Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux on Windows Exposes a New Attack Surface (eweek.com)

Posted by EditorDavid on from the reports-from-Black-Hat dept.

An anonymous Slashdot reader writes: The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."

Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated." Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."

22 of 228 comments (clear)

  1. Big, fat, NO FREAKIN' DUH! by Dog-Cow · · Score: 5, Informative

    If the Linux personality has the same level of access to the kernel as the Windows personality, then this is a natural consequence. It's the same as if MS added a dozen new win32/64 APIs that could be exploited by apps with appropriate privileges. New code, new bugs. Total non-story.

    1. Re:Big, fat, NO FREAKIN' DUH! by BarbaraHudson · · Score: 4, Informative
      It's not even that. You are NOT running linux under windows. There is no such thing. Even Canonical admits that. It's just parts of the Ubuntu user space. No linux kernel. No vm. No container. Nada. Think of wine in reverse.

      Linus (or rather, the linux foundation) should sue for slander for anyone calling it "linux under windows."

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Big, fat, NO FREAKIN' DUH! by retchdog · · Score: 4, Funny

      I'd just like to interject for moment. What you're referring to as Linux, is in fact, GNU/Windows, or as I've recently taken to calling it, GNU plus Windows. Linux is not an operating system unto itself, but rather another possible alternative for a fully functioning system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as (sort of) defined by POSIX. This so-called Linux distribution is really a distribution of GNU/Windows!

      --
      "They were pure niggers." – Noam Chomsky
    3. Re:Big, fat, NO FREAKIN' DUH! by Anonymous Coward · · Score: 3, Informative

      Anyone who wants to learn more about this can read up on the Windows Subsystem for Linux. Quoting from the linked overview:

      WSL executes unmodified Linux ELF64 binaries by virtualizing a Linux kernel interface on top of the Windows NT kernel. [...] The Windows Subsystem for Linux includes kernel mode drivers (lxss.sys and lxcore.sys) that are responsible for handling Linux system call requests in coordination with the Windows NT kernel. The drivers do not contain code from the Linux kernel but are instead a clean room implementation of Linux-compatible kernel interfaces.

      -PCP

    4. Re: Big, fat, NO FREAKIN' DUH! by Anonymous Coward · · Score: 5, Informative

      It's not fucking Linux unless it runs the Linux kernel.

    5. Re:Big, fat, NO FREAKIN' DUH! by Opportunist · · Score: 4, Funny

      You traded systemd for Windows. Are you still dancing? Or is that just you trying to get your feet away from the hot red coals?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Big, fat, NO FREAKIN' DUH! by Anonymous Coward · · Score: 4, Informative

      Ummm no, this is explicitly /not/ what Cygwin does. Cygwin provides a Unix-style /API/, not a Linux /ABI/. You can't run an unmodified Linux binary under Cygwin, you get to recompile your source.

    7. Re:Big, fat, NO FREAKIN' DUH! by Dr.Dubious+DDQ · · Score: 3, Insightful
      The kernel is actually "NT", I believe.

      Therefore, it really ought to be "GNU/NT" (pronounced "guh-nunt", because that amuses me for some reason.)

      --
      Hacker Public Radio is our Friend
    8. Re: Big, fat, NO FREAKIN' DUH! by Vitus+Wagner · · Score: 4, Informative

      It is really a GNU subsystem for Windows.

    9. Re: Big, fat, NO FREAKIN' DUH! by Anonymous Coward · · Score: 3, Insightful

      it's really just another attempt by microsoft to sour the reputation of linux.

    10. Re: Big, fat, NO FREAKIN' DUH! by Junta · · Score: 4, Informative

      Actually, it's not GNU either. It's an implementation of Linux kernel system calls. It only becomes GNU-ish after installation of Ubuntu libraries.

      It's not a Linux kernel, it's not an emulator, it's an alternative implementation of Linux system calls.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    11. Re: Big, fat, NO FREAKIN' DUH! by danbob999 · · Score: 3, Insightful

      it's not a POSIX interface, it runs native Linux (not BSD, not OS X, not other POSIX OS) AMD64 binaries

  2. Clickbait by real+gumby · · Score: 3, Insightful

    What kind of "new threat" is this? All he's saying is that running code on a machine can have affect its state.

  3. *yawn* by jargonburn · · Score: 4, Insightful

    The Server Application in Windows 10 isn't running inside of a hypervisor; it's "running on the OS, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to the Server Application, such that the Server Application will get access to [...] files and directories."

    Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to the Server Application running on Windows." According to eWeek, "The modified Server Application code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."

    I'll Tell you what else increase your attack surface: Turning the computer on.
    Didn't RTFA (naturally!), but the summary fails to convince me that this is more than incrementally worse than running...well...MOST applications that do anything useful on Windows.

    1. Re: *yawn* by Drumhellar · · Score: 5, Informative

      This is how UIDs are mapped: Each windows user gets their own copy of Ubuntu installed, located in %LOCALAPPDATA%\lxss. Users exist entirely within the individual Ubuntu installs, so a Windows user can have multiple Linux users within his own virtual Linux filesystem. Files created outside of the Linux environment all have a UID and GID of 0, while the initial default user has a UID and GID of 1000. Only files created within that Windows Users's Ubuntu install have UIDs known to their own Linux install. Of course, this is just how it looks to Linux programs. It is still ultimately limited by the Windows User's own individual permissions throughout the rest of the Windows system.

    2. Re: *yawn* by tlhIngan · · Score: 3, Insightful

      The first thing that comes to my mind is wondering how MS mapped windows users to linux UIDs. When linux is allowed to access the filesystem there could be all sorts of things to abuse in the permission translation. I would be interested in an article describing the design decisions though, instead of one generically predicting doom and gloom.

      Probably some mapping of the user SID to a UID is my guess. After all, the UID is just a user representation, and internally it gets translated into a normal Windows SID that the kernel uses for all actions.

      Honestly, it's a load of hyperbole. The Linus subsystem is not running Linux. It's running the Windows kernel, and the kernel is enforcing all the standard security mechanisms it always had. If you can't write to a file in Windows, you certainly can't on Linux subsystem. (All of Windows' security is enforced in the kernel anyways).

      The Linux subsystem is only a bit more than the standard subsystem mechanism on NT - you know, the ones that could run Win32, OS/2 and POSIX apps? Each one of those is a separate subsystem, and because of that, there were pesky limitations (POSIX applications can't interact with Win32, because the only commonality is... the kernel).

      What Windows 10 can do is run Linux userspace binaries by emulating the Linux syscall interface. It's no different than the FreeBSD mechanism that existed for years.

      Hell, if you want to get technical, call it GNU/NTOSKRNL. That's all it is. It can run Linux binaries on Windows, in this case, Ubuntu 14.04.

  4. Crazy Talk by frovingslosh · · Score: 3, Funny

    This is just crazy talk. If I'm running Windows I obviously don't care about security.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  5. Don't run root by Billly+Gates · · Score: 3, Interesting

    Just like Linux you need to have special privileges to change anything important with the ACL lists of NTFS just like ext3.

    I highly doubt malware will target this. I mean besides those using SQL insertion exploits for server databases no one targets Linux on the desktop. No one is going to be running a server with this anyway.

    --
    http://saveie6.com/
  6. While in the Real World, WSL is contained by CrashNBrn · · Score: 4, Informative

    Windows Subsystem for Linux processes cannot directly interact with either the win32 subsystem or processes.

    Windows Subsystem for Linux Overview [img] :: https://msdnshared.blob.core.windows.net/media/2016/04/LXSS-diagram-1024x472.jpg or WSL System Calls & [img] :: https://msdnshared.blob.core.windows.net/media/2016/06/syscall_graphic.png

  7. Shill by eWarz · · Score: 3, Insightful

    Very few people (except developers) will have WSL running on their machines. WSL is isolated from Win32 except via FS access. Just based on it's current state, WSL is practically impossible to exploit thansk to it's limitations. Alex Ionescu is (was?) a ReactOS 'developer'. He has a beef against Microsoft. Disclaimer, in a past life, I was a ReactOS core developer for a certain period of time in the late 90s to early 2000s.

  8. Why doesn't anybody get their facts straight? by rew · · Score: 3, Informative

    After googling around a bit. stories about running a bash shell on windows pop up.

    It isn't "running Linux" on windows. That would imply that there is a Linux kernel running that actually manages hardware. This impression of "running on hardware" is enhanced by the slashdot summary.

    None of this. Windows is simply providing those Linux system calls that allows commandline apps to run. A story then mentioned that servers would not run. That's odd: When "bash" runs and say applications like ping, ssh and telnet, you'd have to go to great lengths to prevent another app like "apache" from running.

    But if what I hear is true, this is only useful for the most basic of things, no graphical capabilities. I might be an old fart that uses the commandline a lot, but that becomes useful in combination with a bunch of graphical tools that display what I need to know on a graphical screen.

    As to security: the implied trick of running a linux kernel that also has access to the windows block devices is very prone to bugs and security issues. But all that is not the case: It's just another program running in an operating system, using a slightly different set of API calls. If the emulated Linux system calls end up calling windows-internal stuff AFTER the "permissions checking" that normal windows calls would do then you have a problem. It tells a lot about how badly windows is layered.

  9. Not the whole POSIX. by DrYak · · Score: 4, Informative

    So is it essentially a new POSIX interface?

    No it's not the whole POSIX interface (that used to exist and be called something along the lines like "Unix Services for Windows", but got in practice over taken in popularity by Cygwin - a translation layer between POSIX source code and regular Win32 interface).

    WSL implements only a very small subset of Linux kernel's API calls.
    Just barely enough to get some Ubuntu user space running, so you can still use Windows to write and test your code before deploying to some Linux cloud.
    (instead of using Mac OS X or a real Linux desktop or a VM like everybody else.

    There currently nearly no filesystem support (except for the special drivers that Microsoft has written to support passing Windows's local drivers under Linux).
    There is very limited network support (you can run apache and even SSH. But forget about NFS)
    There's no media at all (no X. no audio. no USBHID/libinput. nowayland/DRM/Mesa hardware/Whatever. no nothing. Its main purpose is to test linux code before deploying to the cluster, so don't expect anything fancy).
    No even fabric dummy drivers (that's a bit limiting for the intended purpose...)
    Nothing from the Linux kernel internals (no scheduler, etc.)

    So maybe with some extensive hacking you could write a zombie node that can take part in some mass spamming or DDOS.
    (Basically, anything that you could implement as a not so fancy network daemon under any other OS).
    But that's about it. Don't except to circumvent some Windows protection by calling into WSL, it has no access to anything low-level.
    (e.g.: Forget about trying to reflash the firmware using some linux sysadmins tools under WSL, or making some advanced stealth keylogger)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]