Sims_Patch_Diff_BSides_Baltimore
MS Patch Analysis
Microsoft Patch Analysis for Exploitation
Stephen Sims
OS Market Share

• Windows 7 clearly dominant
• XP still at 7.4%
  • ATM Machines
  • Embedded systems
• Windows 10 quickly gaining traction
• Mac OS and Linux still a small number

Taken on April 29th, 2017 from https://www.netmarketshare.com/operating-system-comparison market-share.aspx?qprid=10&qpcustomd=0
Application and OS Patching

• Maintaining a handle on the patching of a large number of systems and applications is complex
• The more users who have Administrative access to their workstations, the more likely there are going to be unique applications installed
  • Many of which are likely not approved
  • Some companies grant all users Administrative access to their computers
• Some vendors make patching easy, such as Microsoft, and others have no process at all
• Solutions like application whitelisting can be performed, but this is hard when scaling in medium to large organizations
Microsoft Patch Tuesday

• Microsoft releases patches on the second Tuesday of each month, for now…, and only sometimes (No Feb, 2017 Patches…)
  • An effort to help simplify the patching process
  • Random patch releases caused many users to miss patches
  • However, waiting up to 30 days for the next patch has security concerns
• Emergency patches are released out-of-cycle
• Exploits sometimes released in the days following
  • “One-Day Exploits”
  • Some vendors will buy exploits for patched privately disclosed vulnerabilities
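The second-Tuesday schedule above is easy to compute when planning analysis time or patch windows. The following is an added Python example (not from the slides) that computes Patch Tuesday for a given month and the days remaining until the next one. It assumes the regular schedule only and does not model out-of-band releases or skipped months such as February 2017.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year, month):
    """Return the second Tuesday of the given month (the regular Patch Tuesday)."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Tuesday == 1 (calendar.TUESDAY)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def _as_date(value):
    """Accept either a date or an ISO string such as '2017-02-15'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def next_patch_tuesday(today):
    """The next regular Patch Tuesday on or after `today`."""
    today = _as_date(today)
    this_month = patch_tuesday(today.year, today.month)
    if this_month >= today:
        return this_month
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


def days_until_next_patch_tuesday(today):
    """How long a system stays on the current patch level if nothing ships out-of-cycle."""
    today = _as_date(today)
    return (next_patch_tuesday(today) - today).days


if __name__ == "__main__":
    for month in (1, 2, 3, 4):
        print(month, patch_tuesday(2017, month))
    print("days until next:", days_until_next_patch_tuesday("2017-02-15"))
```

The February 2017 case the slide mentions illustrates the limit of the calculation: the function still returns 2017-02-14, but no patches shipped that day and the fixes arrived in March.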
Windows as a Service (WaaS)

• Windows has always had various versions (Professional, Home, Enterprise, Ultimate), service packs, monthly updates, etc…
• Microsoft desires to have all systems in the same known state
  • This allows them to perform QA testing on systems in the same state as the customers receiving updates
• Monthly cumulative updates supersede the prior month’s update and include all features and fixes
  • Feature updates are deployed multiple times per year
  • Quality updates, including security patches, are sent in monthly cumulative packages
• Windows 10, Windows 10 Mobile, and Windows 10 IoT Mobile all fall under WaaS
Typical Patched System in an Enterprise vs. Microsoft Lab

https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview
WaaS Servicing Branches

• Three servicing branches are available to allow organizations to choose when devices are updated
  • Current Branch (CB) – Feature updates are immediately available to systems set not to defer updates
    • Good for developers and other groups to test for compatibility issues
  • Current Branch for Business (CBB) – Updates deferred for about four months while vetted by business partners and customers
    • After about four months the CB build is assumed
    • Quality updates can only be deferred for 30 days using Windows Update for Business, but up to 12 months with WSUS
  • Long-Term Servicing Branch (LTSB) – Updates deferred for an average of 2-3 years as devices are specialized, such as cash machines, medical, and automotive
Patch Distribution

• Windows Update
  • Automatic Updates, available in the Control Panel
    • Vista, 7, 8, 10 and Server 2008/2012/2016
  • Automatic Updates has expanded functionality
• Windows Server Update Service (WSUS)
  • Enterprise patch management solution
  • Control over patch distribution
• Windows Update for Business (WUB) for Windows 10
• Third-party Patch Management Solutions
Reverse Engineering Updates

• It is important to know that good guys, bad guys, and those in-between often reverse engineer security updates
  • Exploitation frameworks such as Metasploit, Core Impact, SAINT Exploit, and Immunity Canvas want to be able to offer their customers exploits that are not available from their competitors
  • Attackers want to quickly discover the patched vulnerability and attempt to develop a working exploit before most organizations patch
  • The above is often referred to as a “1-day exploit” since there is a race condition between the time a patch is released and the time systems are patched
• Reversing patches is an acquired skill and is not limited to Microsoft updates
Obtaining Patches for Analysis Up Until April, 2017

https://technet.microsoft.com/en-us/security/bulletins.aspx

Knowledge Base Number

April, 2017’s Update Changes Format Again…

• You must now go to: https://portal.msrc.microsoft.com/en-us/security-guidance
  • More difficult to navigate
  • You can still download the cumulative update from here
• You can get the actual vulnerability information here:
  • https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Types of Patches

• Patches for XP and Windows 2000, and 2003 server had .exe extensions, and still do for extended embedded XP support
  • For example, WindowsXP-KB979559-x86-ENU.exe
• Patches for Vista, 7, 8, 10, and Server 2008/2012/2016 have .msu extensions
  • For example, Windows6.0-KB979559-x86.msu
• Extraction methods differ slightly, as do the contents of each package
Extraction Tool for .msu Patches

• expand -F:* <.msu file> <dest>

c:\derp\MS16-106\Patched>expand -F:* Windows6.1-KB3185911-x86.msu .
Microsoft (R) File Expansion Utility Version 6.1.7600.16385
Copyright (c) Microsoft Corporation. All rights reserved.

Adding .\WSUSSCAN.cab to Extraction Queue
Adding .\Windows6.1-KB3185911-x86.cab to Extraction Queue
Adding .\Windows6.1-KB3185911-x86-pkgProperties.txt to Extraction Queue
Adding .\Windows6.1-KB3185911-x86.xml to Extraction Queue

Expanding Files ....

Expanding Files Complete ...
4 files total.
Cabinet File Contents

• We are interested in .cab files

c:\derp\MS16-106\Patched>expand -F:* Windows6.1-KB3185911-x86.cab .

#Output truncated for space…

c:\derp\MS16-106\Patched>dir /s /b /o:n /ad
c:\derp\MS16-106\Patched\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f
c:\derp\MS16-106\Patched\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.23528_none_bb7d823711eb39fd

We can see that one directory contains a patch to user32.dll and the other win32k.sys
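The component directory names above follow a regular layout: architecture, component name, public key token, file version, culture, and a hash. As an added example that is not from the talk, the Python helper below parses such names into fields, guesses the binary from the component name, and keeps the newest version per component when several revisions are present in one extraction. The regular expression and the "last hyphen-separated part is the binary name" heuristic are assumptions of this example; one older user32 directory name (with a placeholder hash of all zeros) is constructed for illustration.

```python
import re

# Assumed layout of a Windows component directory name, as seen in the
# extracted .cab above:
#   <arch>_<component-name>_<public-key-token>_<version>_<culture>_<hash>
COMPONENT_DIR_RE = re.compile(
    r"^(?P<arch>x86|amd64|wow64|msil|arm|arm64)_"
    r"(?P<name>.+?)_"                      # lazy: stops at the 16-hex token
    r"(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+\.\d+\.\d+\.\d+)_"
    r"(?P<culture>[^_]+)_"
    r"(?P<hash>[0-9a-f]{16})$"
)


def parse_component_dir(dirname):
    """Split a component directory name into its fields; None if it does not match."""
    match = COMPONENT_DIR_RE.match(dirname)
    if not match:
        return None
    fields = match.groupdict()
    # Numeric tuple so that 6.1.7601.23528 sorts after 6.1.7601.17514
    fields["version_tuple"] = tuple(int(p) for p in fields["version"].split("."))
    return fields


def guess_binary(fields):
    """Heuristic (assumption): the last hyphen-separated part of the component
    name is usually the base name of the binary, e.g. user32 or win32k."""
    return fields["name"].rsplit("-", 1)[-1]


def newest_per_component(dirnames):
    """Group directory names by (arch, component) and keep the highest version."""
    best = {}
    for dirname in dirnames:
        fields = parse_component_dir(dirname)
        if fields is None:
            continue  # not a component directory; ignore
        key = (fields["arch"], fields["name"])
        if key not in best or fields["version_tuple"] > best[key]["version_tuple"]:
            best[key] = {**fields, "dirname": dirname}
    return best


# Directory names from the slide, plus one constructed older user32 revision
# (its hash field is a placeholder, not a real component hash).
SAMPLE_DIRS = [
    "x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f",
    "x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.23528_none_bb7d823711eb39fd",
    "x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_0000000000000000",  # constructed
    "not-a-component-dir",
]

if __name__ == "__main__":
    for key, fields in newest_per_component(SAMPLE_DIRS).items():
        print(key, fields["version"], "->", guess_binary(fields))
```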
The Patched File

• Examining folder contents

c:\derp\MS16-106\Patched>cd x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f

c:\derp\MS16-106\Patched\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f>dir
Volume in drive C has no label.
Volume Serial Number is CEF2-482A

Directory of c:\derp\MS16-106\Patched\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f

01/31/2017 12:57 PM <DIR> .
01/31/2017 12:57 PM <DIR> ..
08/15/2016 06:48 PM 811,520 user32.dll   <-- Patched File
1 File(s) 811,520 bytes
2 Dir(s) 161,884,778,496 bytes free
Extracting Cumulative Updates

• As mentioned previously, patches are now cumulative and contain all updates for the OS version
  • This *can* make for very large update files that contain hundreds of files
  • Mapping an extracted file to the right Knowledge Base (KB) number is difficult
• Greg Linares (@Laughing_Mantis) wrote some PowerShell scripts to help with this problem
  • The concept is quite simple, using the modified date on the updated files to identify files that have changed within the last 30 days
  • They are then placed into unique directories and cleanup is performed
  • You still need to determine which file correlates to which advisory, but the process is much easier
Obtaining a Cumulative Update for Windows 10

• The following screenshot shows the cumulative update file for April, 2017

Very large files …but, Windows 7’s update is just around 100mb
PatchExtract

• Now that we have the update downloaded, let’s extract it with PatchExtract13 from Greg Linares

c:\Patches\MS17-JAN\x86>Powershell -ExecutionPolicy Bypass -File c:\Patches\PatchExtract13.ps1 -Patch windows10.0-kb3210720-x86_04faf73b558f6796b73c2fff144256122f4e36a9.msu -Path c:\Patches\MS17-JAN

• The above command looks quite long, but much of that is due to the long .msu filename
• This command took ~10 minutes to complete on the 500MB file
• It extracted every folder and file from the cumulative update and resulted in an enormous number of folders
• When randomly looking at a couple of the modified dates on some patched files, many dated all the way back to 2015
PatchClean

• We will now clean up the enormous output and list only the files changed within the past 30 days

c:\Patches\MS17-JAN\x86>Powershell -ExecutionPolicy Bypass -File c:\Patches\PatchClean.ps1 -Path c:\Patches\MS17-JAN\x86\

#Lots of output that has been truncated for space…

==========================================================
Low Priority Folders: 1020
Low Priority Files: 3810
High Priority Folders: 16

• As you can see, PatchClean has identified 16 folders whose contents have changed within the last 30 days
• This saves us a TON of time!
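PatchClean's concept (rank an extracted folder as high priority if any file inside it was modified within the last 30 days) is small enough to reproduce. The following is an added Python example, not Greg Linares's script, that builds a constructed sample extraction tree with adjusted modification times and classifies each top-level folder as high or low priority. The two component folder names come from the slides; the "example" component name and its all-zero hash are a placeholder, and the stub files are not real binaries.

```python
import os
import tempfile
import time

WINDOW_DAYS = 30  # same window PatchClean uses


def folder_has_recent_file(folder, now, window_days=WINDOW_DAYS):
    """True if any file under `folder` was modified within the window."""
    cutoff = now - window_days * 86400
    for dirpath, _dirnames, filenames in os.walk(folder):
        for name in filenames:
            if os.path.getmtime(os.path.join(dirpath, name)) >= cutoff:
                return True
    return False


def classify_folders(root, now=None, window_days=WINDOW_DAYS):
    """Split the top-level folders of an extraction tree into
    (high_priority, low_priority) lists by recent modification."""
    now = time.time() if now is None else now
    high, low = [], []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir():
            continue
        if folder_has_recent_file(entry.path, now, window_days):
            high.append(entry.name)
        else:
            low.append(entry.name)
    return high, low


def build_sample_tree(root, now):
    """Constructed sample tree: two component folders from the talk plus one
    made-up 'example' component (placeholder hash). Each gets a stub file
    whose modification time is pushed the given number of days into the past."""
    ages_days = {
        "x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f": 5,
        "x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.23528_none_bb7d823711eb39fd": 5,
        "x86_microsoft-windows-example_31bf3856ad364e35_6.1.7600.16385_none_0000000000000000": 400,
    }
    for name, age in ages_days.items():
        folder = os.path.join(root, name)
        os.makedirs(folder)
        stub = os.path.join(folder, "stub.dll")
        with open(stub, "wb") as fh:
            fh.write(b"MZ")  # stub content only, not a real DLL
        mtime = now - age * 86400
        os.utime(stub, (mtime, mtime))
    return ages_days


def demo():
    """Build the sample tree in a temporary directory and classify it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now)
        return classify_folders(tmp, now)


if __name__ == "__main__":
    high, low = demo()
    print("Low Priority Folders:", len(low))
    print("High Priority Folders:", len(high))
    for name in high:
        print("  ", name)
```

Note the limit this shares with the original approach: the modification date is metadata carried by the package, so a component that Microsoft rebuilt without a code change still surfaces as high priority, and the advisory mapping step on the next slides is still needed.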
PatchExtract / PatchClean Demonstration

• Extracting the April, 2017 Update

Patch Extraction Results
Mapping a Patched File to the Security Advisory

• MS17-001 says:

c:\Patches\MS17-JAN\x86>cd ie-htmlrendering_11.0.10240.17236

c:\Patches\MS17-JAN\x86\ie-htmlrendering_11.0.10240.17236>dir
Volume in drive C has no label.
Volume Serial Number is 6681-3E06

Directory of c:\Patches\MS17-JAN\x86\ie-htmlrendering_11.0.10240.17236

01/10/2017 05:01 PM <DIR> .
01/10/2017 05:01 PM <DIR> ..
12/21/2016 12:00 AM 18,796,032 edgehtml.dll
1 File(s) 18,796,032 bytes
2 Dir(s) 45,532,430,336 bytes free
Patch Diffing

• Security patches are often made to applications, DLLs, driver files, and shared objects
• When a new version is released, it can be difficult to locate what changes were made
  • Some are new features or general application changes
  • Some are security fixes
  • Some changes are intentional to thwart reversing
• Some vendors make it clear as to the reasoning for the update to the binary
• Binary diffing tools can help you locate the changes
Binary Diffing Tools

• The following is a list of well-known binary diffing tools:
  • Zynamics/Google’s BinDiff: Free as of March 18, 2016!
  • Core Security’s turbodiff: Free
  • DarunGrim 4 by Jeongwook Oh: Free
  • patchdiff2 by Nicolas Pouvesle: Free
  • Diaphora by Joxean Koret
  • There are more
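To show what a diffing tool is looking for, the added Python example below (not the output of BinDiff or any tool listed above) diffs two constructed function listings. It hashes each function's instruction text with immediates and offsets masked, so that a rebuild that only moves addresses does not register as a change, then reports which functions changed, were added, or were removed, and lists the inserted instructions for a changed function. Matching functions by name is a simplification of this example: the real tools match on control-flow structure because symbols are usually stripped from patched binaries.

```python
import difflib
import hashlib
import re

# Constructed sample listings (function name -> instruction strings), not real
# disassembly: the "patched" CopyInput gains a length check before the copy.
UNPATCHED = {
    "CopyInput": ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0x8]",
                  "mov edx, [ebp+0xc]", "call memcpy", "pop ebp", "ret"],
    "Helper": ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"],
    "OldOnly": ["ret"],
}
PATCHED = {
    "CopyInput": ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0x8]",
                  "cmp ecx, 0x100", "ja fail", "mov edx, [ebp+0xc]",
                  "call memcpy", "pop ebp", "ret"],
    "Helper": ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"],
    "NewOnly": ["ret"],
}

IMMEDIATE_RE = re.compile(r"0x[0-9a-f]+|\b\d+\b")


def normalize(instr):
    """Lower-case and mask numeric immediates/offsets so that a rebuild that only
    relocates code or adjusts stack offsets does not look like a code change."""
    return IMMEDIATE_RE.sub("IMM", instr.strip().lower())


def signature(instrs):
    """Stable fingerprint of a function's normalized instruction stream."""
    body = "\n".join(normalize(i) for i in instrs)
    return hashlib.sha256(body.encode()).hexdigest()


def diff_functions(old, new):
    """Compare two listings and bucket functions by what happened to them."""
    old_sigs = {name: signature(body) for name, body in old.items()}
    new_sigs = {name: signature(body) for name, body in new.items()}
    common = set(old) & set(new)
    return {
        "changed": sorted(n for n in common if old_sigs[n] != new_sigs[n]),
        "unchanged": sorted(n for n in common if old_sigs[n] == new_sigs[n]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def instruction_delta(old_instrs, new_instrs):
    """Inserted (+) and deleted (-) normalized instructions for one function."""
    a = [normalize(i) for i in old_instrs]
    b = [normalize(i) for i in new_instrs]
    return [line for line in difflib.unified_diff(a, b, lineterm="", n=0)
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    report = diff_functions(UNPATCHED, PATCHED)
    print(report)
    for name in report["changed"]:
        for line in instruction_delta(UNPATCHED[name], PATCHED[name]):
            print(name, line)
```

The changed bucket is where the analysis starts: in a security update the added compare-and-branch in front of a copy is the kind of delta that points at the fixed condition, while the unchanged bucket is what masking immediates is meant to keep out of the way.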
Example of BinDiff Results

Example of a Patched Vulnerability – MS16-009

Unpatched

Patched

MS16-009 Demonstration
MS17-010

• Critical SMB vulnerabilities disclosed
• Patch Tuesday in February delayed until March

MS17-010 BinDiff Demo

An oldie but goodie…

• If we have time, a quick demo of an older and simple, but very clear vulnerability in MS07-017…
Thanks!

Stephen Sims
@Steph3nSims
[email protected]

The recorded presentation is available at:

https://www.youtube.com/watch?v=LHNcBVQF1tM

http://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims