Researchers from Check Point have disclosed details of a vulnerability in Windows Deployment Services (WDS) that could allow attackers to hijack Windows Server installations and deploy backdoored Windows OS versions.
Worth noting - The vulnerability affects Windows Server 2008 and later through the WDS component. Microsoft patched the bug in November.
The big picture - Organizations use Windows Deployment Services (WDS) to install customized operating systems on new machines in the network. WDS uses a PXE (Preboot eXecution Environment) server to help clients perform a network boot and receive a Network Boot Program (NBP) from a network boot server.
To transfer the NBP, the PXE server uses the Trivial File Transfer Protocol (TFTP). TFTP is an older version of the FTP protocol and lacks the advanced features FTP offers.
How does it work - Check Point researchers fuzz-tested the TFTP implementation in WDS and found that attackers could craft malformed packets that trigger malicious code execution on Windows servers receiving responses from PXE servers. Attackers could relay these malformed TFTP packets to compromise Windows servers.
“There isn't a problem in the TFTP protocol itself, only in its implementation by this service. Theoretically, if the server is exposed externally this should work as well, but this service is usually used from within a LAN,” Omri Herscovici, a security researcher at Check Point, told ZDNet.
“The main attack flow is a port-in-the-wall type of breach. It's when an attacker physically connects his laptop to a network port inside the company - which is a common scenario,” Herscovici added.
Once the Windows Server is compromised, attackers could then abuse the WDS service to deploy backdoored Windows versions to local systems.
“WDS is a popular Windows server service that is widely used for the installation of image distribution. Its underlying PXE server had a critical remotely triggered use-after-free bug that can be potentially exploited by an unauthenticated attacker,” Check Point researchers wrote in a blog post.
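The article turns on malformed TFTP packets reaching a server-side parser. As an added illustration (not Check Point's or Microsoft's code, and not a reproduction of the WDS bug), the strict parser below shows the input validation a TFTP implementation should apply before acting on a packet: it rejects unknown opcodes, oversized or truncated packets, unterminated strings and incomplete option pairs instead of guessing. It assumes only the packet layouts of RFC 1350 and the option extension in RFC 2347; all sample packets in the test are constructed.

```python
import struct

# Opcodes from RFC 1350; RFC 2347 appends option name/value pairs to RRQ/WRQ and adds OACK.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
MODES = {"netascii", "octet", "mail"}
MAX_TFTP_PACKET = 516  # 4-byte header plus one 512-byte block at the default blksize


class MalformedTftp(ValueError):
    """Raised for any packet a strict TFTP parser should refuse rather than guess at."""


def _split_cstrings(payload: bytes) -> list:
    """Split NUL-terminated ASCII strings; refuse a trailing unterminated or non-ASCII one."""
    if not payload.endswith(b"\x00") or not payload.isascii():
        raise MalformedTftp("unterminated or non-ASCII string")
    return [p.decode("ascii") for p in payload[:-1].split(b"\x00")]


def parse_tftp(packet: bytes) -> dict:
    """Parse one TFTP packet strictly, raising MalformedTftp on anything off-spec."""
    if not 4 <= len(packet) <= MAX_TFTP_PACKET:
        raise MalformedTftp("bad length %d" % len(packet))
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in OPCODES:
        raise MalformedTftp("unknown opcode %d" % opcode)
    kind, body = OPCODES[opcode], packet[2:]
    if kind in ("RRQ", "WRQ"):
        fields = _split_cstrings(body)
        if len(fields) < 2 or len(fields) % 2 or not fields[0]:
            raise MalformedTftp("request needs filename, mode and complete option pairs")
        mode = fields[1].lower()  # mode is case-insensitive per RFC 1350
        if mode not in MODES:
            raise MalformedTftp("unknown transfer mode %r" % mode)
        options = dict(zip(fields[2::2], fields[3::2]))
        if "" in options:
            raise MalformedTftp("empty option name")
        return {"op": kind, "filename": fields[0], "mode": mode, "options": options}
    if kind == "ACK":
        if len(body) != 2:
            raise MalformedTftp("ACK must be exactly 4 bytes")
        return {"op": kind, "block": struct.unpack("!H", body)[0]}
    if kind == "DATA":
        return {"op": kind, "block": struct.unpack("!H", body[:2])[0], "data": body[2:]}
    if kind == "ERROR":
        msg = _split_cstrings(body[2:])
        if len(msg) != 1:
            raise MalformedTftp("ERROR carries exactly one message string")
        return {"op": kind, "code": struct.unpack("!H", body[:2])[0], "message": msg[0]}
    fields = _split_cstrings(body)  # OACK: option name/value pairs only
    if not fields or len(fields) % 2:
        raise MalformedTftp("OACK needs complete name/value pairs")
    return {"op": kind, "options": dict(zip(fields[0::2], fields[1::2]))}
```

Fed the same packet corpus a fuzzer would produce, a parser built this way fails closed with an exception rather than reading past a missing terminator.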