SRC-2018-0026 : Docker dockerBackend HandleRequestAsync Deserialization of Untrusted Data Elevation of Privilege Vulnerability
Docker for Windows
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Docker for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of requests sent to the NamedPipe dockerBackend. When parsing the request buffer, the process does not properly validate user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.
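The kind of request validation described as missing above, as an added example that is not Docker's code or its patch. It assumes a .NET service and a length-prefixed JSON framing; every type, action name and limit in it is hypothetical.

```csharp
// Added example; every name here is hypothetical. Not Docker's code or its fix.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.Json;

public sealed class BackendRequest   // data-only DTO: no object-typed or polymorphic members
{
    public string Action { get; set; } = "";
}

public static class PipeRequestParser
{
    const int MaxFrameBytes = 64 * 1024;   // assumed cap for this example
    static readonly HashSet<string> AllowedActions =
        new(StringComparer.Ordinal) { "GetVersion", "GetStatus" };   // hypothetical actions

    // Reads one frame (4-byte little-endian length, then a UTF-8 JSON body).
    // Returns null for anything malformed, oversized, truncated or not allow-listed.
    public static BackendRequest? TryParse(Stream pipe)
    {
        using var reader = new BinaryReader(pipe, Encoding.UTF8, leaveOpen: true);
        try
        {
            int length = reader.ReadInt32();
            if (length <= 0 || length > MaxFrameBytes) return null;
            byte[] body = reader.ReadBytes(length);
            if (body.Length != length) return null;
            // The server fixes the target type; the payload cannot name a type to instantiate.
            var request = JsonSerializer.Deserialize<BackendRequest>(body);
            return request is not null && AllowedActions.Contains(request.Action) ? request : null;
        }
        catch (Exception e) when (e is JsonException or EndOfStreamException)
        {
            return null;
        }
    }

    // Builds a constructed sample frame for the demo below.
    static MemoryStream Frame(string json) => new(BitConverter.GetBytes(Encoding.UTF8.GetByteCount(json)).Concat(Encoding.UTF8.GetBytes(json)).ToArray());

    public static void Main()
    {
        foreach (var json in new[] { "{\"Action\":\"GetVersion\"}", "{\"Action\":\"RunAnything\"}", "not json" })
            Console.WriteLine($"{json} -> {(TryParse(Frame(json)) is null ? "rejected" : "accepted")}");
    }
}
```

Only the first constructed frame is accepted; the unknown action and the malformed body are both rejected before any request handling would run.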
Docker has issued an update to correct these vulnerabilities. More details can be found at:
- 2018-04-03 - Vulnerability reported to iDefense
- 2018-04-04 - Verified and acquired by iDefense
- 2018-06-19 - Patched by Docker (without credit)
- 2018-07-18 - Docker assigned CVE-2018-15514
- 2018-08-30 - Coordinated public release of advisory
Proof of Concept:
This vulnerability was discovered by Steven Seeley (mr_me) of Source Incite
Source Incite would like to acknowledge iDefense's Vulnerability Contributor Program for the help with co-ordination of this vulnerability.