• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

AI for Cybersecurity: Building Trust in Your Workflows

 | 

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

 | 

New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

 | 

Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

 | 

'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

 | 

Hackers exploit Microsoft flaw to breach Canada ’s House of Commons

 | 

Norway confirms dam intrusion by Pro-Russian hackers

 | 

Zoom patches critical Windows flaw allowing privilege escalation

 | 

Manpower data breach impacted 144,180 individuals

 | 

U.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical FortiSIEM flaw under active exploitation, Fortinet warns

 | 

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 

SAP fixed 26 flaws in August 2025 Update, including 4 Critical

 | 

August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

 | 

Dutch NCSC: Citrix NetScaler zero-day breaches critical orgs

 | 

Chrome sandbox escape nets security researcher $250,000 reward

 | 

Smart Buses flaws expose vehicles to tracking, control, and spying

 | 

MedusaLocker ransomware group is looking for pentesters

 | 

Google confirms Salesforce CRM breach, faces extortion threat

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Experts found a Privilege escalation issue in Docker Desktop for Windows

Experts found a Privilege escalation issue in Docker Desktop for Windows

Pierluigi Paganini May 22, 2020

A severe privilege escalation vulnerability, tracked as CVE-2020-11492, has been addressed in the Windows Docker Desktop Service. 

Cybersecurity researchers from Pen Test Partners publicly disclosed a privilege escalation vulnerability in the Windows Docker Desktop Service. 

The CVE-2020-11492 issue affects the way the service uses named pipes when communicating as a client to child processes. 

“Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM.  The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes.” reads the analysis published by Pen Test Partners.

“The high privilege Docker Desktop Service can be tricked into connecting to a named pipe that has been setup by a malicious lower privilege process.  Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges.”

Experts discovered that the Docker Desktop Service can be tricked by attackers into connecting to a named pipe that has been set up by a malicious lower privilege process. Then the process can impersonate the Docker Desktop Service account and execute arbitrary commands with the highest privileges.

Upon installing Docker Desktop for Windows, a service called Docker Desktop Service is installed and runs by default, waiting for the Docker Desktop application to start.

Once the Docker software is started it will create several child processes to manage several functions such as process monitoring and image creation. Windows OS uses pipes for inter-process communication (IPC).

Named pipes could allow the server side of the connection to impersonate the client account who is connecting.  The impersonation functionality allows the service to drop its credentials in favour of the connecting client.  Experts pointed out that when restricted operating system functionalities and files are requested, the action is performed under the impersonated account and not the service account that the process was launched under.

This specific right is dubbed “Impersonate a client after authentication,” and is assigned to specific accounts by default including admin, network service, IIS App Pool, and Microsoft SQL Server Account.

“By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.” continues the post.

“Anything started by the Service Control Manager will automatically get the impersonation privilege, no matter which account is used to start the service.“

Experts discovered that an attacker that is able to execute code under the context of a process with the above privileges, could set up a malicious pipe to compromise the software and elevate their privileges to system-level. 

Experts pointed out that attackers need Administrator rights to create such a service.

“Let’s say you happen to be hosting a vulnerable IIS Web Application on the same machine as Docker for Windows,” continues the analysis.”This could be one example of a successful attack vector. The initial attack vector could utilize a vulnerability in the web application to perform code execution under the limited IIS App Pool account.”

The researchers sent the details to the Docker security team on March 25, that initially said impersonation is a Windows feature and reported the issue to Microsoft.

Experts provided a Proof-of-Concept (PoC) to Docker that finally acknowledged it on April 1. 

On May 11, Docker released version 2.3.0.2 that addresses the vulnerability.

“After a few emails back and forth, then finally submitting a working PoC, Docker did agree that it was a security vulnerability and as such have now issued a fix.  When the Docker service process connects to the named pipes of spawned child processes it now uses the SecurityIdentification impersonation level.  This will allow the server end of the pipe to get the identity and privileges of the client but not allow impersonation.” Pen Test Partners concludes.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Windows, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Docker Hacking information security news it security it security news Pierluigi Paganini privilege escalation Security Affairs Security News

you might also like

Pierluigi Paganini August 18, 2025
AI for Cybersecurity: Building Trust in Your Workflows
Read more
Pierluigi Paganini August 18, 2025
Human resources firm Workday disclosed a data breach
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    AI for Cybersecurity: Building Trust in Your Workflows

    Security / August 18, 2025

    Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

    APT / August 16, 2025

    New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

    Malware / August 15, 2025

    Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

    Security / August 15, 2025

    'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

    Malware / August 15, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT