Linux on Windows Exposes a New Attack Surface

An anonymous Slashdot reader writes: The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."

Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated." Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."

Big, fat, NO FREAKIN' DUH!

[Dog-Cow]

If the Linux personality has the same level of access to the kernel as the Windows personality, then this is a natural consequence. It's the same as if MS added a dozen new win32/64 APIs that could be exploited by apps with appropriate privileges. New code, new bugs. Total non-story.

Re:Big, fat, NO FREAKIN' DUH!

[redmid17]

I'm glad you beat me to typing "NO SHIT".

Next story we're gonna get is, "If you install a database or 3rd party program, the attack vector gets larger!"

Re:Big, fat, NO FREAKIN' DUH!

[BarbaraHudson]

It's not even that. You are NOT running linux under windows. There is no such thing. Even Canonical admits that. It's just parts of the Ubuntu user space. No linux kernel. No vm. No container. Nada. Think of wine in reverse.

Linus (or rather, the linux foundation) should sue for slander for anyone calling it "linux under windows."

Re:Big, fat, NO FREAKIN' DUH!

[retchdog]

I'd just like to interject for moment. What you're referring to as Linux, is in fact, GNU/Windows, or as I've recently taken to calling it, GNU plus Windows. Linux is not an operating system unto itself, but rather another possible alternative for a fully functioning system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as (sort of) defined by POSIX. This so-called Linux distribution is really a distribution of GNU/Windows!

Re:Big, fat, NO FREAKIN' DUH!

Anyone who wants to learn more about this can read up on the Windows Subsystem for Linux. Quoting from the linked overview:

WSL executes unmodified Linux ELF64 binaries by virtualizing a Linux kernel interface on top of the Windows NT kernel. [...] The Windows Subsystem for Linux includes kernel mode drivers (lxss.sys and lxcore.sys) that are responsible for handling Linux system call requests in coordination with the Windows NT kernel. The drivers do not contain code from the Linux kernel but are instead a clean room implementation of Linux-compatible kernel interfaces.

-PCP

Re: Big, fat, NO FREAKIN' DUH!

It's not fucking Linux unless it runs the Linux kernel.

Re:Big, fat, NO FREAKIN' DUH!

[Opportunist]

ANY program you install that even remotely thinks about accepting input in any way is a potential attack vector. Why do you think anyone who has even a passing interest in his computer's security is up in arms about all the "free" crapware programs delivered with a new laptop?

Re:Big, fat, NO FREAKIN' DUH!

[Opportunist]

You traded systemd for Windows. Are you still dancing? Or is that just you trying to get your feet away from the hot red coals?

Re:Big, fat, NO FREAKIN' DUH!

Ummm no, this is explicitly /not/ what Cygwin does. Cygwin provides a Unix-style /API/, not a Linux /ABI/. You can't run an unmodified Linux binary under Cygwin, you get to recompile your source.

Re:Big, fat, NO FREAKIN' DUH!

[Dr.Dubious+DDQ]

The kernel is actually "NT", I believe.

Therefore, it really ought to be "GNU/NT" (pronounced "guh-nunt", because that amuses me for some reason.)

Re: Big, fat, NO FREAKIN' DUH!

[Vitus+Wagner]

It is really a GNU subsystem for Windows.

Re: Big, fat, NO FREAKIN' DUH!

it's really just another attempt by microsoft to sour the reputation of linux.

Re:Big, fat, NO FREAKIN' DUH!

[bev_tech_rob]

"GNU rootkit for Windows"

Has a nice ring to it.

No kidding! LOL. Anyhow, the Linux subsystem is not enabled by default (at least mine wasn't) after the Anniversary Update and you have to jump through a couple of hoops to get it going. Hopefully will be a non-issue and whomever DOES enable that will take the appropriate precautions.

Re: Big, fat, NO FREAKIN' DUH!

[Junta]

Actually, it's not GNU either. It's an implementation of Linux kernel system calls. It only becomes GNU-ish after installation of Ubuntu libraries.

It's not a Linux kernel, it's not an emulator, it's an alternative implementation of Linux system calls.

Re: Big, fat, NO FREAKIN' DUH!

[danbob999]

Exactly, but with the stupid "Bash On Ubuntu On Windows" name.

Re: Big, fat, NO FREAKIN' DUH!

[danbob999]

it's not a POSIX interface, it runs native Linux (not BSD, not OS X, not other POSIX OS) AMD64 binaries

Re: Big, fat, NO FREAKIN' DUH!

[almitydave]

Exactly, but with the stupid "Bash On Ubuntu On Windows" name.

Acronym is "BOUOW", pronounced "bow-wow".

Re: Big, fat, NO FREAKIN' DUH!

[danbob999]

They also call the underlying technology "Windows Subsystem for Linux (WSL)", while performing the exact opposite (it is a Linux Subsystem for Windows).
I guess it is what you must expect from a company placing all 64-bit files in System32 and 32-bit files in SysWOW64. And where x64 is greater than x86. x86-64 was too long so they removed a few characters.

Clickbait

[real+gumby]

What kind of "new threat" is this? All he's saying is that running code on a machine can have affect its state.

*yawn*

[jargonburn]

The Server Application in Windows 10 isn't running inside of a hypervisor; it's "running on the OS, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to the Server Application, such that the Server Application will get access to [...] files and directories."

Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to the Server Application running on Windows." According to eWeek, "The modified Server Application code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."

I'll Tell you what else increase your attack surface: Turning the computer on.
Didn't RTFA (naturally!), but the summary fails to convince me that this is more than incrementally worse than running...well...MOST applications that do anything useful on Windows.

Re: *yawn*

[Drumhellar]

This is how UIDs are mapped: Each windows user gets their own copy of Ubuntu installed, located in %LOCALAPPDATA%\lxss. Users exist entirely within the individual Ubuntu installs, so a Windows user can have multiple Linux users within his own virtual Linux filesystem. Files created outside of the Linux environment all have a UID and GID of 0, while the initial default user has a UID and GID of 1000. Only files created within that Windows Users's Ubuntu install have UIDs known to their own Linux install. Of course, this is just how it looks to Linux programs. It is still ultimately limited by the Windows User's own individual permissions throughout the rest of the Windows system.

Re: *yawn*

[tlhIngan]

The first thing that comes to my mind is wondering how MS mapped windows users to linux UIDs. When linux is allowed to access the filesystem there could be all sorts of things to abuse in the permission translation. I would be interested in an article describing the design decisions though, instead of one generically predicting doom and gloom.

Probably some mapping of the user SID to a UID is my guess. After all, the UID is just a user representation, and internally it gets translated into a normal Windows SID that the kernel uses for all actions.

Honestly, it's a load of hyperbole. The Linus subsystem is not running Linux. It's running the Windows kernel, and the kernel is enforcing all the standard security mechanisms it always had. If you can't write to a file in Windows, you certainly can't on Linux subsystem. (All of Windows' security is enforced in the kernel anyways).

The Linux subsystem is only a bit more than the standard subsystem mechanism on NT - you know, the ones that could run Win32, OS/2 and POSIX apps? Each one of those is a separate subsystem, and because of that, there were pesky limitations (POSIX applications can't interact with Win32, because the only commonality is... the kernel).

What Windows 10 can do is run Linux userspace binaries by emulating the Linux syscall interface. It's no different than the FreeBSD mechanism that existed for years.

Hell, if you want to get technical, call it GNU/NTOSKRNL. That's all it is. It can run Linux binaries on Windows, in this case, Ubuntu 14.04.

Re: *yawn*

[Drumhellar]

Security wise, it means little. Each Windows user has his own private copy of the Linux environment. UIDs and GIDs are enforced in a standard Linux way, so no using the default user to create files owned by root in the virtual filesystem. Outside of the Linux environment, everything appears to be owned by root, and files created are owned by root - the same as if you mounted a FAT32 volume under Linux, but gave users write access to the volume. However, there is still per-file and per-directory read/write permissions, so as a Linux user, you can still access your Windows user files (Since you have read/write access), but are still denied those privileges to the files of other Windows users. A true "root" user only exists within that Linux environment, and only matters within the virtual FS provided by the Linux subsystem. Ultimately, everything is still governed by Windows' own security, and Linux subsystem and everything it does ultimately only has access that the Windows user has access to. There is no method for privilege escalation, either, barring any bugs in the Windows kernel components.

Nice Try. Let me correct you.

[Hylandr]

a two-headed beast that can do a little Linux and can also be used to attack the Linux side of the system.

FTFY

Crazy Talk

[frovingslosh]

This is just crazy talk. If I'm running Windows I obviously don't care about security.

Don't run root

[Billly+Gates]

Just like Linux you need to have special privileges to change anything important with the ACL lists of NTFS just like ext3.

I highly doubt malware will target this. I mean besides those using SQL insertion exploits for server databases no one targets Linux on the desktop. No one is going to be running a server with this anyway.

Re:Don't run root

[Antique+Geekmeister]

What they can, and will, target is privileged credentials in the user's home directory. Linux users, for example, sometimes keep SSH private keys or GPG keys in their home directory. Those now become vulnerable to Windows tools that are poorly secured and allow filesystem access to well defined home directory locations.

Conversely, many careless Windows users run their personal user account with Administrator privileges on their Windows machine, to make certain types of work easier. This makes Linux hosted attack vectors, such as running an SSH daemon, or SFTP, expose critical parts of the native Windows filesystems that the owner of the system may not have thought about.

It's also very much the same problem that CygWin and Windows have shared for years, so it's not a very new attack vector.

Re:Hack WIndows, then Linux to access Windows?

[The+MAZZTer]

mzzt@TEMPE:/mnt/c/Windows$ touch ./test
touch: cannot touch ‘./test’: Permission denied

Doesn't seem to be a problem from that angle at least. Sounds like FUD.

While in the Real World, WSL is contained

[CrashNBrn]

Windows Subsystem for Linux processes cannot directly interact with either the win32 subsystem or processes.

Windows Subsystem for Linux Overview [img] :: https://msdnshared.blob.core.windows.net/media/2016/04/LXSS-diagram-1024x472.jpg or WSL System Calls & [img] :: https://msdnshared.blob.core.windows.net/media/2016/06/syscall_graphic.png

Re:Hack WIndows, then Linux to access Windows?

[arth1]

You're a regular user and don't have write access to the Windows directory - I don't think that's the problem.

More likely problems are:

- What is "root" mapped to? In windows, an Administrator account does not have full privileges - you need a local or remote system account for that.

- How about setuid and setgid executables? setgid in particular can be problematic, given that Windows doesn't have a concept of both a user owner and a group owner - there's just an owner, and any number of acls.

- Are setfattr and similar commands supported? Windows and Linux stores special privileges as file attributes, and if you can set them, you might open up for gratuitous privilege escalation of the "other" side.

- Are chattr and similar commands supported, and obeyed on the Windows side too? If I "chattr +i file", can I still modify it on the Windows side? Will chattr +d prevent backup?

- Are hardlinks and/or bind mounts now supported? That can give continued access to files or directories after an admin or the system has revoked access to a parent directory.

- What about loop mounts? If supported, I could see vectors of attack, especially through autoplay.

- What about the Windows reserved names, like CON, PRN, NUL, COM1 and such? Linux has no problem with those names.

There's just a lot of stuff to think through, from both a Windows angle and a Unix-like angle. Hopefully, Microsoft has managed to make it safe, two-ways, and let caution prevail over convenience.
But I wouldn't bet my house on it.

Shill

[eWarz]

Very few people (except developers) will have WSL running on their machines. WSL is isolated from Win32 except via FS access. Just based on it's current state, WSL is practically impossible to exploit thansk to it's limitations. Alex Ionescu is (was?) a ReactOS 'developer'. He has a beef against Microsoft. Disclaimer, in a past life, I was a ReactOS core developer for a certain period of time in the late 90s to early 2000s.

Why doesn't anybody get their facts straight?

[rew]

After googling around a bit. stories about running a bash shell on windows pop up.

It isn't "running Linux" on windows. That would imply that there is a Linux kernel running that actually manages hardware. This impression of "running on hardware" is enhanced by the slashdot summary.

None of this. Windows is simply providing those Linux system calls that allows commandline apps to run. A story then mentioned that servers would not run. That's odd: When "bash" runs and say applications like ping, ssh and telnet, you'd have to go to great lengths to prevent another app like "apache" from running.

But if what I hear is true, this is only useful for the most basic of things, no graphical capabilities. I might be an old fart that uses the commandline a lot, but that becomes useful in combination with a bunch of graphical tools that display what I need to know on a graphical screen.

As to security: the implied trick of running a linux kernel that also has access to the windows block devices is very prone to bugs and security issues. But all that is not the case: It's just another program running in an operating system, using a slightly different set of API calls. If the emulated Linux system calls end up calling windows-internal stuff AFTER the "permissions checking" that normal windows calls would do then you have a problem. It tells a lot about how badly windows is layered.

This is not "Linux on Windows"

[Eravnrekaree]

Linux is a kernel. The Linux kernel is not used in this emulation layer, instead it emulates Linux system calls on the Windows kernel. So, there is very little if any Linux in this scheme. Its not Linux.

I don't think this is a wise use of Canonical's resources, a better use would have been greatly enhancing and accelerating Wine development with a goal of getting it to 99% app compatability within 2 years and as well funding a project to provide a driver compatability layer to allow Windows drivers to run on Linux. This would make it easier for people to make a complete move to Linux and to bring their apps and hardware with them, rather than creating a reason for people to stay on Windows.

Re:Hack WIndows, then Linux to access Windows?

[bluefoxlucid]

So, a self-contained system inside a larger system isn't a subsystem?

Implementing such a thing in userland is, in fact, a valid way to make a subsystem. Linux's own dynamic loader is a userspace program (the Linux kernel doesn't know how to load dynamic shared objects); and some systems (e.g. Minix, L4) implement their entire native execution environments and even hardware drivers in userspace.

Besides that,

The Windows Subsystem for Linux includes kernel mode drivers (lxss.sys and lxcore.sys) that are responsible for handling Linux system call requests in coordination with the Windows NT kernel. The drivers do not contain code from the Linux kernel but are instead a clean room implementation of Linux-compatible kernel interfaces. On native Linux, when a syscall is made from a user mode executable it is handled by the Linux kernel. On WSL, when a syscall is made from the same executable the Windows NT kernel forwards the request to lxcore.sys. Where possible, lxcore.sys translates the Linux syscall to the equivalent Windows NT call which in turn does the heavy lifting. Where there is no reasonable mapping the Windows kernel mode driver must service the request directly.

WSL uses a kernel-level interface to perform the actions required to satisfy POSIX and Linux system behaviors. This includes everything from procfs to execve() calls. File system permissions management is handled by kernel-level decisions on whether or not a program's effective permissions and capabilities mesh with the file system ACL (which is stored as extended NTFS attributes).

WSL doesn't use a kernel-level dynamic loader, and neither does Linux; as you pointed out, it loads ELF programs by using a PE executable process to bring the file into memory appropriately, like Wine. It's only necessary to have one type of kernel-level executable; all others can use a userspace loader, which is why Linux proper only supports static-linked executables and calls ld-linux.so to perform dynamic linking.

You appear to have made yet another post full of wrong information just to be aggressive and mean to other people. It's like your whole day revolves around finding ways to be an asshole to everyone else.

Not the whole POSIX.

[DrYak]

So is it essentially a new POSIX interface?

No it's not the whole POSIX interface (that used to exist and be called something along the lines like "Unix Services for Windows", but got in practice over taken in popularity by Cygwin - a translation layer between POSIX source code and regular Win32 interface).

WSL implements only a very small subset of Linux kernel's API calls.
Just barely enough to get some Ubuntu user space running, so you can still use Windows to write and test your code before deploying to some Linux cloud.
(instead of using Mac OS X or a real Linux desktop or a VM like everybody else.

There currently nearly no filesystem support (except for the special drivers that Microsoft has written to support passing Windows's local drivers under Linux).
There is very limited network support (you can run apache and even SSH. But forget about NFS)
There's no media at all (no X. no audio. no USBHID/libinput. nowayland/DRM/Mesa hardware/Whatever. no nothing. Its main purpose is to test linux code before deploying to the cluster, so don't expect anything fancy).
No even fabric dummy drivers (that's a bit limiting for the intended purpose...)
Nothing from the Linux kernel internals (no scheduler, etc.)

So maybe with some extensive hacking you could write a zombie node that can take part in some mass spamming or DDOS.
(Basically, anything that you could implement as a not so fancy network daemon under any other OS).
But that's about it. Don't except to circumvent some Windows protection by calling into WSL, it has no access to anything low-level.
(e.g.: Forget about trying to reflash the firmware using some linux sysadmins tools under WSL, or making some advanced stealth keylogger)