{"id":669,"date":"2020-09-18T15:01:07","date_gmt":"2020-09-18T22:01:07","guid":{"rendered":"https:\/\/fr.gosec.net\/?p=669"},"modified":"2020-09-18T15:01:07","modified_gmt":"2020-09-18T22:01:07","slug":"on-the-shoulder-of-giants-reviving-wsus-attacks","status":"publish","type":"post","link":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/","title":{"rendered":"On the Shoulder of Giants: Reviving WSUS Attacks"},"content":{"rendered":"<h2>On the Shoulder of Giants: Reviving WSUS Attacks<\/h2>\n<p>In 2015, Paul Stone and Alex Chapman presented a novel attack at the BlackHat USA conference. 
Their talk covered their exploration of the usual enterprise deployment of the Windows Update infrastructure (WSUS) and culminated in the release of WSUSpect-proxy, a tool that allows attackers to inject malicious updates and compromise hosts during a Machine-in-the-Middle (MITM) attack.<\/p>\n<p>Five years later, this tool has been poorly maintained and, even with this threat uncovered, we still see unencrypted WSUS servers in almost all our intrusion testing engagements. This highlights the fact that the threat is largely underestimated. First, its implementation encourages an HTTP-based deployment which is vulnerable by design. Furthermore, even organizations willing to harden WSUS will struggle to achieve a secure deployment since its technical resources and online documentation are lacking. In an effort to nail the coffin once and for all on HTTP-based WSUS, we wanted to dig deeper into the issue and performed CPR on the WSUSpect-proxy tool.<\/p>\n<p>This presentation will cover our research into WSUS, our new twist on the WSUS attack vector, and our revival of the WSUSpect-proxy threat model. Our research resulted in the birth of four different tools covering three different attack scenarios. Scenarios include previously undocumented techniques, while others describe bounty-awarded yet-to-be-disclosed Microsoft 0-days. 
This talk will bring value to both intrusion testers and defenders by covering both sides of these scenarios, from exploitation to detection and mitigation.<\/p>\n<p><a href=\"\/speakers\/maxime-nadeau\">Learn more about Maxime Nadeau<\/a><br \/>\n<a href=\"\/speakers\/romain-carnus\">Learn more about Romain Carnus<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2015, Paul Stone and Alex Chapman presented a novel attack at the BlackHat USA conference. Their talk covered their exploration of the usual enterprise deployment of the Windows Update infrastructure (WSUS) and culminated in the release of WSUSpect-proxy, a tool that allows attackers to inject malicious updates and compromise hosts during a Machine-in-the-Middle (MITM) attack.<\/p>\n<p>Five years later, this tool has been poorly maintained and, even with this threat uncovered, we still see unencrypted WSUS servers in almost all our intrusion testing engagements. This highlights the fact that the threat is largely underestimated. First, its implementation encourages an HTTP-based deployment which is vulnerable by design. Furthermore, even organizations willing to harden WSUS will struggle to achieve a secure deployment since its technical resources and online documentation are lacking. 
In an effort to nail the coffin once and for all on HTTP-based WSUS, we wanted to dig deeper into the issue and performed CPR on the WSUSpect-proxy tool.<\/p>\n<p>This presentation will cover our research into WSUS, our new twist on the WSUS attack vector, and our revival of the WSUSpect-proxy threat model. Our research resulted in the birth of four different tools covering three different attack scenarios. Scenarios include previously undocumented techniques, while others describe bounty-awarded yet-to-be-disclosed Microsoft 0-days. This talk will bring value to both intrusion testers and defenders by covering both sides of these scenarios, from exploitation to detection and mitigation.<\/p>\n<p><a href=\"\/speakers\/maxime-nadeau\">Learn more about Maxime Nadeau<\/a><\/p>\n<p><a href=\"\/speakers\/romain-carnus\">Learn more about Romain Carnus<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","_price":"","_stock":"","_tribe_ticket_header":"","_tribe_default_ticket_provider":"","_tribe_ticket_capacity":"","_ticket_start_date":"","_ticket_end_date":"","_tribe_ticket_show_description":"","_tribe_ticket_show_not_going":false,"_tribe_ticket_use_global_stock":"","_tribe_ticket_global_stock_level":"","_global_stock_mode":"","_global_stock_cap":"","_tribe_rsvp_for_event":"","_tribe_ticket_going_count":"","_tribe_ticket_not_going_count":"","_tribe_tickets_list":"[]","_tribe_ticket_has_attendee_info_fields":false,"footnotes":""},"categories":[12],"tags":[],"class_list":["post-669","post","type-post","status-publish","format-standard","hentry","category-session"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>On the Shoulder of Giants: Reviving WSUS Attacks - GoSec<\/title>\n<meta 
name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"On the Shoulder of Giants: Reviving WSUS Attacks - GoSec\" \/>\n<meta property=\"og:description\" content=\"In 2015, Paul Stone and Alex Chapman presented a novel attack at the BlackHat USA conference. Their talk covered their exploration of the usual enterprise deployment of the Windows Update infrastructure (WSUS) and culminated in the release of WSUSpect-proxy, a tool that allows attackers to inject malicious updates and compromise hosts during a Machine-in-the-Middle (MITM) attack. Five years later, this tool has been poorly maintained and, even with this threat uncovered, we still see unencrypted WSUS servers in almost all our intrusion testing engagements. This highlights the fact that the threat is largely underestimated. First, its implementation encourages an HTTP-based deployment which is vulnerable by design. Furthermore, even organizations willing to harden WSUS will struggle to achieve a secure deployment since its technical resources and online documentation are lacking. In an effort to nail the coffin once and for all on HTTP-based WSUS, we wanted to dig deeper into the issue and performed CPR on the WSUSpect-proxy tool. This presentation will cover our research into WSUS, our new twist on the WSUS attack vector, and our revival of the WSUSpect-proxy threat model. Our research resulted in the birth of four different tools covering three different attack scenarios. Scenarios include previously undocumented techniques, while others describe bounty-awarded yet-to-be-disclosed Microsoft 0-days. 
This talk will bring value to both intrusion testers and defenders by covering both sides of these scenarios, from exploitation to detection and mitigation. Learn more about Maxime Nadeau. Learn more about Romain Carnus.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"GoSec\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-18T22:01:07+00:00\" \/>\n<meta name=\"author\" content=\"GoSec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@GoSec\" \/>\n<meta name=\"twitter:site\" content=\"@GoSec\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"GoSec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/\"},\"author\":{\"name\":\"GoSec\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#\\\/schema\\\/person\\\/597cc888d84847d4d4199e9a331e8cab\"},\"headline\":\"On the Shoulder of Giants: Reviving WSUS 
Attacks\",\"datePublished\":\"2020-09-18T22:01:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/\"},\"wordCount\":398,\"publisher\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#organization\"},\"articleSection\":[\"Sessions\"],\"inLanguage\":\"fr-FR\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/\",\"url\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/\",\"name\":\"On the Shoulder of Giants: Reviving WSUS Attacks - GoSec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#website\"},\"datePublished\":\"2020-09-18T22:01:07+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/blog\\\/2020\\\/09\\\/18\\\/on-the-shoulder-of-giants-reviving-wsus-attacks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/gosec.net\\\/fr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"On the Shoulder of Giants: Reviving WSUS Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#website\",\"url\":\"https:\\\/\\\/gosec.net\\\/fr\\\/\",\"name\":\"GoSec\",\"description\":\"Together, let\u2019s inspire, educate, and shape the future of 
cybersecurity\",\"publisher\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/gosec.net\\\/fr\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#organization\",\"name\":\"GoSec\",\"url\":\"https:\\\/\\\/gosec.net\\\/fr\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/gosec.net\\\/wp-content\\\/uploads\\\/GoSec24-color.png\",\"contentUrl\":\"https:\\\/\\\/gosec.net\\\/wp-content\\\/uploads\\\/GoSec24-color.png\",\"width\":2000,\"height\":800,\"caption\":\"GoSec\"},\"image\":{\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/GoSec\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/gosec22-conference\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/gosec.net\\\/fr\\\/#\\\/schema\\\/person\\\/597cc888d84847d4d4199e9a331e8cab\",\"name\":\"GoSec\",\"sameAs\":[\"http:\\\/\\\/gosec.wpengine.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"On the Shoulder of Giants: Reviving WSUS Attacks - GoSec","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/","og_locale":"fr_FR","og_type":"article","og_title":"On the Shoulder of Giants: Reviving WSUS Attacks - GoSec","og_description":"In 2015, Paul Stone and Alex Chapman presented a novel attack at the BlackHat USA conference. 
Their talk covered their exploration of the usual enterprise deployment of the Windows Update infrastructure (WSUS) and culminated in the release of WSUSpect-proxy, a tool that allows attackers to inject malicious updates and compromise hosts during a Machine-in-the-Middle (MITM) attack. Five years later, this tool has been poorly maintained and, even with this threat uncovered, we still see unencrypted WSUS servers in almost all our intrusion testing engagements. This highlights the fact that the threat is largely underestimated. First, its implementation encourages an HTTP-based deployment which is vulnerable by design. Furthermore, even organizations willing to harden WSUS will struggle to achieve a secure deployment since its technical resources and online documentation are lacking. In an effort to nail the coffin once and for all on HTTP-based WSUS, we wanted to dig deeper into the issue and performed CPR on the WSUSpect-proxy tool. This presentation will cover our research into WSUS, our new twist on the WSUS attack vector, and our revival of the WSUSpect-proxy threat model. Our research resulted in the birth of four different tools covering three different attack scenarios. Scenarios include previously undocumented techniques, while others describe bounty-awarded yet-to-be-disclosed Microsoft 0-days. 
This talk will bring value to both intrusion testers and defenders by covering both sides of these scenarios, from exploitation to detection and mitigation. Learn more about Maxime Nadeau. Learn more about Romain Carnus.","og_url":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/","og_site_name":"GoSec","article_published_time":"2020-09-18T22:01:07+00:00","author":"GoSec","twitter_card":"summary_large_image","twitter_creator":"@GoSec","twitter_site":"@GoSec","twitter_misc":{"\u00c9crit par":"GoSec","Dur\u00e9e de lecture estim\u00e9e":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/#article","isPartOf":{"@id":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/"},"author":{"name":"GoSec","@id":"https:\/\/gosec.net\/fr\/#\/schema\/person\/597cc888d84847d4d4199e9a331e8cab"},"headline":"On the Shoulder of Giants: Reviving WSUS Attacks","datePublished":"2020-09-18T22:01:07+00:00","mainEntityOfPage":{"@id":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/"},"wordCount":398,"publisher":{"@id":"https:\/\/gosec.net\/fr\/#organization"},"articleSection":["Sessions"],"inLanguage":"fr-FR"},{"@type":"WebPage","@id":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/","url":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/","name":"On the Shoulder of Giants: Reviving WSUS Attacks - 
GoSec","isPartOf":{"@id":"https:\/\/gosec.net\/fr\/#website"},"datePublished":"2020-09-18T22:01:07+00:00","breadcrumb":{"@id":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/gosec.net\/fr\/blog\/2020\/09\/18\/on-the-shoulder-of-giants-reviving-wsus-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/gosec.net\/fr\/"},{"@type":"ListItem","position":2,"name":"On the Shoulder of Giants: Reviving WSUS Attacks"}]},{"@type":"WebSite","@id":"https:\/\/gosec.net\/fr\/#website","url":"https:\/\/gosec.net\/fr\/","name":"GoSec","description":"Together, let\u2019s inspire, educate, and shape the future of cybersecurity","publisher":{"@id":"https:\/\/gosec.net\/fr\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/gosec.net\/fr\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/gosec.net\/fr\/#organization","name":"GoSec","url":"https:\/\/gosec.net\/fr\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/gosec.net\/fr\/#\/schema\/logo\/image\/","url":"https:\/\/gosec.net\/wp-content\/uploads\/GoSec24-color.png","contentUrl":"https:\/\/gosec.net\/wp-content\/uploads\/GoSec24-color.png","width":2000,"height":800,"caption":"GoSec"},"image":{"@id":"https:\/\/gosec.net\/fr\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/GoSec","https:\/\/www.linkedin.com\/company\/gosec22-conference\/"]},{"@type":"Person","@id":"https:\/\/gosec.net\/fr\/#\/schema\/person\/597cc888d84847d4d4199e9a331e8cab","name":"GoSec","sameAs":["http:\/\/g
osec.wpengine.com"]}]}},"_links":{"self":[{"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/posts\/669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/comments?post=669"}],"version-history":[{"count":0,"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/posts\/669\/revisions"}],"wp:attachment":[{"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/media?parent=669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/categories?post=669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gosec.net\/fr\/wp-json\/wp\/v2\/tags?post=669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}