Naked Security Naked Security

Docker Desktop danger discovered, patch now

Docker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service.

Docker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service. The bug, discovered by Ceri Coburn, a researcher at security consultancy Pen Test Partners, exposed Docker for Windows to privilege elevation.
Docker is a container system that lets administrators run applications in their own environments. Containers are a little like virtual machines, but instead of recreating a whole operating system in software, they share a lot of the host OS’s underlying resources. That makes them smaller and more nimble than virtual machines (VMs).
There are two Docker components running under Windows that are important to this vulnerability: Docker Desktop Service (DDS) and Docker Desktop for Windows (DDW). DDS runs in the background, while DDW is the the control panel that lets admins manage their containers.
When DDW opens, it spawns a lot of child processes in Windows that support container management. DDS connects to these child processes using a Windows mechanism called a pipe that allows different processes to communicate with each other.
DDS operates under a SYSTEM account in Windows which is a very high-privilege account. An attacker gaining access to a SYSTEM account gets the keys to the kingdom.
The vulnerability that Pen Test Partners found uses a Windows feature called impersonation. It allows the server side of a process to impersonate the client side. That’s because client processes often need the server process to carry out system tasks in their name.


Not all accounts have this impersonation privilege. According to Coburn, anything started under a Windows Service account does.
This means that an attacker who can cause the system to start a process under a Service account could manipulate DDS, taking advantage of its SYSTEM account privilege. If the process used a name that DDS would normally connect to, then after the connection was made it could drop its own credentials and use the DDS credentials instead. Coburn explained:

Once docker is connected, we impersonate the connecting client, which is SYSTEM, and launch a new process using the CreateProcessWithTokenW API.

CreateProcessWithTokenW is a Win32 API that lets you create new processes.
You’d need to have already compromised a system to create such an account, pointed out Coburn, but explained that a user could get in by manipulating a vulnerable web application in IIS (Microsoft’s web server), which could well be running on the same machine. That would make this a potentially useful exploit as part of a chained attack that strings multiple exploits together to first gain a foothold and then elevate privilege.
Docker was less than helpful to begin with, according to Coburn, who said:

When initially disclosing, Docker denied that the vulnerability even existed. Their stance was that impersonation is a Windows feature and that we should speak to Microsoft.

He persisted, though, arguing that developers should turn off the impersonation feature if they’re developing SYSTEM services that interact with named pipes as a client. Docker declined twice and then tried to run the proof of concept code under an account without impersonation privileges, so Coburn sent instructions on how to duplicate the problem. At that point, the company confirmed the bug, releasing the fix on 11 May in version 2.3.0.2.
The bug has the CVE 2020-11492, which was listed as ‘reserved’ at the time of writing.

Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.