_usb_security/ and links therein.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
