In this talk, we’ll show how our Windows container research took a different turn and led us to find multiple insecure APIs exposed through a named pipe, resulting in numerous privilege escalation vulnerabilities.
Before we jump into the vulnerabilities, we’ll explain how Docker Desktop creates an environment for Windows containers and cover its named pipes.
We’ll show the research process that led us to an interesting named pipe exposing a large set of API functions. We will show how we exploited some of these API functions and how we were able to gain a full privilege escalation to NT\System.
We’ll finish with a live demo of how an attacker with low privileges can get a SYSTEM shell, and summarize how it was fixed.
This research yielded six vulnerabilities: two of them are full privilege escalations from a low-privileged user to SYSTEM; the rest are arbitrary read/write LPEs.