is that a penguin in my windows?
TRANSCRIPT
![Page 1: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/1.jpg)
Is That A Penguin In My Windows?Spencer (@zeroSteiner) McIntyre BSides Las Vegas Wednesday August 3rd, 2016
![Page 2: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/2.jpg)
Agenda• About Me
• Windows Subsystem for Linux Overview• Why are we here and why do we care?• How does it work?
• Implementation Details• Syscall functionality• Filesystem details
• Attacker Notes• Fingerprinting WSL• Payload Compatibility• Inter process access
![Page 3: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/3.jpg)
About Me
• Spencer McIntyre
• Work at SecureState• Research, Development, “Special” Projects
• BSOD-inducer
• Avid open source contributor (Metasploit among others)
• Python enthusiast
• I can haz acronyms?• OSCP, OSEE
![Page 4: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/4.jpg)
Overview
• Windows Subsystem for Linux• Objective is to allow native x86-64 ELF binaries to run natively on Windows
platforms
• It’s not virtualization
• Supposedly Linux executables run at normal speeds
• Linux processes are “picoprocesses”
• WSL Core implementation provided by two Windows drivers• LXCORE
• Larger of the two, provides all of the Linux Syscalls
• LXSS
![Page 5: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/5.jpg)
Microsoft’s Diagram
Source: https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
![Page 6: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/6.jpg)
Implementation Details
![Page 7: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/7.jpg)
Driver Architecture• LXCORE Provides the main
functionality• Including \Driver\lxss object
• No accompanying lxcore object
• LXSS loads LXCORE and calls LxInitialize
![Page 8: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/8.jpg)
Picoprocesses• Container process with a limited access to the Kernel API
• Product of Microsoft’s research project dubbed “Drawbridge” from 2011• Project goal was to provide faster isolated / sandboxed execution
• Speed came from the lack of a virtualization overhead
• First added to Windows 8.1 and Server 2012 R2
• Process does not contain PEB / TEB / NTDLL.DLL / user32!gSharedInfo
• Windows Kernel still provides thread scheduling and memory management
![Page 9: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/9.jpg)
Syscalls You Say?
• Picoprocesses get a separate syscall dispatcher• Driver registers itself as a picoprocess provider and dispatches it’s own syscalls
• Linux syscalls implemented in LXCORE!LxpSyscall_*• 216 in Windows 10 Preview 14385 vs 345 in Linux 3.4-rc7
• 62.6% coverage
• Missing syscalls include some *32 equivalents• Existing are 16-bit not 64-bit, 32-bit calls were introduced in Linux 2.4
![Page 10: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/10.jpg)
Syscalls You Say?
• The kernel dispatches to the picoprovider for fulfillment• Linux calls with NT equivalents forward the call to be fulfilled by the kernel
• Syscall is made by the user process with the convention expected by the pico driver• In this case, the one specified by Linux x86-64 / System V ABI
• System V ABI Syscall Convention• Syscall number -> RAX
• Arguments -> RDI, RSI, RDX, RCX, R8, R9 (remaining on the stack)
![Page 11: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/11.jpg)
Debugging Syscalls
• Useful for bug hunting
• We can break on specific conditions using the Linux calling convention
• Example call stack for MMAPLXCORE!LxpSys_MMAP <- Break here for mmap syscalls and/or args to mmap
LXCORE!LxpSysDispatch
LXCORE!PicoSystemCallDispatch <- Break here for all WSL syscalls
nt!PsPicoSystemCallDispatch <- Break here for all picoprocess syscalls
nt!KiSystemServiceUser
![Page 12: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/12.jpg)
Filesystems
• WSL 2 main file systems• VoIFs
• Linux root directories
• Not accessible by Windows applications
• DriveFs• Access to the Windows filesystem
• /mnt/c
• Additional filesystems for /proc, /sys, etc.
• Control file systems are incomplete• /proc/net results in broken ifconfig
![Page 13: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/13.jpg)
DriveFS Specific
• Despite being root, files can only be read as user that started bash
• Linux file permissions are stored in NTFS extended attribute
• Permissions and owner are ignored for files created by root
![Page 14: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/14.jpg)
![Page 15: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/15.jpg)
Attacker Notes
![Page 16: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/16.jpg)
Identifying WSL
• Obvious:• grep Microsoft /proc/version && echo “WSL Detected”
• Check for mounted drives in /mnt
• Behavioral clues:• 1 module in /sys/modules (lack of drivers is suspicious)
• /proc missing modules entry
• Strict checks of mmap syscall flags
• mmap(NULL, 4096, PROT_READ|PROT_WRITE|0x1000, …
![Page 17: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/17.jpg)
Very Subtle Microsoft…
![Page 18: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/18.jpg)
Metasploit Payload Compatibility• Each was tested as a native ELF
executable
• Working payloads can’t access network configuration details
Payload Name Compatible?
linux/x64/mettel/reverse_tcp no*
linux/x64/shell_reverse_tcp yes
linux/x86/meterpreter/reverse_tcp no**
python/meterpreter/reverse_tcp yes
* Strict mmap syscall implementation** 32-bit ELF files are not supported
![Page 19: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/19.jpg)
Python Meterpreter
![Page 20: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/20.jpg)
Linux Kernel Protections
• All the basics are implemented• Usermode ASLR (randomize_va_space)
• Data Execution Prevention (DEP)• NULL page mapping prevention (mmap_min_addr)
![Page 21: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/21.jpg)
Cross Process Access
• Desirable for an attacker to infect the Linux container or Windows host
• Linux processes can not list Windows processes
• Windows can list Linux processes• PIDs do not match
![Page 22: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/22.jpg)
Linux -> Windows Access• No process access
• Windows processes are objects exposed through the Win32 API• Linux exposes information through files in
/proc
• Win32 API requires that the process make syscalls into NT kernel• Picoprocesses have a separate syscall
dispatcher
![Page 23: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/23.jpg)
Windows -> Linux Access
• Limited information is available
• Linux processes can not be debugged (OpenProcess fails)• Acceptable flags: (PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE)
• Without this Meterpreter’s migrate will not function
• Low 8-bits of Linux process exit code can be retrieved with GetExitCodeProcess from Windows• dwStatus >> 8
• Windows user processes can obtain same info for “root” processes• The Windows permissions are effectively the same (Can’t write to
%Systemroot%\System32\wbem\MOF etc.)
![Page 24: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/24.jpg)
Cross User Access
• WSL Environments are specific to the user who started them• Hence the inherited permissions
• Resources in one running WSL environment can not be accessed from another• Multiple invocations of “bash” as one user do share an environment
• Files, processes, etc. are all inaccessible
• Primarily relevant in multi-user environments like Server 2012
![Page 25: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/25.jpg)
Closing Thoughts
• “root” doesn’t mean much
• Nuances in what root means and how its handled will be a source of user mistakes
![Page 26: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/26.jpg)
![Page 27: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/27.jpg)
References• https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
• https://blogs.windows.com/windowsexperience/2016/04/06/announcing-windows-10-insider-preview-build-14316/
• http://research.microsoft.com/en-us/projects/drawbridge/
• https://blogs.windows.com/buildingapps/2016/03/30/run-bash-on-ubuntu-on-windows/
• https://github.com/Microsoft/BashOnWindows
• https://blogs.msdn.microsoft.com/wsl/2016/06/15/wsl-file-system-support/
• https://blogs.msdn.microsoft.com/wsl/2016/06/08/wsl-system-calls/
• https://blogs.msdn.microsoft.com/wsl/2016/05/23/pico-process-overview/
![Page 28: Is That A Penguin In My Windows?](https://reader033.vdocuments.us/reader033/viewer/2022051318/58eea09e1a28ab070f8b4687/html5/thumbnails/28.jpg)
Thanks for your time!
Spencer McIntyre
@zeroSteiner
github.com/zeroSteiner