
Broken with windows firewall #722

Closed
cartel0x27 opened this Issue Aug 3, 2016 · 14 comments

Comments

@cartel0x27

cartel0x27 commented Aug 3, 2016

With Windows Firewall set to 'outbound rules that do not match a rule are denied', it's impossible to create a rule to allow bash-on-windows to do anything with the network.

  • Expected results: connect to the network
  • Actual results:
    telnet: Unable to connect to remote host: Permission denied
  • Your Windows build number: 1607
  • Steps / commands required to reproduce the error
    Configure Windows Firewall as above
    Try to connect or do anything with the network
    Try to configure windows firewall to allow the bash process - it doesn't exist so there's no way to create a rule
  • Strace of the failing command
    execve("/usr/bin/telnet", ["telnet", "192.168.191.53", "53"], [/* 19 vars */]) = 0
    brk(0) = 0x1edd000
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699d50000
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=18732, ...}) = 0
    mmap(NULL, 18732, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5699d4b000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/usr/lib/x86_64-linux-gnu/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \266\5\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0644, st_size=979056, ...}) = 0
    mmap(NULL, 3159040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f56996f0000
    mprotect(0x7f56997d6000, 2093056, PROT_NONE) = 0
    mmap(0x7f56999d5000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe5000) = 0x7f56999d5000
    mmap(0x7f56999df000, 82944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f56999df000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\37\2\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0755, st_size=1840928, ...}) = 0
    mmap(NULL, 3949248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5699320000
    mprotect(0x7f56994db000, 2093056, PROT_NONE) = 0
    mmap(0x7f56996da000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ba000) = 0x7f56996da000
    mmap(0x7f56996e0000, 17088, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f56996e0000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20V\0\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0644, st_size=1071552, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699d40000
    mmap(NULL, 3166568, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5699010000
    mprotect(0x7f5699115000, 2093056, PROT_NONE) = 0
    mmap(0x7f5699314000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x104000) = 0x7f5699314000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260
    \0\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0644, st_size=90160, ...}) = 0
    mmap(NULL, 2186016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5698df0000
    mprotect(0x7f5698e06000, 2093056, PROT_NONE) = 0
    mmap(0x7f5699005000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f5699005000
    close(3) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699d30000
    mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699d20000
    arch_prctl(ARCH_SET_FS, 0x7f5699d20780) = 0
    mprotect(0x7f56996da000, 16384, PROT_READ) = 0
    mprotect(0x7f5699314000, 4096, PROT_READ) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699d10000
    mprotect(0x7f56999d5000, 32768, PROT_READ) = 0
    mprotect(0x614000, 4096, PROT_READ) = 0
    mprotect(0x7f5699c22000, 4096, PROT_READ) = 0
    munmap(0x7f5699d4b000, 18732) = 0
    brk(0) = 0x1edd000
    brk(0x1f02000) = 0x1f02000
    rt_sigaction(SIGTSTP, {0x40b6c0, [TSTP], SA_RESTORER|SA_RESTART, 0x7f5699356d40}, {SIG_DFL, [], SA_RESTORER, 0x7f39ea026d40}, 8) = 0
    ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
    rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
    ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699d00000
    write(1, "Trying 192.168.191.53...\n", 25Trying 192.168.191.53...
    ) = 25
    close(-1) = -1 EBADF (Bad file descriptor)
    socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
    setsockopt(3, SOL_IP, IP_TOS, [16], 4) = 0
    connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.191.53")}, 16) = -1 EACCES (Permission denied)
    dup(2) = 4
    fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
    fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
    ioctl(4, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5699cf0000
    lseek(4, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
    write(4, "telnet: Unable to connect to rem"..., 60telnet: Unable to connect to remote host: Permission denied
    ) = 60
    close(4) = 0
    munmap(0x7f5699cf0000, 4096) = 0
    close(3) = 0
    exit_group(1) = ?
    +++ exited with 1 +++
  • Required packages and commands to install
    just bash
@aseering

Contributor

aseering commented Aug 3, 2016

@pnegry -- thanks for reporting this! I'm curious -- have you tried creating a blanket outbound rule (for a specific port but not tied to any particular application)?

@cartel0x27

Author

cartel0x27 commented Aug 3, 2016

It works if I set the firewall to 'outbound connections that do not match a rule are allowed'; otherwise, I get 'permission denied'.
Edit: it seems to work if I have a corresponding inbound rule, but this is not really an acceptable solution.

@VarunAgw


VarunAgw commented Aug 7, 2016

Same here :(

@romanlum


romanlum commented Aug 7, 2016

+1
I have installed Windows Firewall Control (advanced) and it pops up with the process name "pico". I cannot add a permanent rule for pico because it is a virtual process, not an executable on disk.

Please extend windows firewall to support pico processes

@VarunAgw


VarunAgw commented Aug 7, 2016

Edit: it seems to work if i have a corresponding inbound rule, but this is not really an acceptable solution

@pnegry Just curious what you meant by this? Maybe this is something I can try.

@foxx1337


foxx1337 commented Aug 11, 2016

#475 is pretty much the same issue. Apparently latest AVG, as stated there by @zbtlxjxi, supports these pico processes.

@cartel0x27

Author

cartel0x27 commented Oct 3, 2016

To clarify, with Windows Firewall outbound set to 'block', specific rules are required based on destination ports, which obviously compromises security as it permits any application to use those ports. AFAICT, the WSL team has written some kind of draft for how to deal with this, and is running it past the Windows Defender team (which Windows Firewall sits under), before it gets finalised and is released to the other AV vendors as the 'official' way to do things. Good on WSL team for recognising this as a serious issue.

@cartel0x27

Author

cartel0x27 commented Apr 3, 2017

Hello again, started a new issue #1852 to get an update on what has happened for Redstone 2.

@tara-raj

Member

tara-raj commented Jun 5, 2018

Fixed in Insiders Build 17627

@tara-raj tara-raj closed this Jun 5, 2018

@VarunAgw


VarunAgw commented Jun 5, 2018

@tara-raj I have a quick question about it. I saw the release notes. But is it possible to whitelist the whole WSL at once (instead of choosing each process manually)?

@benhillis

Member

benhillis commented Jun 5, 2018

@VarunAgw - No that is not possible. At that point you are essentially disabling your firewall.

@VarunAgw


VarunAgw commented Jun 5, 2018

@benhillis That's unfortunate. But for many use cases it makes sense to treat WSL as a single application (like a VirtualBox VM).

@therealkenc

Collaborator

therealkenc commented Jun 6, 2018

@VarunAgw

WSL as single application (like virtualbox vm)

The analogy doesn't hold because VirtualBox has (a) its own network namespace and (b) privilege separation from the applications running inside it. WSL has neither.

Whitelisting (say) /usr/bin/node is the same as whitelisting C:\Users\you\node\bin\node.exe: both are owned by user you and can be replaced without any Windows privilege escalation, so a rule keyed on that path trusts whatever binary currently sits there. Contrast whitelisting (say) C:\WINDOWS\System32\sshd, which user you cannot modify.

@VarunAgw


VarunAgw commented Jun 7, 2018

@therealkenc I know they are different things, but it would be nice to have similar behaviour with WSL too (just my 2 cents). I don't care about the details, but as an end user I would personally find it really awesome if I could create a single rule for pico processes that whitelisted all of them.
