
You can't contain me: elevation-of-privilege vulnerability in Docker for Windows - ingve
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
======
nneonneo
On Linux, at least, being able to access the docker daemon (i.e. being in the
docker group) is essentially equivalent to being root, in that there are
trivial ways to become root if you can start an arbitrary container (e.g.
bind-mounting / into a container).

So, it’s perhaps unclear how this exploit is significantly worse. Yes, you get
access to SYSTEM, but Docker’s permission model appears to be predominantly
“if you can control Docker then you own the machine”. Is this not the case on
Windows?

~~~
derefr
If you can control Docker, you can do what Docker does. But Docker doesn’t
need to be able to do everything (as long as you’re sure that you’ll never
need to run a container that needs to do those things.) Specifically, you can
run the Docker daemon itself under any combination of cgroup+namespace
restrictions (i.e. “in a container”, though not usually in the sense of
running Docker in Docker.)

~~~
TheDong
> you can run the Docker daemon itself under any combination of
> cgroup+namespace restrictions

Not really though. The docker daemon needs access to the mount call, so it
either must be root or root within its namespace.

It's incredibly difficult to remove any meaningful permissions from the docker
daemon.

This is true to run any container, not just one that has bindmounts.

The docker daemon was not built to be anything but root, and running it as
"docker in docker" only works with "--privileged", which is to say, with no
security restrictions.

------
shshhdhs
> Docker at first denied a vulnerability existed at all, but later patched it
> on July 19th. After further discussions, they assigned CVE-2018-15514 on the
> 18th August.

It’s frustrating that this is the default reaction. I know why it occurs, at
least from a human psychological standpoint, but it’s still frustrating. I’ve
reported vulnerabilities without response, only to find them thanklessly fixed
later. Without reply. But most of the time, my notifications are ignored. It
becomes depressing very quickly.

~~~
jlawson
Are there possible legal consequences to acknowledging such a report, though?
Maybe it's not just psychological, but a CYA move.

~~~
Kalium
Generally no, there is minimal liability attached to acknowledging a report.
There may be internal political issues and definitely external media ones,
though.

Nobody wants to be the person who says "We're vulnerable, but I don't care
enough to fix it". That's how you get internal political battles. Denial
solves that problem.

When dealing with external reports, it means ammunition for dealing with third
parties. "We are not aware of any such vulnerabilities" becomes a defensible
position, as does telling reporters that you dispute the claims of
vulnerability. Those buy time to _maybe_ fix something.

And, well, there's the CYA psychology too. Nobody wants to confront the idea
that they, or their smart and hard-working coworkers, screwed up to the point
of creating a significant vulnerability.

------
anyzen
What is that about?

    - 2018-04-03 - Verified existing and sent to iDefense’s VCP
    - 2018-04-04 - Validated and acquired by iDefense

Is there a company that buys information about bugs ahead of time so they can
protect their clients?

(a cursory Internet search didn't answer my question)

~~~
rhplus
_Is there a company that buys information about bugs ahead of time so they can
protect their clients?_

Companies like Zerodium act as brokers for 0-day exploits, but they tend to
sell only to government agencies and the like.

[https://zerodium.com/about.html](https://zerodium.com/about.html)

~~~
anyzen
And iDefense is doing something similar?

~~~
dewey
They are more "security alerts as a service":

[https://searchsecurity.techtarget.com/feature/VeriSign-iDefe...](https://searchsecurity.techtarget.com/feature/VeriSign-iDefense-Threat-intelligence-services-overview)

