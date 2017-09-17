

'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com)

Posted by EditorDavid from the ghost-in-the-shell dept.
Mark Wilson quotes BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

  • While administrator access is needed to execute a Bashware attack, this is fairly easily obtained

    Really? that sounds like more of a problem than some particular tool....

    • Yeah, like I said on the last website that posted this story, this is a non-issue. If the attacker has local admin access, they've already pwned the system, it's game over. What they do after that point is trivial and not interesting.

    • Re:Easy to get administrator access? (Score:5, Insightful)

      by johnnys ( 592333 ) on Sunday September 17, 2017 @12:49PM (#55214359)

      Yes. If you have Administrator access, you own the system. So what they are really saying is "Hey, if you already own the Windows system then you can do bad things with the Windows system!"

      So it's a meaningless and irrelevant story.

      • Not entirely meaningless.

Can drive-by-downloads install the WSL, and then install something to apt-get WINE, or compile WINE on the WSL, resulting in a virus running undetected by the Windows antivirus?

        The issue here is that once it happens, there will be no way to catch it down the road. Once an id10t user gets infected, nothing will detect the infection. Only knowledgeable techs who know to remove the WSL to remove the virus.

        Can an antivirus or anti-malware system detect malware installed into the

The thing is, on the platform usually targeted by malware written in Bash script - like GNU/Linux systems - "Administrative access" isn't something trivial.
        It's rare that regular users run everyday tasks as "root".

        You needed Microsoft to bring the GNU userspace and "linux ABI" to their NT kernel for suddenly things to run sour.

        ----

        And joke aside about NT user running as "administrators" 24/24 hours and 7/7 days, this was bound to happen :
        In order to not have ridiculous performance (as opposed to solution l

        • So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

          Got it, avoid another MS integration clusterfuck.

          • So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

            And why would I do that instead of running Windows in qemu-kvm, VirtualBox or even VMWare? You want the more secure system as the host rather than the other way around.

Again, remember: WSL is only to be used in testing/development environments (so that devs can directly test Linux binary ELFs without needing, e.g., a full blown Ubuntu VirtualBox VM image). WSL is currently NOT to be used in production (keep it away from production servers - obviously those will be running some GNU/Linux flavor), otherwise such a blow-in-your-face accident could happen on critical machines with critical data.

          But some stupid shop is going to underbid you writing a thin layer on top of some free opensource code, and install/enable WSL behind the back. PHBs, dimwitted people masquerading as chief of cyber security, all the layers of CXOs, all bent "upon making the numbers" for the coming quarter to get an additional million dollar stock options all will claim that is the fair price for that module that faces the world from the landing page of corporate web site.

          You lose immediately

          They lose after some time

          We

No, it's not a non-issue, but it's a different kind of issue than most people realize. Remember the Alexis de Tocqueville Institution [sourcewatch.org] and the propaganda they pumped out last decade about how Linux and Open Source in general was a parasite on the tech industry, was enabling all sorts of illegal activities (such as terrorism - of course!), and attempted to publish a book claiming Linus Torvalds didn't really invent the Linux kernel? Microsoft was (and still is!) a major funder of this propaganda mill.

        Think a

    • While administrator access is needed to execute a Bashware attack, this is fairly easily obtained

      Really? that sounds like more of a problem than some particular tool....

      It's a classic example of a Raymond Chen airtight hatchway [microsoft.com] attack. In order to carry out an attack with admin privs, you first need to be admin. And then a sign lights up in black on a black background telling you you've done it.

    • Steve Martin Joke from 70s (Score:1)

      by Anonymous Coward

      "I'm gonna tell you how to make a MILLION dollars tax free. First, get a million dollars."

      "I'm gonna tell you how to get root access on a Linux machine. First, get admin access."

      Eh, needs work before it's ready for Steve if he ever does a Linux show.

  • So Windows has a Linux subsystem.

    Does that mean all copies of the Windows 10 operating system are vulnerable? Meaning grandma or bubba and their propensity to give everything and its kid brother root access?

    Or are we just talking about systems being administered by Linux admins, where root access by an untrusted application carries this risk implicitly.
    • It's an optional component like IIS.

    • Re: (Score:1)

      by Tablizer ( 95088 )

      Now we get all the holes of Windows AND Linux in one OS. Jeenius!

    • The WSL must be installed. It does not exist in a default install. For 32 bit systems it isn't available at all. In the end though this is not a vulnerability any more than most of the "vulnerabilities" you see these "researchers" finding on Linux systems. It is the classic "OMFG if you have admin / root / ring0 privs then you can do things!" Chicken Little cry.
      • The issue isn't in the install vector (typical user clicking "yes" to every UAC prompt). It is that no existing anti-malware utilities will automatically catch and remove the malware. This is a serious risk.

        • It is that no existing anti-malware utilities will automatically catch and remove the malware. This is a serious risk.

Well, to be more precise:

- currently the WSL subsystem that provides the "linux ABI" to original Linux ELFs
- and the Win32 system usually offered to normal Windows userland
are two different environments which are kept (on purpose) isolated from each other.

(Just think about it: even if theoretically NTFS can store case-sensitive filenames, absolutely no Win32 userland handles it.
That's just one of the several reasons why both environments should touch each other's stuff.
          Another reason is that for performance re

          • Nothing prevents it, except for two things.

            1. The user doesn't know the Linux subsystem is installed.
            2. The user doesn't know anything about Linux, and expects their Windows anti-virus to protect them.

            • The user doesn't know the Linux subsystem is installed.

              WSL isn't installed by default on Windows 10.
It's an optional component that you need to explicitly select in the corresponding control-panel-thingy.
              (like IIS).

              If the user is clueless, chances are high that they don't have WSL installed.

              The user doesn't know anything about Linux, and expects their Windows anti-virus to protect them.

(well, if they are running McAfee, they are toasted anyway :-P )

More seriously, it's the "security suite" developers' job to develop a solution.
              Again there is no technical reason preventing it (even if the current suite happens not to be able to see what happens on the

              • Just because the standard method of installing an optional service is through a control panel, doesn't mean that is the only way.

                .NET 2, & 3 are optional on Windows 10. They are typically installed via control panel. The last time I installed a legacy application, the .NET frameworks were downloaded and installed automatically.

                So we are back to Antivirus vendors providing ELFs, and providing a means of automatically installing and registering them, after installation. A means of automatically detect
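The sub-thread above turns on three checkable facts: WSL is an optional feature that is off on a default install, it can be enabled by an installer without the user ever opening the control panel, and once a distro is registered the Linux side is largely invisible to tooling that only watches Win32. The following is an added example, not code from the article, BetaNews or the Check Point research, that audits a Windows 10 host for exactly those preconditions and offers the obvious remediation. It assumes an elevated PowerShell session; the feature name, the LxssManager service, the per-user Lxss registry key and the launcher process names are the ones Windows 10 used for WSL at the time and are stated here as assumptions.

```powershell
# Added example (not from the article or the Check Point research): audit a
# Windows 10 host for WSL being enabled, registered, or running, and
# optionally disable the feature. Assumes an elevated session.

function Get-WslAuditReport {
    [CmdletBinding()]
    param()

    # Get-WindowsOptionalFeature -Online needs elevation; warn rather than
    # silently reporting 'NotPresent' when it is just an access-denied error.
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { Write-Warning 'Not elevated: feature state may be unreliable.' }

    $report = [ordered]@{}

    # 1. Optional feature state. 'Disabled' on a default install; 'Enabled'
    #    means a person or an installer turned it on.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $report.FeatureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # 2. LxssManager brokers WSL instances (assumed service name). Running on a
    #    machine that is not a developer workstation is worth a question.
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    $report.LxssManagerStatus = if ($svc) { [string]$svc.Status } else { 'NotPresent' }

    # 3. Distributions are registered per user under
    #    Software\Microsoft\Windows\CurrentVersion\Lxss (assumed key). Walk every
    #    loaded hive under HKEY_USERS so a distro registered by another account
    #    on the box is not missed.
    $distros = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        $lxss = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Lxss"
        if (-not (Test-Path $lxss)) { continue }
        foreach ($sub in Get-ChildItem $lxss) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if ($p.DistributionName) {
                [pscustomobject]@{
                    UserSid  = $hive.PSChildName
                    Distro   = $p.DistributionName
                    BasePath = $p.BasePath   # where the Linux root filesystem lives
                }
            }
        }
    }
    $report.RegisteredDistros = @($distros)

    # 4. Live Win32 launcher/host processes (assumed names). The Linux ELF
    #    processes themselves are what Win32-only tooling misses, which is the
    #    research's point; the launchers are the part a plain process list shows.
    $report.WslProcesses = @(Get-Process -Name bash, wsl, wslhost -ErrorAction SilentlyContinue |
        Select-Object -Property Id, ProcessName, Path)

    # Verdict: anything beyond a disabled feature with no distros and no
    # launcher processes is a finding to review.
    $report.Finding = (($report.FeatureState -eq 'Enabled') -or
                       ($report.RegisteredDistros.Count -gt 0) -or
                       ($report.WslProcesses.Count -gt 0))

    [pscustomobject]$report
}

function Disable-WslFeature {
    # Remediation for hosts where WSL is not expected. -NoRestart leaves the
    # reboot to the operator; the feature is only fully gone after it, and the
    # distro's files under BasePath are not removed by this call.
    Disable-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -NoRestart
}

$audit = Get-WslAuditReport
$audit | Format-List
if ($audit.Finding) {
    Write-Warning 'WSL is enabled, registered, or running on this host; review, or run Disable-WslFeature.'
}
```

Running this from a scheduled task or an endpoint-management job and alerting on `Finding` being true is the cheap version of what the thread asks the security-suite vendors to do: it does not inspect what the Linux side runs, but it does tell you which machines have a Linux side at all, and who registered it.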

  • Too late (Score:2, Funny)

    by jabberw0k ( 62554 )
    Windows 10 itself is malware, isn't it?

  • Why is bashware not a problem on a Linux system ? After all: if all that Windows Subsystem for Linux does is to provide Linux functionality then you would expect the same malware to also have been a problem on native Linux systems.

    • Linux users are expected to be more knowledgeable. You grant root access to malware or a rootkit, and its your problem. Microsoft Windows is marketed towards masses of naive idiots. They have no clue, and unleash botnets on the rest of the world. So if we can't protect them from themselves, we have a problem. If an antivirus can't remove an infection, nor even detect it, we have a problem.

  • Holy crap! If someone gets administrator access on my system, they can do bad things? With the SUBSYSTEM FOR LINUX, SPECIFICALLY???
    Seriously, /., what is this shit?

  • Under Windows 10 install Linux, load Linux and install Wine = Exploit. Video is now private, I can see why.

  • AKA: Code execution results in code execution.
    Raymond has a whole series of these things:
    https://blogs.msdn.microsoft.com/oldnewthing/20070807-00/?p=25683

    Once you're able to run arbitrary programs as admin on a Windows box, the box is lost. Which particular set of arbitrary weirdness you choose to do to crash, compromise, or exfiltrate the data is pretty much irrelevant.

