WSL2 – the other ”other” attack surface

 Threats & Research 

meet-threat-hunters_1940x970-1024x512
Reading time: 1 min
Connor Morley
 

03.02.20

 

 

 

As Windows development marches on, with it comes numerous improvement and innovations. However, as with all technical advances, this can lead to unexpected vulnerabilities or systems to maliciously exploit. WSL2 is the new and improved Linux subsystem in Windows. WSL is a built-in mechanism that allows Linux distributions to be installed and run as a component of the host OS.

We have shown in previous papers how WSL1 could be used for malicious actions. In this paper, we explore the new and improved WSL2 explaining its operational makeup, its potential appeal to attackers and investigate potential malicious capabilities. We will dissect the primary difference between the legacy and new system and explain the benefits and flaws of this upgrade. We outline some of the flaws in the configuration as well as provide tested malicious behavior (with POC) that can be deployed using WSL2.

By understanding the key differences and potentially malicious behavior, we will also provide a defensive monitoring evaluation and explain the potential methods of detection for this component. We also explain the key differences in detection between the two versions and the difficulties that arise from the new architecture.

 

Related posts

intersection-1024x512
April 16, 2024

5 phases of a cyber attack: The attacker’s view

Cyber security is not something you do once and then you’re done. It is a continuous process that should be part of everything you do. However, no one has the resources to do everything perfectly. Thus, your goal should be constant improvement.

Read more
meet-threat-hunters_1940x970-1024x512
April 16, 2024

Of Cameras & Compromise: How IoT Could Dull Your Competitive Edge

The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.

Read more
ws_woman_looking_at_computer_screen_with_pen
April 16, 2024

How to decompile any Python binary

At WithSecure we often encounter binary payloads that are generated from compiled Python. These are usually generated with tools such as py2exe or PyInstaller to create a Windows executable.

Read more
ws_cold_boot_attack_demo
April 16, 2024

The Chilling Reality of Cold Boot Attacks

What do you do when you finish working with your laptop? Do you turn it off? Put it to sleep? Just close the lid and walk away?

Read more