
Windows Server 2016 / Docker Privilege Escalation

After catching Microsoft's talk at DockerCon discussing the recent addition of Docker container support in Windows Server 2016, I wanted to play around with the technology with the aim of understanding how this could be leveraged during a security assessment.

Before starting, I first had to configure Windows Server to support Docker containers. This was pretty painless using the following steps:

  1. Install Windows Server 2016
  2. Install the latest patches
  3. Install "Containers" as a feature on the server
  4. Follow “Install Docker” steps from the MSDN Quick Start guide

Once Docker had been installed, I found that by default only a member of the Administrators group (utilising a UAC elevated command prompt) was able to interact with the Docker named pipe (\\.\pipe\docker_engine) which is used to control the Docker service.

For example, if we are authenticated as a user who is not within the Administrators group, we receive the following error upon issuing the "docker version" command:

error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.25/version: open //./pipe/docker_engine: Access is denied.

As documented by Microsoft here, it is possible to modify the permissions required to access the Docker service. By creating a file named "daemon.json" within "%programdata%\docker\config", we can specify the group a user is required to be a member of in order to interact with Docker, for example:

{
  "group" : "Users"
}

Reviewing the access rights on the "%programdata%\docker\config" directory, we find the following permissions are used by default upon install:

C:\ProgramData\docker\config NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                         BUILTIN\Administrators:(OI)(CI)(ID)F
                         CREATOR OWNER:(OI)(CI)(IO)(ID)F
                         BUILTIN\Users:(OI)(CI)(ID)R
                         BUILTIN\Users:(CI)(ID)(special access:)
                           FILE_WRITE_DATA
                           FILE_APPEND_DATA
                           FILE_WRITE_EA
                           FILE_WRITE_ATTRIBUTES

Most notably, the "BUILTIN\Users" group is permitted to add files to the directory. This means that, as a low-privileged user, we can create a "daemon.json" file as above, allowing low-privileged users to interact with the Docker service.

Note: For the configuration changes to take effect, the Docker service needs to be restarted, or the operating system restarted.

At this point, exploitation is similar to that of the Linux Docker environment. For example, we can mount volumes within the Docker container using the following command:

docker run -it -v C:\Users\Administrator:C:\vuln microsoft/nanoserver cmd.exe

Executing this command, cmd.exe will be launched inside a Docker container with read/write access to the C:\Users\Administrator directory on the host operating system via C:\vuln.

A short POC demonstration is available which shows exploitation from beginning to end:

I'd like to thank Microsoft and Docker for their communication and effort throughout the remediation process.

For any users affected, the following steps have been taken by Microsoft and Docker to remediate this issue:

  • v1.13-rc Docker builds have been fixed.
  • A pull request can be found here which shows the applied fix.
  • A PowerShell script is currently being developed which checks ACLs on previous deployments of Docker here.
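
For existing deployments, the directory ACL described earlier can be audited with a short read-only check. This is an added example, not the script from Microsoft or Docker referenced above; it assumes the default %ProgramData%\docker\config path and treats only SYSTEM and Administrators as expected writers.

```powershell
# Added example: read-only audit of the Docker config directory ACL.
# Assumes the default path %ProgramData%\docker\config described on this page.
$configDir = Join-Path $env:ProgramData 'docker\config'
if (-not (Test-Path -LiteralPath $configDir)) {
    Write-Output "No Docker config directory at $configDir"
    return
}

# Rights that allow dropping a new daemon.json into the directory.
# On a directory, WriteData means "create files"; generic bits may appear raw.
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000
$createMask  = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor $GENERIC_WRITE -bor $GENERIC_ALL
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Well-known SIDs expected to hold write access here.
$trusted = @(
    'S-1-5-18',     # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'  # BUILTIN\Administrators
)

# Request the rules keyed by SID so the comparison is not locale dependent.
$acl   = Get-Acl -LiteralPath $configDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Keep Allow ACEs that apply to the directory itself (not inherit-only),
# grant file creation, and belong to a principal outside the trusted list.
$weak = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
    (([int]$_.FileSystemRights -band $createMask) -ne 0) -and
    ($trusted -notcontains $_.IdentityReference.Value)
})

foreach ($r in $weak) {
    # S-1-5-32-545 is BUILTIN\Users, the group shown in the ACL listing on this page.
    Write-Output ("WEAK ACE: {0} can create files in {1} ({2})" -f $r.IdentityReference.Value, $configDir, $r.FileSystemRights)
}
if ($weak.Count -eq 0) { Write-Output "OK: only SYSTEM and Administrators can create files in $configDir" }

# Report an existing daemon.json: who owns it and which group it grants pipe access to.
$daemonJson = Join-Path $configDir 'daemon.json'
if (Test-Path -LiteralPath $daemonJson) {
    $owner = (Get-Acl -LiteralPath $daemonJson).Owner
    $group = (Get-Content -LiteralPath $daemonJson -Raw | ConvertFrom-Json).group
    Write-Output "daemon.json owner: $owner; group setting: '$group'"
}
```

A daemon.json owned by a non-administrative account, or a "group" value nobody on the team set, is worth investigating even after the ACL has been corrected.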

Disclosure Timeline

  • 3rd November 2016 - Initial disclosure to Microsoft MSRC
  • 3rd November 2016 - Confirmation from Microsoft, assigning case number
  • 14th November 2016 - Microsoft confirm that they are working directly with Docker to fix
  • 10th January 2017 - Microsoft confirm fix has been shipped in Docker v1.13-rc builds