Elevation of Privilege in Docker for Windows

Morgan Roman

In the modern security landscape, researchers often look for complicated bugs and interesting container breakouts, but we often lose sight of the simple bugs. Inside Windows, the folder C:\ProgramData\ and its sub-folders by default are writable by all users. This means if any process that runs as admin or a high privilege user executes anything in ProgramData that doesn’t have the right access controls, then any user can escalate privilege on that machine.

I found this bug and reported this bug on July 5th, 2019. Docker fixed it in their August release.

If you look in ProcMon, you can see that Docker had a lot of interesting file read calls when Docker started:

Notice that docker was looking for docker-credential-wincred.* and unpigz.*

This was interesting because since it was attempting to read a file that did not exist in a ton of file formats, and these all looked like executable file formats. I then opened up PowerShell to just check the access controls:

Yes! It uses the default Windows access controls on that folder!

The first attempt was to drop an executable that would open calculator called unpigz.exe inside that folder. This failed. The reason for this is the docker desktop for Windows program will look for that file, but not execute it. I didn’t know that unpigz was a Linux only tool. The code that causes this is in here https://github.com/moby/moby/blob/de640c9f4932d851316a0a72470c4d3446f6f5ac/pkg/archive/archive.go#L165

The second attempt was to replace ‘docker-credential-wincred.exe’. This worked when the Docker application started and whenever Docker attempted to authenticate! The command ‘docker login’ will find and execute this exe file. I was making calculator run on my machine by typing ‘docker login’ for fun and profit all day.

Folder permissions are important

This is a very simple mistake to make, and can lead to a bad bug. A lot of computer security is just remembering to cross your T’s and dot your I’s. The lesson is to always check your access controls, especially where you load your executable from.

This could have been particularly useful for an attacker to go from minor threat on a machine with limited access, to a full admin. If you were running Docker on a Windows server, it would have let an attacker run code as an admin. Also, since many developers load Docker on their machines, an attacker could potentially use this to escalate privileges on a machine inside a corporate network that you only had limited access on.

Update as of 08/28/2019: This has the CVE ID of CVE-2019–15752 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15752

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade