By: Saar Amar

Scheduled on: February 4 at 10:00

WSL (Windows Subsystem for Linux) is an impressive mechanism integrated recently into the Windows 10 kernel. This subsystem allows Linux executables to run without modifications on a Windows machine, using the same system calls, file system layout and executable format — an enormous attack surface by all means. Like any other new, large, and complex codebase, it is a greenfield for vulnerability researchers, hindered only by the lack of documentation, and by a single massive .sys file just waiting to be reverse engineered.

This talk will cover the story behind one such vulnerability. On our path to its root cause, we will go down the rabbit hole and explore an astounding engineering project on Microsoft’s part, juggling between the internals of two completely different operating systems. At its end, we will showcase a Linux executable that can invoke a series of syscalls and overwrite Windows kernel memory. The entire kernel memory, as in a wild-copy. Not the simplest primitive to kick things off.

But no vulnerability is complete without an exploit. With recent advances in anti-exploitation, this isn’t an easy task at all. Between saving the kernel from crashing itself and bypassing every defensive mechanism, there is much more than a single hoop to jump through. We will demonstrate the different primitives and tricks to stabilize such memory corruption and finally achieve arbitrary code execution in modern Windows 10 kernels. All from a single Linux executable.