wsusscn2.cab signature verification failure

Re: wsusscn2.cab signature verification failure

Postby psloss » 18.11.2016, 21:35

I see that there's a new CAB file being offered, at least by footprint.net, so the following has been superseded to some degree:

hbuhrmester wrote:I suspect, that ETags with the prefix W/ indicate some intermediate state.

The footprint.net servers use those "weakly validating" ETags either way, so even the properly signed CAB file from 9 November has one. The footprint.net servers also don't appear to honor a "If-None-Match" header in the client request.

As noted in a previous post, the BAD footprint.net ETag is:

ETag: W/"9e7be538b53ad21:0"
MD5: 44B1480711F3C34F961071129EB369FE
SHA1: 3BD278A95004CA6AB4CA5CB953F46015E2BC08DA
SHA256: 52670BBEA050716F838848B3FC28CE7BBEBF3EBFCD3CC4BE3473992AED74B386

But footprint.net was also serving the good one, same as the old two content distribution networks:

ETag: W/"fb5afe38b53ad21:0"
MD5: 145A3BC4BE51765D3470FCFF1F7BDCCF
SHA1: 02CEB8F53B165C2AA8BDE161C8C635252473D22B
SHA256: 65AE858E88854A78F5EB545D69E9CDCA6BA47A24AB73E356CE8458EDEF50BC8A

Unfortunately, the bad file appears to be far more prevalent than the good one; however, both files are the same 201419112-byte size.

Update -- the Last-Modified time was touched in the last several hours; however, the signed CAB file content is the same, with the same 9 November signing timestamp. Sadly, the footprint.net servers have new content, but that new content is still useless because that CAB is still not signed correctly.
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby Con » 21.11.2016, 21:22

pentup wrote:I was able to download a signed copy today from windows update at the following link.

http://download.windowsupdate.com/micro ... usscn2.cab

I've also stashed a copy on Mega just in case.

https://mega.nz/#!EVJFjBAT!P_8f0FbPfTBe ... Kf0eCrEwRU


Made an account just to say you're a goddamn hero :lol:
Con
 

Re: wsusscn2.cab signature verification failure

Postby boco » 21.11.2016, 22:05

MS might not be amused, however. They are generally grumpy with files offered from outside their servers.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2323
Joined: 24.11.2009, 17:00
Location: Germany

Re: wsusscn2.cab signature verification failure

Postby psloss » 22.11.2016, 03:00

It appears that the footprint.net distribution may be fixed for the time being and will serve the correct file that was signed on 9 November.

(Unfortunately, the acronym SNAFU comes to mind; I expect downloading this CAB file from Microsoft's content distribution network to be an unreliable adventure more often than not going forward.)

I got a different response from one of their servers a few minutes ago:
Code: Select all
HTTP/1.1 200 OK
Date: Tue, 22 Nov 2016 01:39:55 GMT
Content-Type: application/vnd.ms-cab-compressed
Content-Length: 201419112
Connection: keep-alive
Cache-Control: max-age=0
Pragma: no-cache
ETag: "805484fdc041d21:0"
Expires: Tue, 22 Nov 2016 01:39:55 GMT
Last-Modified: Fri, 18 Nov 2016 17:27:09 GMT
Server: Footprint Distributor V4.11
MSRegion: N. America
x-ccc: US
x-cid: 3
X-Powered-By: ASP.NET
Age: 0
Accept-Ranges: bytes

The ETag now matches the other two distribution networks and the downloaded file has the same hash. Here's a dump from the signtool.exe binary:
Code: Select all
X:\CertFileDump>signtool-W10.x64.exe verify /all /pa /v /debug wsusscn2.cab

Verifying: wsusscn2.cab
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE1581465588F0A1720103CB07F4D0F7C23D62EF

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon Aug 31 22:29:32 2020
        SHA1 hash: 3CAF9BA2DB5570CAF76942FF99101B993888E257

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Thu Nov 02 20:17:17 2017
            SHA1 hash: 98ED99A67886D020C564923B7DF25E9AC019DF26

The signature is timestamped: Wed Nov 09 03:32:39 2016
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 13:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Sep 07 17:58:54 2018
            SHA1 hash: 692A53F2A4C2241A93157877BAFF19F7412D2982

Signature Index: 1
Hash of file (sha256): 6E43F828F129ADCA79A051C1ADE57AAD26BFFB17C0BCC9B32EF4E2C381B73627

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires:   Sat Mar 22 22:13:04 2036
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires:   Wed Jul 08 21:09:09 2026
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA 2011
            Expires:   Sat Jan 28 20:31:46 2017
            SHA1 hash: 54DA79490495AA6D7898B183D86EA600E3FC5EBF

The signature is timestamped: Wed Nov 09 03:32:43 2016
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Sat Jun 23 22:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Tue Jul 01 21:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires:   Fri Sep 07 17:56:57 2018
            SHA1 hash: BDFFC5956390F1139C60D619C0AFE9B89E1E201D


Successfully verified: wsusscn2.cab

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby hbuhrmester » 22.11.2016, 18:02

I noticed the same: on 19 and 20 November I got two new files:

Code: Select all
HTTP/1.1 200 OK
Date: Sat, 19 Nov 2016 12:58:04 GMT
Content-Type: application/vnd.ms-cab-compressed
Content-Length: 201419112
Connection: close
Cache-Control: max-age=0
Pragma: no-cache
ETag: "73fb491c241d21:0"
Expires: Sat, 19 Nov 2016 12:58:04 GMT
Last-Modified: Fri, 18 Nov 2016 17:34:24 GMT
Server: Footprint Distributor V4.11
MSRegion: EMEA
x-ccc: DE
x-cid: 3
X-Powered-By: ASP.NET
Age: 0
Accept-Ranges: bytes


and:

Code: Select all
HTTP/1.1 200 OK
Cache-Control: max-age=0
Pragma: no-cache
Content-Length: 201419112
Content-Type: application/octet-stream
Last-Modified: Fri, 18 Nov 2016 17:27:09 GMT
Accept-Ranges: bytes
ETag: "805484fdc041d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: US
X-MSEdge-Ref: Ref A: F51FBF64E0CD4B6A82361A6DF1141842 Ref B: 636291E8877D16A814739EC391563D67 Ref C: Sun Nov 20 06:14:40 2016 PST
Date: Sun, 20 Nov 2016 14:14:40 GMT


Both files are actually identical; they have the same valid digital file signature and the same file hashes:

Code: Select all
Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

D:\WSUS Offline Update\2016-11-18_17-34-24_GMT\wsusscn2.cab:
    Verified:       Signed
    Signing date:   04:32 09.11.2016
    Publisher:      Microsoft Corporation
    Description:    n/a
    Product:        n/a
    Prod version:   n/a
    File version:   n/a
    MachineType:    n/a
    MD5:    145A3BC4BE51765D3470FCFF1F7BDCCF
    SHA1:   02CEB8F53B165C2AA8BDE161C8C635252473D22B
    PESHA1: EE1581465588F0A1720103CB07F4D0F7C23D62EF
    PE256:  n/a
    SHA256: 65AE858E88854A78F5EB545D69E9CDCA6BA47A24AB73E356CE8458EDEF50BC8A


It's the same file I got earlier this month on 10 November:

Code: Select all
HTTP/1.1 200 OK
Date: Thu, 10 Nov 2016 23:26:59 GMT
Content-Type: application/octet-stream
Content-Length: 201419112
Connection: close
Cache-Control: max-age=0
Pragma: no-cache
ETag: "817d2250b53ad21:0"
Expires: Thu, 10 Nov 2016 23:26:59 GMT
Last-Modified: Wed, 09 Nov 2016 18:15:55 GMT
Server: Footprint Distributor V4.11
MSRegion: EMEA
x-ccc: DE
x-cid: 3
X-Powered-By: ASP.NET
Age: 0
Accept-Ranges: bytes


Again, the digital file signature and the file hashes are the same as the two other files. So now I have three identical files, only with different Last-Modified dates and ETags.
hbuhrmester
 
Posts: 459
Joined: 11.10.2013, 20:59

Re: wsusscn2.cab signature verification failure

Postby psloss » 23.11.2016, 04:36

I have my suspicions about the nature of the bad content that was being served up, but hopefully there will be some actual diligence paid by Microsoft (and/or their subcontractors) to consistently publishing valid content...given all the cost-cutting and quality control reductions-in-force, my expectations remain low. I'd much rather be a stockholder than a customer these days.

At least now there are some alternatives when they screw up again...if there are issues, when I see this in the response headers I'll assume the worst:
Code: Select all
Server: Footprint Distributor V4.11
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby psloss » 14.12.2016, 00:26

It's still barely Patch Tuesday, even in the UTC time zone, and there's a new wsusscn2.cab file, but same replication problem with footprint.net servers. Here are the parameters for the new signed CAB file. The file size is 206689966 bytes:
Code: Select all
MD5:    E8FB1DCAF682436FD0028D4B7A1F0E92
SHA1:   E1D9495596108C673E29A0019ACDBFEFFF279F49
PESHA1: 53D886D10A7C7289F960F4CD0BFA7D66CE340433
PE256:  002C3AB1FD70D2E40F5951A2981A5DD9496114AC8A33ED9077023E467DCF665F
SHA256: 06BEE0C805F38B94C3E1F929B8AE75644FD5A4B5F8E1E65D72A862BA0D70DCD9

sha1/pesha1 signature timestamp:   Tue Dec 13 16:48:39 2016
sha256/pe256 signature timestamp: Tue Dec 13 16:48:51 2016

The DNS mappings have not changed and since I'm stuck by default with the download.windowsupdate.com name being mapped to the broken footprint.net distribution network, I downloaded the good one by using the Host header substitution "method" noted in an earlier post. Here's the "good" response headers:
Code: Select all
HTTP/1.1 200 OK
Cache-Control: max-age=0
Connection: close
Date: Tue, 13 Dec 2016 23:18:28 GMT
Pragma: no-cache
Content-Length: 206689966
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Tue, 13 Dec 2016 21:03:04 GMT
Accept-Ranges: bytes
ETag: "034a04b8455d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: US
X-MSEdge-Ref: Ref A: DA4AE94033BE4FA4A8E1C60FD4B798FC Ref B: 3A3D2E1D6E4B1830EEAF498B92A31C40 Ref C: Tue Dec 13 15:18:29 2016 PST

Here's the full signtool dump output:
Code: Select all
signtool-W10.x64.exe verify /all /pa /v /debug E1D9495596108C673E29A0019ACDBFEFFF279F49.bin

Verifying: E1D9495596108C673E29A0019ACDBFEFFF279F49.bin
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 53D886D10A7C7289F960F4CD0BFA7D66CE340433

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon Aug 31 22:29:32 2020
        SHA1 hash: 3CAF9BA2DB5570CAF76942FF99101B993888E257

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Thu Nov 02 20:17:17 2017
            SHA1 hash: 98ED99A67886D020C564923B7DF25E9AC019DF26

The signature is timestamped: Tue Dec 13 16:48:39 2016
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 13:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Sep 07 17:58:52 2018
            SHA1 hash: 7BA57715B0F79CA2CF921E5F2A72BE11C2FADC67

Signature Index: 1
Hash of file (sha256): 002C3AB1FD70D2E40F5951A2981A5DD9496114AC8A33ED9077023E467DCF665F

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires:   Sat Mar 22 22:13:04 2036
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires:   Wed Jul 08 21:09:09 2026
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA 2011
            Expires:   Sat Jan 28 20:31:46 2017
            SHA1 hash: 54DA79490495AA6D7898B183D86EA600E3FC5EBF

The signature is timestamped: Tue Dec 13 16:48:51 2016
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Sat Jun 23 22:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Tue Jul 01 21:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires:   Fri Sep 07 17:56:49 2018
            SHA1 hash: 35E4A3FB4E3FFF260D71F56D5E127B919638A68D


Successfully verified: E1D9495596108C673E29A0019ACDBFEFFF279F49.bin

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
Last edited by psloss on 15.12.2016, 18:36, edited 2 times in total.
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby psloss » 14.12.2016, 15:09

This might be an improvement, maybe only a temporary improvement: it looks like the footprint.net network was dropped from distribution via a DNS change overnight. (Overnight U.S. time.)

Additionally, the footprint servers appear to be actually unhooked; random sample returns a 503 status code:
Code: Select all
HEAD /microsoftupdate/v6/wsusscan/wsusscn2.cab HTTP/1.1
Host: download.windowsupdate.com
Cache-Control: no-cache
Pragma: no-cache
Connection: Close

Response headers:
HTTP/1.1 503 Service Temporarily Unavailable
Connection: close
Date: Wed, 14 Dec 2016 14:14:43 GMT
Content-Length: 206
Content-Type: text/html
Server: nginx

Remote socket addr: 8.254.194.222:80

download.windowsupdate.com continues to initially point to a CNAME record of "2-01-3cf7-0009.cdx.cedexis.net"; however, I am not seeing that pointing to CNAME records that point to footprint.net.

Today so far, seeing two CNAMEs noted last month: download.windowsupdate.com.edgesuite.net and b1ns.au-msedge.net.

Given this is probably the peak monthly load on the servers, it's understandable that one might want the distribution to, you know, work. (Not that I'm cynical, of course.) Once we get over the hump in the load curve, I wouldn't be surprised if Microsoft switches back to the more affordable, but useless networks.
Last edited by psloss on 15.12.2016, 18:37, edited 1 time in total.
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby psloss » 14.12.2016, 19:08

psloss wrote:This might be an improvement, maybe only a temporary improvement: it looks like the footprint.net network was dropped from distribution via a DNS change overnight. (Overnight U.S. time.)

Sadly it was more temporary than I thought: already starting to see download.windowsupdate.com CNAME responses with footprint.net in them and that network is still hosting garbage for the CAB file (in contrast to last month, I'm ONLY seeing garbage from footprint.net).

If you run into this issue where you get CAB file that is not verified, there are still two CNAME alternatives that can work with a Host header substitution:

1. download.windowsupdate.com.edgesuite.net
2. b1ns.au-msedge.net
Last edited by psloss on 15.12.2016, 18:43, edited 1 time in total.
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby psloss » 15.12.2016, 18:42

I made a mistake in a few of the last posts, confusing download.microsoft.com with download.windowsupdate.com; the former is not relevant. The logs were correct, but I updated the recent posts. So basically we're back to this time last month: the footprint.net distribution is completely broken, but the valid, signed CAB file can be downloaded manually from the other two distribution networks.
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

PreviousNext

Return to Download

Who is online

Users browsing this forum: Google [Bot] and 11 guests