WDS bug lets hackers hijack Windows Servers via malformed TFTP packets

Last warning to apply Microsoft's November security updates for Windows Servers.
Written by Catalin Cimpanu, Contributor
Windows Server logo
Logo: Microsoft // Composition: ZDNet

In a report released today, security researchers have finally revealed in-depth details about a bug that Microsoft patched last November, and which they say can allow hackers to hijack Windows Server installations and abuse the Windows Deployment Services (WDS) to take over the server and even deploy backdoored Windows OS versions.

According to Check Point, the vulnerability affects all Windows Servers 2008 SP2 and later, and impacts the WDS component included with these systems.

WDS is what enterprise system administrators use to deploy Windows operating systems across a fleet of computers from a central location --a Windows Server OS where the WDS service runs.

At the technical level, this is done by running a Network Boot Program (NBP) that sends pre-boot messages to the PXE (Preboot eXecution Environment) of local workstations.

These interactions between the server and workstations are carried out via TFTP, which stands for Trivial File Transfer Protocol, an older and insecure version of the FTP protocol.

In a technical write-up published today, Omri Herscovici, a security researcher at Check Point Software, said that last year he looked into how Microsoft had implemented this protocol into WDS.

The researcher's report reveals the actual bug at the heart of CVE-2018-8476, the vulnerability that Microsoft patched last November.

"There isn't a problem in the TFTP protocol itself, only in its implementation by this service," Herscovici told ZDNet via email.

After fuzzing the protocol's implementation into WDS, the researcher found that he could create malformed packets that would trigger malicious code execution on Windows Server instances receiving responses from PXE workstations.

Any attacker on the local network, either physically or having control over an infected workstation, could relay these malicious TFTP packets, and effectively take over the Windows Server, Herscovici argued.

"Theoretically if the server is exposed externally this should work as well, but this service is usually used from within a LAN," the researcher told ZDNet.

"The main attack flow is a port-in-the-wall type of breach. It's when an attacker physically connects his laptop to a network port inside the company - which is a common scenario," he said.

If attackers take over the Windows Server, they have full control over the entire local network, and could easily use the same WDS service to deploy backdoored Windows versions to local systems.

Neither Microsoft nor Herscovici are aware of any attacks during which hackers have tried to exploit this vulnerability, but with Herscovici's write-up now generally available, this might change in the coming months.

If any Windows Server administrators have delayed installing the November 2018 security updates due to various incompatibilities, this might be a good time to catch up on their patching efforts. There are no workarounds or mitigations outside installing the security patch.

High-performance storage: From flash drives to server hard drives (April 2018 edition)

More vulnerability reports:

Editorial standards