3

I forgot my Ubuntu user's password in WSL, but I was able to reset it by:

  • Opening a CMD shell
  • wsl -u root, then (inside Ubuntu), passwd my_username

I was able to change my password without providing my old password. It worked, but isn't this a vulnerability in terms of security? I am actually new to Linux/Unix, so this question came to mind ...

NotTheDr01ds
Ommm

1 Answer

6

It's a good question -- Regardless of how new or experienced you are, assessing the security of your system is a valuable exercise, IMHO.

I've personally thought many times about this (and slightly different forms of this) particular question myself, but I haven't yet found a clear attack vector for which this capability could be exploited.

There are several things to keep in mind here:

  • Your WSL instance runs with your Windows user's permissions.

    Even when you are running as root inside Ubuntu, you cannot make changes to any file in Windows that your normal Windows user wouldn't be able to. For instance:

    • You can delete or modify files in /mnt/c/<your_Windows_user>/Documents through WSL (as either root or your normal user)
    • You cannot modify system files or executables like /mnt/c/Windows/gdi32.dll, since you wouldn't be able to do that even through File Explorer unless you ran in an Administrative session (don't do that!).

    Again, this is no different than what your normal Windows user can (and can't) do already.


  • Your Windows user has complete control over Ubuntu in WSL (and any other distribution).

    This is similar to how things would work with a VM or any container technology. Since you are the Windows user who is running WSL, you already have the ability to:

    • Install a new Ubuntu instance in WSL, set a username, etc.
    • Delete the Ubuntu instance via the wsl --unregister command (don't do this!)
    • Have complete access to the virtual drive (.vhdx), could copy it to another machine, examine it, modify it, etc.
    • And, as you've discovered, change the password for a user by running as root (with no password needed).

    Because you are the Windows user who is running WSL, you already can do anything you want with it. There's simply no reason for WSL to require you to "log in" with a password to Ubuntu.

    There are other similar scenarios that exist even within "pure Ubuntu" -- Running a Docker or Podman (or other) container gives you complete control over that container. You can create users inside that container, create or delete files, etc. You don't need a password when you start an Ubuntu Docker container as root inside Docker (et al.); just like you don't need a password when you start Ubuntu as root on WSL.


The reality is that, if an attacker gains enough access to your system to run arbitrary code as your Windows user, they've already "won", regardless of whether or not they get access to Ubuntu running inside it. Forcing you to use a password to "login" to Ubuntu in WSL (whether as root or another user) wouldn't add any additional defenses in this scenario.

NotTheDr01ds
  • +1 An excellent answer. – user535733 Oct 19 '22 at 02:35
  • Also, you can use disk encryption, if you're worried about this happening. Don't think it would work with WSL, but the same "attack" can be used on Windows too: if you have access to the disk, your password can be reset and all files can be read. Unless there's disk encryption; then you must have the password. – Cagri Oct 19 '22 at 14:55
  • There is another problem: WSL is vulnerable to code running inside WSL! By default you can run wsl.exe -u root from within WSL. – pabouk - Ukraine stay strong Dec 07 '22 at 08:41
  • @pabouk-Ukrainestaystrong Right - When I say that I've thought about "slightly different forms of this particular question", that's one of the scenarios to which I'm referring. Yes, you can run wsl.exe -u root from inside WSL to elevate privileges, but how does that change the attack vector? If the attacker has access to the Host, they have access to the Client, but not necessarily vice-versa. Running as root in WSL still does not elevate Windows privileges. – NotTheDr01ds Dec 11 '22 at 00:49
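
The last two comments turn on whether code inside the distribution can reach wsl.exe at all. The following is an added example, not code from the answer or the commenters: a check, run inside the distribution, of the `[interop]` `enabled` key in /etc/wsl.conf (default `true`), which controls whether Windows executables can be launched from inside WSL. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report whether Windows interop is enabled for this distribution.

# wsl_conf_get FILE SECTION KEY DEFAULT -> prints the last value set for
# KEY in [SECTION], or DEFAULT if the file or the key is missing.
# SECTION and KEY must be given in lower case; the file is matched case-insensitively.
wsl_conf_get() {
    local file=$1 section=$2 key=$3 default=$4 value=""
    if [ -r "$file" ]; then
        value=$(awk -v want_sec="$section" -v want_key="$key" '
            { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
            /^#/ || /^$/ { next }                      # comments, blank lines
            /^\[.*\]$/ { sec = tolower(substr($0, 2, length($0) - 2)); next }
            sec == want_sec {
                eq = index($0, "=")
                if (eq == 0) next
                k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v)
                if (tolower(k) == want_key) found = v
            }
            END { print found }
        ' "$file")
    fi
    printf '%s\n' "${value:-$default}"
}

# wsl_interop_audit [FILE] -> prints interop=enabled or interop=disabled.
wsl_interop_audit() {
    local conf=${1:-/etc/wsl.conf} interop
    interop=$(wsl_conf_get "$conf" interop enabled true | tr 'A-Z' 'a-z')
    if [ "$interop" = "false" ]; then
        echo "interop=disabled"
    else
        echo "interop=enabled"   # the default when the key is absent
    fi
}

# Constructed sample config, used only to demonstrate the parser.
sample=$(mktemp)
printf '[user]\ndefault = my_username\n\n[interop]\nenabled = false\n' > "$sample"
wsl_interop_audit "$sample"          # constructed file
wsl_interop_audit /etc/wsl.conf      # this distribution, if run inside WSL
rm -f "$sample"
```

Changes to /etc/wsl.conf apply only after the distribution is restarted, and the setting does nothing to limit what the Windows user can do from the host.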