[Bug 2052495] Re: [MIR] wsl-pro-service
The last security request (having per user certificate to secure the gRPC communication so that they can’t be hijacked cross-users) is now addressed with 0.1.4 with many other enhancements fixing some recommended TODOs. I’m proceeding thus with the promotion. ** Changed in: wsl-pro-service (Ubuntu Noble) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2052495 Title: [MIR] wsl-pro-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2052495] Re: [MIR] wsl-pro-service
Specifically adressing @iosifache concern > 3. Command execution inside the Windows host: With USB/IP the WSL instance gets low level access to a USB device as if it was actually attached to the USB bus. I won't go into the details of how to get that done, but it suffices to say that: 1. It requires installation of components on both sides: WSL instance and Windows host 2. The daemon on the host side must be started with elevated permissions 3. Most importantly to this security concern: mounting such device won't result in a 9p filesystem, thus the device would be skipped in the search for cmd.exe It's possible to mount a USB device as a drvfs 9p mount point, which could fool the current implementation of the `findCmdExe()` function. It requires: 1. The USB device partition to be attached to a WSL instance must be mounted in the Windows host (which requires it to be formatted in one of the filesystems that OS supports) 2. The attacker must be able to launch a command as root inside the WSL instance to mount that partition containing a rogue `cmd.exe` binary (easily done if they already have access to the host, not so easy if they only have access to the WSL instance as a Linux unpriviliged user account) Yet, by the order which the mount points are processed, the USB device will always be mounted after the hard drive partitions, no matter which drive letters assigned to the partitions on the Windows side. So **the only way** the USB device partition would be picked up is in case the user has disabled automount drives via `/etc/wsl.conf`, as there would be no other candidate mount point to look into, resulting in the rogue binary being executed by wsl-pro-service as root inside the WSL instance. That means the rogue binary could do anything inside the WSL instance, **and anything the Windows user can do** on the Windows host (being root inside is the same as being the Windows user outside of the WSL instance). While that sounds dangerous, remember that the attacker already had user level permissions to start that attack, so we are just back at where the attack started. Here's a demonstration of such exploit: - Assume I have a malicious USB stick formatted as exFAT mounted on Windows as "A:\" and containing a ransomware at path "A:\Windows\System32\cmd.exe"; ```powershell Get-PSDrive -PsProvider 'FileSystem' Name Used (GB) Free (GB) Provider Root - - A 16.82 12.22 FileSystemA:\ C 362.05 33.18 FileSystemC:\ D 47.43 35.08 FileSystemD:\ ``` - Somehow I managed to run the following command on the Windows host: ```powershell wsl -u root -d Ubuntu bash -ec 'mkdir -p /mnt/a && mount -t drvfs "A:\\" /mnt/a' ``` - My mountpoints inside the Ubuntu WSL instance will look like: ```bash mount | grep drvfs C:\ on /mnt/c type 9p (rw,noatime,dirsync,aname=drvfs;path=C:\;uid=1001;gid=1002;symlinkroot=/mnt/,mmap,access=client,msize=65536,trans=fd,rfd=5,wfd=5) D:\ on /mnt/d type 9p (rw,noatime,dirsync,aname=drvfs;path=D:\;uid=1001;gid=1002;symlinkroot=/mnt/,mmap,access=client,msize=65536,trans=fd,rfd=5,wfd=5) A:\ on /mnt/a type 9p (rw,relatime,dirsync,aname=drvfs;path=A:\;symlinkroot=/mnt/,mmap,access=client,msize=65536,trans=fd,rfd=3,wfd=3) ``` Notice that the "A:\\" drive is still the last, so we'll find the system's cmd.exe. Now asume the same setup with the automount WSL feature disabled. My mount points would then look like: ```bash mount | grep drvfs A:\ on /mnt/a type 9p (rw,relatime,dirsync,aname=drvfs;path=A:\;symlinkroot=/mnt/,mmap,access=client,msize=65536,trans=fd,rfd=3,wfd=3) ``` Then the ramsonware would be executed. Yet, if the attacker can run the wsl command to mount the partition, they could have already ran the ramsonware right away, no need to run in circles exploiting other binaries to give them permission they already have. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2052495 Title: [MIR] wsl-pro-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2052495] Re: [MIR] wsl-pro-service
I reviewed `wsl-pro-service` `0.1.1` as checked into Noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. For the
sake of completeness, this review will also mention findings reported in
previous GitHub issues and Launchpad comments.
Ubuntu Pro for WSL (abbreviated UP4W) is a set of applications to manage Ubuntu
WSL instances, grant them Pro status, orchestrate instances from Landscape and
manage their lifecycle. It is mostly used in corporate environments.
A user can perform with the UP4W codebase the following steps:
1. Install the "Ubuntu Pro for WSL" from the Microsoft Store
2. Using the minimalist UI or the Windows Registry to attach an Ubuntu Pro token
3. Registering the WSL instances in Ubuntu Pro and Landscape
4. Verifying the status of the Ubuntu Pro token by using the `pro` client
inside the WSL instance, the Landscape client, or the Windows UP4W GUI.
Useful resources to understand the bigger picture are [the landing
page](https://ubuntu.com/desktop/wsl),
[repository](https://github.com/canonical/ubuntu-pro-for-wsl), [public
documentation](https://canonical-ubuntu-pro-for-wsl.readthedocs-hosted.com/en/la
test/#), and Canonical-specific specifications (WS0{25,27,28,31}).
The Windows agent can be installed on Windows via [the Microsoft
Store](https://apps.microsoft.com/detail/9pdxgncfsczv?rtc=1=fr-ch=CH). It
achieves the Windows-specific tasks of the UP4W infrastructure (such as getting
the subscription status from the Microsoft Store and setting the registries'
values), but will not be covered in this review. [Its
implementation](https://github.com/canonical/ubuntu-pro-for-wsl/tree/main/window
s-agent) can also be found on GitHub.
`wsl-pro-service` is a component of the UP4W Windows and Ubuntu infrastructure
owned by the Desktop team. It is meant to be a bridge between the `ubuntu-wsl`
API (interfacing the Windows host with the Ubuntu WSL instance). It is
implemented with a `systemd` service and a minimalistic CLI tool for Bash
completion and version retrieval.
The upstream codebase is in [the `wsl-pro-service` folder of the aforementioned
repository](https://github.com/canonical/ubuntu-pro-for-wsl/tree/main/wsl-pro-se
rvice).
- CVE History
- As this is new software (still in testing), there is no CVE assigned to it.
- Build-Depends
- The build process uses only the Debian toolchain, `debhelper` extensions for
Go and `apport` crash reporting, and the Go toolchain.
- Other dependencies
- The relevant Debian dependencies used when operating the service are:
- `ubuntu-advantage-tools`, which is required for its Ubuntu Pro CLI client;
and
- An optional `landscape-client`.
- The package vendors Go dependencies, which violate the Debian policy.
- These are updated by the upstream using a GHA called
`update-workspace-dependencies`, which is integrated into the
`auto-updates.yaml` workflow.
- In addition, the repository has GitHub's Dependabot set.
- pre/post inst/rm scripts
- The scripts are standard, as generated by `dh_installsystemd`.
- init scripts
- N/A
- systemd units
- There is a `systemd` unit called `wsl-pro-service` that runs
`/usr/libexec/wsl-pro-service -vv` as `root`.
- The service also leverages multiple `systemd` configuration directives to
confine itself as much as possible.
- dbus services
- N/A
- setuid binaries
- N/A
- binaries in PATH
- N/A
- sudo fragments
- N/A
- polkit files
- N/A
- udev rules
- N/A
- unit tests / autopkgtests
- Each Go module is tested accordingly.
- The testing coverage is reported by
[Codecov](https://app.codecov.io/gh/canonical/ubuntu-pro-for-wsl) to be 87%.
- These tests are also integrated into `autopkgtests`.
- cron jobs
- N/A
- Build logs
- N/A
- Processes spawned
- Because of the lack of other IPC methods with other involved binaries, the
service delegates operations to other binaries:
- `pro` for attaching and detaching Ubuntu Pro tokens;
- `wslinfo` for getting information about the WSl instance;
- `landscape-config` for manipulating the Landscape configuration; and
- `wslpath` for Windows-Linux path translations.
- The binaries are specified by name, so they will be searched in `$PATH`. As
the service runs as `root`, there is no risk of path hijacking.
- The commands are built by explicitly specifying the executables (hard-coded)
and their arguments. No instance of command injection was found during this
review.
- Memory management
- N/A
- File IO
- The service operates with the following files:
- `/etc/os-release` for obtaining the OS release;
- `/etc/resolve.conf` for obtaining the configured DNS server;
- `/proc/net/route` for getting the default gateway;
- `/etc/landscape/client.conf` as the Landscape configuration file;
- `/etc/landscape/client.conf.new` as the temporary Landscape configuration
file;
- `$USER_PROFILE/.address` for the address (`:`) of the gRPC
server created by [the Windows
[Bug 2052495] Re: [MIR] wsl-pro-service
Other patches were published in the meantime: - For the second item above, in the `347e747` commit; - Checking for a negative port number, in the `a6784f5` commit; and - Avoiding logging configuration items, in the `518a85` commit. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2052495 Title: [MIR] wsl-pro-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2052495] Re: [MIR] wsl-pro-service
The fourth item's crash has already been patched in a GitHub PR (https://github.com/canonical/ubuntu-pro-for-wsl/pull/622). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2052495 Title: [MIR] wsl-pro-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2052495] Re: [MIR] wsl-pro-service
Hi, As multiple security concerns appeared when performing the security review of this package, I had a discussion with Jean and Didier from the owning team. We concluded that reporting these issues before offering the final MIR report would be best. This is because no user is affected (as the package is still in beta), and transparency will catalyse the fixes. The concerns found are as follows: 1. Insecure gRPC communication: Because [`insecure.NewCredentials()`](https://pkg.go.dev/google.golang.org/grpc@v1.62.0/ credentials/insecure) is used in `internal/controlstream/session.go`, the created gRPC connections are unencrypted and unauthenticated. A malicious unprivileged user could make the agent connect the host to a rogue Landscape server, leading to command execution. As discussed with Didier, encryption seems unfeasible due to Windows Defender. A mitigation here will involve authentication (possibly with certificates), ensuring that the communication of the Ubuntu agent will occur only with the trusted Windows service. 2. Information leak in the temporary Landscape configuration file: `/etc/landscape/client.conf.new` is a temporary file created by the Ubuntu service in `internal/system/landscape.go` to store the Landscape configuration. This file can also store sensitive information such as the account-wide registration key, `registration_key`. This could lead to auto-registration of any computer on the Landscape server. As a mitigation, the permission model could be adjusted so that only the Landscape client can read it, not any user. 3. Command execution inside the Windows host: In `internal/system/system.go`, all mounts are iterated and checked for communication with the 9P protocol (which is standard for the second version of WSL). These drives are checked with `s.findCmdExe()` to contain the `cmd.exe` executable. [As USB drives can be made visible inside the WSL instance](https://learn.microsoft.com/en-us/windows/wsl/connect-usb), it may be possible for a rogue `cmd.exe` executable file from a USB drive to be executed. As discussed with Jean and Didier, this assumption should be manually validated. 4. Crash when using IPv6 domain servers: When detecting the address of the Windows host, the agent checks if the NAT mode is used. If so, then the `/etc/resolv.conf` file is parsed in search of `nameserver` entries. If the entry is an IPv6 entry, the address will be concatenated with the port using the `Sprintf` function. The result of this concatenation is ambiguous because it's not using the `[]:` IPv6 notation, further connections may crash. Please see [this](https://github.com/golang/go/issues/28308) proposed Golang vet check. Let me know if there is anything I can assist with in the meantime. Many thanks! ** Bug watch added: github.com/golang/go/issues #28308 https://github.com/golang/go/issues/28308 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2052495 Title: [MIR] wsl-pro-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
