Full Report
Docker is a containerization platform used all over the world. I even use it to host the Spokane Cyber Cup! Docker was ported from Linux to Windows with a completely different under-the-hood implementation because of the differences between the two operating systems. The flow of the service is:

`DockerDesktop.exe -> com.docker.service -> docker engine (dockerd) -> container`

The service communicates using named pipes, with one or more client pipes talking to one server pipe. Instead of analyzing the code, the researchers used IO Ninja to read the communication patterns over the named pipes. The author of the post also created a new tool, PipeViewer, that exposes richer information about the pipes, such as their permissions. The named pipe `dockerBackendV2` is created by the `com.docker.service` service. The pipe resolver communication uses a REST API while running as SYSTEM, and the pipe's permissions allow a low-privilege user to make calls to it. By calling this API, it was possible to mount to arbitrary locations using the service! That earlier issue was known to the Docker team and only partially fixed. The researchers then found another function, `move-data-folder`, which copies data from one folder into another, without restriction, as the SYSTEM user. With an arbitrary file write, a simple DLL hijack yields a SYSTEM shell. Windows File Protection got in the way, but they bypassed it using an indirect directory and junctions. Overall, a good post on how simple bugs can be found once you understand a complex architecture.
Analysis Summary
# Vulnerability: Docker Desktop Privilege Escalation via Arbitrary File Copying (Move Data Folder)
## CVE Details
- **CVE ID:** CVE-2022-25365 (the identifier given for the full privilege escalation, which appears to stem from an incomplete remediation of CVE-2022-23774).
- **CVSS Score:** Not explicitly provided in the summary, but the impact (SYSTEM shell via arbitrary file write) suggests a **High** severity score.
- **CWE:** Based on the description, this likely involves CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) or a path traversal issue leading to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).
## Affected Systems
- **Products:** Docker Desktop for Windows.
- **Versions:** Versions prior to the patch addressing CVE-2022-25365. (Specific vulnerable versions are not detailed in the provided text).
- **Configurations:** The issue stems from communication over the `dockerBackendV2` named pipe, accessible by a low-privilege user.
## Vulnerability Description
The vulnerability resides in the communication path between client pipes and the server pipe, specifically in `com.docker.service`, which hosts the pipe resolver communication as a REST API running with `SYSTEM` privileges.
Researchers identified a function, `move-data-folder`, which was intended to copy data between folders but lacked proper restrictions on destination paths. This function, executed by the `SYSTEM` user, allows a low-privilege user to trigger an arbitrary file write operation by specifying arbitrary source and destination folders.
The chosen exploitation path involved achieving an arbitrary file write, followed by a DLL hijacking technique to execute code as `SYSTEM`. Windows File Protection posed a challenge, which was bypassed using an indirect directory and junction points.
## Exploitation
- **Status:** PoC available (Implied, as researchers successfully achieved a SYSTEM shell).
- **Complexity:** Medium (Requires understanding the complex Docker architecture, pipe communication patterns, and bypassing mitigations like Windows File Protection).
- **Attack Vector:** Local (Requires the attacker to have a low-privilege user session on the host).
## Impact
- **Confidentiality:** High (Potential access to sensitive system files/information via arbitrary file operations).
- **Integrity:** High (Ability to overwrite critical system files).
- **Availability:** High (Potential for system disruption via file operations).
## Remediation
### Patches
- Patches addressing **CVE-2022-25365** have been released by Docker. Users should update to the patched version to resolve the vulnerability arising from the incomplete fix for CVE-2022-23774.
*(Specific patch version numbers are not provided in the source text.)*
### Workarounds
- Strictly monitor or restrict which user accounts are permitted to interact with Docker services and named pipes from low-privilege contexts if updating is not immediately possible.
## Detection
- **Indicators of compromise:** Look for unusual file writes or modifications within system or Docker installation directories originating from the `com.docker.service` process running as `SYSTEM`.
- **Detection methods and tools:** Use tools designed to monitor named pipe interactions (like the mentioned PipeViewer tool) for anomalous calls to the `dockerBackendV2` pipe, especially those related to data movement or directory operations by unprivileged users. Monitoring for successful DLL hijacking attempts would also be relevant.
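The report notes that the `dockerBackendV2` pipe's permissions let a low-privilege user call the service, and the detection guidance above points at pipe monitoring. The following audit script is added here and is not part of the original report or the PipeViewer project: it lists the DACL of the named pipes you pass in (defaulting to `dockerBackendV2`) and flags Allow entries for broad principals such as Everyone or Authenticated Users. It assumes Windows PowerShell 5.1 (.NET Framework), where `PipeStream.GetAccessControl()` is an instance method; connecting to the pipe briefly occupies one listening server instance.

```powershell
# Added audit script (not from the CyberArk write-up or the PipeViewer project).
# Assumes Windows PowerShell 5.1 / .NET Framework. Run it from a low-privileged session:
# a successful Connect() already shows the pipe is reachable from that context, and the
# DACL listing shows which principals the server granted access to.
param([string[]]$PipeName = @('dockerBackendV2'))   # pipe named in the report

# Well-known SIDs that a SYSTEM-owned service pipe normally should not grant Allow ACEs to.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-PipeAccessReport {
    param([string]$Name)
    $dir = [System.IO.Pipes.PipeDirection]::InOut
    $client = New-Object -TypeName System.IO.Pipes.NamedPipeClientStream -ArgumentList @('.', $Name, $dir)
    try {
        # Connect() opens a client handle; it consumes one listening server instance briefly.
        $client.Connect(1000)
        $acl   = $client.GetAccessControl()    # System.IO.Pipes.PipeSecurity
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            [pscustomobject]@{
                Pipe      = $Name
                Principal = if ($BroadSids.ContainsKey($sid)) { $BroadSids[$sid] } else { $sid }
                Type      = $rule.AccessControlType
                Rights    = $rule.PipeAccessRights
                # Broad = an Allow ACE for a principal every low-privileged user belongs to.
                Broad     = ($rule.AccessControlType -eq 'Allow') -and $BroadSids.ContainsKey($sid)
            }
        }
    } catch [System.TimeoutException] {
        Write-Warning "$Name : no listening server instance (service not running?)"
    } catch [System.UnauthorizedAccessException] {
        Write-Warning "$Name : access denied from this context (pipe is not open to this user)"
    } finally {
        $client.Dispose()
    }
}

$report = foreach ($p in $PipeName) { Get-PipeAccessReport -Name $p }
$report | Sort-Object Pipe, Principal | Format-Table -AutoSize
if ($report | Where-Object Broad) {
    Write-Warning 'Broad Allow ACE found: low-privileged users can call this pipe; review who needs access.'
}
```

Run it before and after applying the Docker Desktop update to confirm that the pipe is no longer callable from a standard user session, and pass additional pipe names to review other service pipes on the host.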
## References
- Vendor advisory related to CVE-2022-25365 and CVE-2022-23774 (Search for Docker Desktop Security Advisory).
- CyberArk Blog Post: https://www.cyberark.com/blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-1/
- Researcher Tool: PipeViewer (https://github.com/cyberark/PipeViewer)