gitea-mirror/PEASS-ng
1
0
Fork 0
mirror of https://github.com/peass-ng/PEASS-ng.git synced 2025-12-08 05:40:38 -08:00
Code Issues Packages Projects Releases Wiki Activity

winPEAS: fix potential NRE in WSUS check; add WSUS Server CVE-2025-59287 exposure enumeration

Browse Source
This commit is contained in:
HackTricks News Bot
2025-11-03 18:50:33 +00:00
parent d75525ebbc
commit a0248a7a74
1 changed files with 156 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

157
winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
View File

@@ -78,6 +78,7 @@ namespace winPEAS.Checks
PrintInetInfo, PrintInetInfo,
PrintDrivesInfo, PrintDrivesInfo,
PrintWSUS, PrintWSUS,
PrintWSUSServerCVE2025_59287,
PrintKrbRelayUp, PrintKrbRelayUp,
PrintInsideContainer, PrintInsideContainer,
PrintAlwaysInstallElevated, PrintAlwaysInstallElevated,
@@ -565,7 +566,8 @@ namespace winPEAS.Checks
string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"; string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer"); string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
string using_HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path2, "UseWUServer"); string using_HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path2, "UseWUServer");
if (HKLM_WSUS.Contains("http://")) // Avoid possible NullReferenceException when HKLM_WSUS is null
if (!string.IsNullOrEmpty(HKLM_WSUS) && HKLM_WSUS.Contains("http://"))
{ {
Beaprint.BadPrint(" WSUS is using http: " + HKLM_WSUS); Beaprint.BadPrint(" WSUS is using http: " + HKLM_WSUS);
Beaprint.InfoPrint("You can test https://github.com/pimps/wsuxploit to escalate privileges"); Beaprint.InfoPrint("You can test https://github.com/pimps/wsuxploit to escalate privileges");
@@ -590,6 +592,159 @@ namespace winPEAS.Checks
} }
} }
// New in Nov 2025: Local WSUS server deserialization RCE (CVE-2025-59287) exposure check
// This is a local, non-invasive enumeration: it checks if the WSUS Server role is present,
// whether default WSUS ports are listening, and if the October 23, 2025 OOB patches are installed.
// If WSUS is present, ports 8530/8531 are listening, and the OOB KBs are missing, the host is flagged
// as potentially vulnerable to unauthenticated RCE via unsafe deserialization on WSUS (SYSTEM impact).
static void PrintWSUSServerCVE2025_59287()
{
try
{
Beaprint.MainPrint("WSUS Server RCE (CVE-2025-59287) local exposure");
Beaprint.LinkPrint("https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287", "Checks WSUS role presence, listeners (TCP 8530/8531), and OOB patch status (KB5070881/KB5070882/KB5070883)");
// Detect WSUS Server role presence via registry/service/files
var wsusServerSetup = Helpers.Registry.RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Update Services\Server\Setup");
var wsusServiceReg = Helpers.Registry.RegistryHelper.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\WSUSService");
bool wsusFilesPathExists = false;
try
{
string pf = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
if (!string.IsNullOrEmpty(pf))
{
var installDir = System.IO.Path.Combine(pf, "Update Services");
wsusFilesPathExists = System.IO.Directory.Exists(installDir);
}
}
catch { }
bool isWsusInstalled = (wsusServerSetup != null && wsusServerSetup.Count > 0) ||
(wsusServiceReg != null && wsusServiceReg.Count > 0) ||
wsusFilesPathExists;
if (!isWsusInstalled)
{
Beaprint.NotFoundPrint();
return;
}
// Gather some basic WSUS details if present
string usingSSL = "";
string portNumber = "";
try
{
if (wsusServerSetup != null)
{
wsusServerSetup.TryGetValue("UsingSSL", out object usingSSLObj);
wsusServerSetup.TryGetValue("PortNumber", out object portObj);
usingSSL = usingSSLObj?.ToString() ?? "";
portNumber = portObj?.ToString() ?? "";
}
}
catch { }
if (!string.IsNullOrEmpty(portNumber))
{
Beaprint.GrayPrint($" WSUS configured port: {portNumber} (UsingSSL={usingSSL})");
}
// Check if default ports are listening
var listeningPorts = new System.Collections.Generic.HashSet<ushort>();
try
{
foreach (var tcp in winPEAS.Info.NetworkInfo.NetworkInfoHelper.GetTcpConnections(winPEAS.Info.NetworkInfo.Enums.IPVersion.IPv4))
{
if (tcp.LocalPort == 8530 || tcp.LocalPort == 8531)
{
if (tcp.State == winPEAS.Info.NetworkInfo.Enums.MibTcpState.Listen)
listeningPorts.Add(tcp.LocalPort);
}
}
foreach (var tcp in winPEAS.Info.NetworkInfo.NetworkInfoHelper.GetTcpConnections(winPEAS.Info.NetworkInfo.Enums.IPVersion.IPv6))
{
if (tcp.LocalPort == 8530 || tcp.LocalPort == 8531)
{
if (tcp.State == winPEAS.Info.NetworkInfo.Enums.MibTcpState.Listen)
listeningPorts.Add(tcp.LocalPort);
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
if (listeningPorts.Count > 0)
{
Beaprint.AnsiPrint(" WSUS listeners detected: " + string.Join(", ", listeningPorts.Select(p => $"TCP {p}")), new System.Collections.Generic.Dictionary<string, string>());
}
else
{
Beaprint.GrayPrint(" No default WSUS listeners (TCP 8530/8531) detected.");
}
// Check for presence of the October 23, 2025 OOB patches
var requiredKbs = new System.Collections.Generic.List<string> { "KB5070881", "KB5070882", "KB5070883" };
var installed = GetInstalledHotfixesLower();
var foundKbs = requiredKbs.Where(k => installed.Contains(k.ToLowerInvariant())).ToList();
if (foundKbs.Any())
{
Beaprint.GoodPrint(" OOB WSUS security update installed: " + string.Join(", ", foundKbs));
Beaprint.GoodPrint(" CVE-2025-59287 likely mitigated.");
}
else
{
// WSUS present and patch missing flag prominently
if (listeningPorts.Contains(8530) || listeningPorts.Contains(8531))
{
Beaprint.BadPrint(" WSUS role detected, default listeners present, and required KB not found.");
Beaprint.BadPrint(" Host may be vulnerable to CVE-2025-59287 (unauthenticated RCE via unsafe deserialization, runs as SYSTEM).");
}
else
{
Beaprint.BadPrint(" WSUS role detected and required KB not found.");
Beaprint.InfoPrint(" No default listeners found; verify WSUS exposure or custom bindings.");
}
Beaprint.InfoPrint(" Mitigate: install KB5070881/KB5070882/KB5070883 (2025-10-23 OOB), restrict/disable WSUS (TCP 8530/8531).");
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
// Return set of installed hotfix IDs in lowercase (e.g., {"kb5005565", ...})
private static System.Collections.Generic.HashSet<string> GetInstalledHotfixesLower()
{
var set = new System.Collections.Generic.HashSet<string>();
try
{
using (var search = new System.Management.ManagementObjectSearcher("SELECT HotFixID FROM Win32_QuickFixEngineering"))
using (var results = search.Get())
{
foreach (System.Management.ManagementObject hf in results)
{
var id = (hf["HotFixID"]?.ToString() ?? string.Empty).Trim();
if (!string.IsNullOrEmpty(id))
set.Add(id.ToLowerInvariant());
}
}
}
catch (Exception)
{
// Fall back: keep empty set which means we can't confirm installed KBs.
}
return set;
}
static void PrintKrbRelayUp() static void PrintKrbRelayUp()
{ {
try try