Conversation

oh

oh yikes

low-complexity 9.8 sev RCE on Windows Server Update Service, with vulnerability going back to at least 2012, and a PoC already out.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

@cR0w @neurovagrant @hrbrmstr is wsus just 'on by default' on windows server? or is it something you have to enable first so that it can be exploited over the internet?

@Viss @cR0w @hrbrmstr not on by default. it's a server role you need to activate.

αxel simon ↙︎↙︎↙︎

@neurovagrant Someone at an APT nearby is having a bad day.

There goes that reliable exploit they've used to coast through their career for the past 13 years!

@neurovagrant @cR0w @hrbrmstr i just went and piddled. looks like if a windows box has 8530/8531 open and that is in fact wsus, then it's game on

@neurovagrant @Viss @cR0w @hrbrmstr

Good thing no one is using WSUS anymore right. R I G H T?

@badsamurai @Viss @cR0w @hrbrmstr vuln goes back to at least WS2012, too.

Remember how many WS2012 clusters are still out there on the internet?

@Viss @cR0w @neurovagrant @hrbrmstr Not on by default if I rtfa correctly. But I do love critical vulns in services I’ve recommended to a gazillion clients over the years…

@mkoek @Viss @cR0w @hrbrmstr Correct, you have to enable the role. That being said, yep, a WSUS server was ubiquitous in clusters for the longest time.

@neurovagrant @mkoek @cR0w @hrbrmstr this'll be one of those privesc kinda deals huh

@Viss @mkoek @cR0w @hrbrmstr less privesc than establish beachhead and then move laterally into the cluster with other vulns

@neurovagrant @mkoek @cR0w @hrbrmstr i wonder if someone non admin can twiddle windows server to enable wsus, then exploit it to get system

@Viss @mkoek @cR0w @hrbrmstr that would be awwwwwweessssoooome.

i mean, disastrous. but as far as the spectacle goes...

@Viss @cR0w @neurovagrant @hrbrmstr My question is if that key in the PoC is the same on all systems?

@Viss @badsamurai @neurovagrant @cR0w @hrbrmstr
Oh it's only vulnerable if 8530/8531 is exposed? That'll help.

@FritzAdalis @badsamurai @neurovagrant @cR0w @hrbrmstr looks like wsus is just a webapp that runs as system under iis on a funny port

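The exposure condition the thread keeps circling back to (the WSUS role enabled, and the IIS-hosted WSUS site reachable on 8530/8531) can be checked from the defender's side. This is an added inventory script, not code from the thread or from Microsoft; it assumes a Windows Server with the ServerManager and NetTCPIP modules available and is run as an administrator.

```powershell
# Added example (not from the thread): report whether this host carries the
# WSUS exposure the thread describes. Role name "UpdateServices" and service
# name "WsusService" are the standard WSUS identifiers; ports 8530/8531 are
# the WSUS HTTP/HTTPS ports named in the thread.

function Get-WsusExposure {
    $result = [ordered]@{
        RoleInstalled    = $false
        ServiceRunning   = $false
        ListeningPorts   = @()
        NonLoopbackBinds = @()
    }

    # 1. Is the WSUS server role installed at all? (Not on by default.)
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    if ($role -and $role.Installed) { $result.RoleInstalled = $true }

    # 2. Is the WSUS service itself running?
    $svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $result.ServiceRunning = $true }

    # 3. Which WSUS ports are actually in LISTEN state, and on which address?
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 }
    $result.ListeningPorts = @($listeners |
        Select-Object -ExpandProperty LocalPort -Unique)

    # 4. A wildcard bind (0.0.0.0 / ::) means the site answers on every
    #    interface, which is the "8530/8531 open" condition from the thread.
    $result.NonLoopbackBinds = @($listeners |
        Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })

    [pscustomobject]$result
}

$exposure = Get-WsusExposure
$exposure | Format-List

if ($exposure.RoleInstalled -and $exposure.NonLoopbackBinds.Count -gt 0) {
    Write-Warning ("WSUS role installed and listening on all interfaces (" +
        ($exposure.NonLoopbackBinds -join ', ') +
        "); restrict reachability of 8530/8531 and apply the CVE-2025-59287 update.")
}
```

Run it across the fleet (for example via Invoke-Command) to find the WSUS and SCCM software update point hosts mentioned later in the thread before relying on perimeter exposure alone.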

@Viss @neurovagrant @cR0w @hrbrmstr apparently a lot of these ports are open, even on the internet :(

@neurovagrant @Viss @cR0w @hrbrmstr no need, you can push malicious updates to the rest of the network from that box

@mkoek @neurovagrant @cR0w @hrbrmstr yup, once you own wsus, you own the thing that pushes the updates

@mkoek @neurovagrant @cR0w @hrbrmstr if you didn't have domain admin by then, you DEFINITELY DO NOW

hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈

@neurovagrant @mkoek @Viss @cR0w We just modified a sensor profile to expose WSUS in various locales. Will keep y'all posted.

@hrbrmstr @mkoek @Viss @cR0w @0xThiebaut I half expect this to get bad enough that we'll need a hashtag and MS paint logo shortly

@neurovagrant @hrbrmstr @mkoek @Viss @0xThiebaut I don't have a computer to update the GAYINT pew pew map today. 🙏

@neurovagrant @hrbrmstr @mkoek @cR0w @0xThiebaut eh, shodan doesn't show many directly exposed, but i bet there'll be malware that suddenly starts scanning lans for 8350

@neurovagrant @hrbrmstr @mkoek @cR0w @0xThiebaut it's amazing how well 'the fucked up shit isn't on by default' helps in terms of limiting blast radius

@winterknight1337 @neurovagrant @mkoek @cR0w @hrbrmstr there's a chance i may be able to use this before it gets fully patched out, but it would mean someone suddenly got REAL EXCITED about signing a gig

@Viss @FritzAdalis @badsamurai @neurovagrant @cR0w @hrbrmstr correct, not installed by default (but easy to do). It also came/comes with an MSDE install in case you didn't have a SQL server

Also, self-signed certificates - if at all.

... Ugh, so many memories coming back having to install and operate it on SBS (Small Business Server) amongst other places

@Viss @FritzAdalis @badsamurai @neurovagrant @cR0w @hrbrmstr sorry, but I just remembered something: doesn't/didn't SCCM also use or cannibalise WSUS for its update distribution points? If so, wouldn't those also be affected? thonking

And the reporting/collection servers (I forgot what they were exactly called but basically the servers you could designate as the ones receiving the telemetry back - so you could split that and the actual distribution across servers)

@Viss @FritzAdalis @badsamurai @neurovagrant @cR0w @hrbrmstr Ah, I remembered correctly:

https://learn.microsoft.com/en-us/intune/configmgr/core/plan-design/configs/site-and-site-system-prerequisites

"When you use a software update point on a server other than the site server, install the WSUS Administration Console on the site server."

Might be of interest to confirm if the spicy stuff also works on those servers

K, I'll shut up now :)

@aprazeth

Good thing everyone has 100% deployment of 802.1x, right? R I G H T?

@Viss @FritzAdalis @neurovagrant @cR0w @hrbrmstr

@badsamurai @aprazeth @FritzAdalis @neurovagrant @cR0w @hrbrmstr

i've been doing this shit a very long time
and the thing i can tell you with great certainty is:

the people who read logs

and the people who ignore logs

are great ways to define 'how an org do'. You typically do not need to look further than that to understand their security chops

@neurovagrant @badsamurai @aprazeth @FritzAdalis @cR0w @hrbrmstr i've literally had people swear at me in the past because i have a habit of ctail -f /var/log/apache2/*log

@Viss @badsamurai @aprazeth @neurovagrant @cR0w @hrbrmstr
It's also fun when it dawns on someone that they should be reading logs.

@FritzAdalis @Viss @badsamurai @aprazeth @cR0w @hrbrmstr or when it dawns on Microsoft a configuration change invalidated the logs for months

@neurovagrant

Samesies. But we need a worst log contest. This one I used to parse for fleet telematics combined syslog, JSON and XML into the same file. Why?

@badsamurai whoever did that should be tried in the hague

@neurovagrant
I would make a little nest of syslog to nap in, if i could

@neurovagrant @h2onolan it's absolutely fucking bonkers to me that people pay for shit like splunk first without even considering a centralized syslog server with some kinda opensource gui to process stuff

@Viss @h2onolan not defending splunk, but part of it is organizational churn - you have to de-risk losing the person that set it up, so it needs to be standardized in and out.

@Viss @neurovagrant

Nerdfession: i run a vps with elastic for the sole purpose of pointing random shit at it and inspecting log entries.

@h2onolan @neurovagrant
[fumbles to setup a troll syslog client to squirt bullshit across the internet]

@Viss @h2onolan you on syslog, @cR0w on DNS, @catsalad fitting memes in there somewhere, and we'll be set.

I'll just sit back and watch.

@neurovagrant @h2onolan heh, you'd think the solutions that are straightforward, with copious documentation and a community surrounding them, would be the things folks go for, citing things like "operational and business continuity" and "transferability", but no - they go with sap and some custom oracle bullshit that two guys know, who you keep finding in pro-nazi forum dump/leaks

@neurovagrant @h2onolan @cR0w @catsalad

goddammit. i need to go fetch that logpush thing i wrote when i pushed threatbutt ascii art into @da_667's logs a few years ago.

@h2onolan @neurovagrant @cR0w @catsalad @da_667 okay. well..

i found the ascii art .. but not the script. so i guess i'm writing some kinda wrapper to take stuff like this and schlorp it into logs and be able to parse whitespace correctly...

(i have no idea wtf that path is. i dunno why it's there. this is super weird. wtf, past me, what were you thinking?)
