As a result, any DLL loaded by the system can be replaced with a malicious copy, allowing an attacker to gain access to the system, install additional software, and do anything they please. This issue can be partially mitigated by using the “Run as administrator” option when uninstalling. However, this is not always possible, and it is strongly recommended that all system administrators, as well as other privileged users, work from an account that has no access to the network, such as “Administrator” or “Power User”. With the recent surge in popularity of the Windows Subsystem for Linux, use of the SYSTEM account has become much more common. However, because SYSTEM is a privileged account, an attacker can take advantage of it to install and run malicious software. To do so, an attacker needs to run a command under the SYSTEM account with specific privileges. One such command is “install-package”, which gives the SYSTEM account the ability to install DLLs.

CVE-2023-24768

The issue stems from the fact that Microsoft Windows 10 uses a sub-user account with many privileges to run privileged commands as root. This can be exploited to install and run malware without any user interaction.

Windows Subsystem for Linux

Windows Subsystem for Linux (WSL) is a subsystem that allows Windows and Linux binaries to run side by side on the same system. It was first introduced in the Windows 10 Anniversary Update and was improved with each subsequent update until it became generally available in the Fall Creators Update. With WSL, Microsoft has tried to capitalize on the popularity of Linux by offering Windows users a way to run Linux software without dual booting or installing third-party virtualization solutions.
There are several significant implications of this change, including the ability to use SSH and Bash and to run open source software. These features have made WSL very popular among developers who want to use Linux tools or test their workflows before spending a lot of money on virtual machines or cloud solutions. In addition, the absence of virtualization and OS-level hypervisors such as Hyper-V means that WSL runs much faster than comparable alternatives.
When using WSL, you must do so from an account that has no network permissions, such as “Administrator” or “Power User”. This prevents unauthorized access to the system through malicious DLLs, unless someone is using a tool like prankd, which bypasses DLL protections with its built-in anti-DLL protection technology.

Time for another Jolt – Linux/WSL

Recently, a security vulnerability in the Windows Subsystem for Linux (WSL) was discovered. It allows an attacker to replace any DLL loaded by the system with a malicious copy. Using this vulnerability, an attacker could install additional software and do anything they please on the system.
However, there are ways to mitigate this issue. One is “Run as administrator”, which makes the “uninstall” option less effective as an avenue of attack. In addition, privileged users should keep their account separate from a network-accessible account such as Administrator or Power User. If you use WSL to run applications and/or services through Linux and find it necessary to use Administrator privileges, consider separating your use of those privileges from your use of WSL by means of a separate user account such as “Administrator” or “Power User”.

Timeline

Published on: 04/12/2022 18:15:00 UTC
Last modified on: 04/21/2022 14:05:00 UTC

References