WSL2 – the other ”other” attack surface
Threats & Research
As Windows development marches on, with it comes numerous improvement and innovations. However, as with all technical advances, this can lead to unexpected vulnerabilities or systems to maliciously exploit. WSL2 is the new and improved Linux subsystem in Windows. WSL is a built-in mechanism that allows Linux distributions to be installed and run as a component of the host OS.
We have shown in previous papers how WSL1 could be used for malicious actions. In this paper, we explore the new and improved WSL2 explaining its operational makeup, its potential appeal to attackers and investigate potential malicious capabilities. We will dissect the primary difference between the legacy and new system and explain the benefits and flaws of this upgrade. We outline some of the flaws in the configuration as well as provide tested malicious behavior (with POC) that can be deployed using WSL2.
By understanding the key differences and potentially malicious behavior, we will also provide a defensive monitoring evaluation and explain the potential methods of detection for this component. We also explain the key differences in detection between the two versions and the difficulties that arise from the new architecture.
Related posts
5 phases of a cyber attack: The attacker’s view
Cyber security is not something you do once and then you’re done. It is a continuous process that should be part of everything you do. However, no one has the resources to do everything perfectly. Thus, your goal should be constant improvement.
Read moreOf Cameras & Compromise: How IoT Could Dull Your Competitive Edge
The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.
Read moreHow to decompile any Python binary
At WithSecure we often encounter binary payloads that are generated from compiled Python. These are usually generated with tools such as py2exe or PyInstaller to create a Windows executable.
Read moreThe Chilling Reality of Cold Boot Attacks
What do you do when you finish working with your laptop? Do you turn it off? Put it to sleep? Just close the lid and walk away?
Read more