Windows Subsystem for Linux Plan 9 Protocol Research Overview

This is the final blog in the McAfee research series trilogy on the Windows Subsystem for Linux (WSL) implementation – see The Twin Journey (part 1) and Knock, Knock–Who’s There (part 2). The previous research discussed file evasion attacks when the Microsoft P9 server can be hijacked with a malicious P9 (Plan 9 File System Protocol) server. Since Windows 10 version 1903, it is possible to access Linux files from Windows by using the P9 protocol. The Windows 10 operating system comes with the P9 server as part of the WSL install so that it can communicate with a Linux filesystem. In this research we explore the P9 protocol implementation within the Windows kernel and whether we could execute code in it from a malicious P9 server.

We created a malicious P9 server by hijacking the Microsoft P9 server and replacing it with code we can control. In a typical attack scenario, we discovered that if WSL is enabled on Windows 10, then a non-privileged local attacker can hijack the WSL P9 communication channel to cause a local Denial of Service (DoS) or Blue Screen of Death (BSOD) in the Windows kernel. It is not possible to achieve escalation of privilege (EoP) within the Windows kernel due to this vulnerability; the BSOD appears to be as designed by Microsoft within their legitimate fail flow, if malformed P9 server communication packets are received by the Windows kernel. A non-privileged user should not be able to BSOD the Windows kernel, from a local or remote perspective. If WSL is not enabled (disabled by default on Windows 10), the attack can still be executed but requires the attacker to be a privileged user to enable WSL as a pre-requisite.

Remotely exploitable vulnerabilities are very high risk if they are wormable as they can spread across systems without any user interaction. There have recently been some critical, wormable protocol vulnerabilities within the RDP and SMB protocols in the form of Bluekeep and SMBGhost.
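The post describes a kernel-side P9 client that reaches a fail path when it receives malformed packets from a server it should not have to trust. As an added example (not code from the McAfee post or from Microsoft's WSL implementation), the block below shows the length validation a 9P client has to perform before it acts on any field of a server reply: the fixed header layout (size[4] type[1] tag[2], little-endian) and the Rread type code 117 come from the 9P2000 specification, while the msize constant, the status codes and the sample messages are constructed here for illustration. Every length a message carries is checked against the bytes actually received before anything is dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 9P message header: size[4] type[1] tag[2], little-endian.
 * size counts itself, so the smallest legal message is 7 bytes. */
#define P9_HDR_LEN 7
#define P9_MAX_MSG 8192   /* example msize; a real client uses the value negotiated in Tversion/Rversion */
#define P9_RREAD   117    /* Rread type code from the 9P2000 specification */

/* Status codes are an assumption of this example, not part of 9P. */
enum p9_status {
    P9_OK = 0,
    P9_ERR_TRUNCATED,    /* fewer bytes available than the header needs */
    P9_ERR_SIZE_FIELD,   /* size[4] below the header length or above msize */
    P9_ERR_SIZE_BUFFER,  /* size[4] claims more bytes than were received */
    P9_ERR_COUNT         /* Rread count[4] does not agree with size[4] */
};

struct p9_hdr { uint32_t size; uint8_t type; uint16_t tag; };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the fixed header against what was actually received ("have" bytes). */
enum p9_status p9_parse_hdr(const uint8_t *buf, size_t have, struct p9_hdr *out) {
    if (have < P9_HDR_LEN) return P9_ERR_TRUNCATED;
    out->size = le32(buf);
    out->type = buf[4];
    out->tag  = le16(buf + 5);
    if (out->size < P9_HDR_LEN || out->size > P9_MAX_MSG) return P9_ERR_SIZE_FIELD;
    if (out->size > have) return P9_ERR_SIZE_BUFFER;
    return P9_OK;
}

/* Rread reply: size[4] Rread tag[2] count[4] data[count].
 * data/count are only filled in when every length field agrees. */
enum p9_status p9_parse_rread(const uint8_t *buf, size_t have,
                              const uint8_t **data, uint32_t *count) {
    struct p9_hdr h;
    enum p9_status st = p9_parse_hdr(buf, have, &h);
    if (st != P9_OK) return st;
    if (h.type != P9_RREAD || h.size < P9_HDR_LEN + 4) return P9_ERR_SIZE_FIELD;
    uint32_t c = le32(buf + P9_HDR_LEN);
    /* The check a careless client skips: count must exactly cover the
     * remaining bytes of the message, or a hostile server controls the
     * length used for the copy. */
    if (c != h.size - (P9_HDR_LEN + 4)) return P9_ERR_COUNT;
    *data  = buf + P9_HDR_LEN + 4;
    *count = c;
    return P9_OK;
}

/* Constructed sample replies (not captured traffic). */
/* Well-formed Rread, tag 1, count 5, data "hello": size = 7 + 4 + 5 = 16. */
static const uint8_t p9_sample_good[] = {
    16, 0, 0, 0, P9_RREAD, 1, 0, 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'
};
/* Same message with count[4] = 0xFFFFFFFF: size says 5 data bytes, count says 4 GiB. */
static const uint8_t p9_sample_bad_count[] = {
    16, 0, 0, 0, P9_RREAD, 1, 0, 0xFF, 0xFF, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'
};
/* size[4] = 4, smaller than the header itself. */
static const uint8_t p9_sample_bad_size[] = { 4, 0, 0, 0, P9_RREAD, 1, 0 };

int main(void) {
    const uint8_t *d; uint32_t n;
    printf("good:      %d\n", p9_parse_rread(p9_sample_good, sizeof p9_sample_good, &d, &n));
    printf("bad count: %d\n", p9_parse_rread(p9_sample_bad_count, sizeof p9_sample_bad_count, &d, &n));
    printf("bad size:  %d\n", p9_parse_rread(p9_sample_bad_size, sizeof p9_sample_bad_size, &d, &n));
    /* only 10 of the 16 announced bytes have arrived: wait for more rather than parse */
    printf("short:     %d\n", p9_parse_rread(p9_sample_good, 10, &d, &n));
    return 0;
}
```

The same pattern applies to every variable-length field in 9P (strings, walk name lists, stat blobs): the field's own length is never trusted until it has been compared with both the message's size[4] and the number of bytes really present in the receive buffer. A client that enforces this can reject a hostile server's reply cleanly instead of entering a fatal error path.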