Full Report
For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a quick look at Docker Desktop Extensions. Almost exactly a year after being announced, I wondered what the risks of a malicious docker extension could be. This is a writeup of what I learned, a few tricks I used to get some answers and how I found a “non-issue” command injection in the extensions SDK. Everything in this post was tested on macOS and Docker Desktop 4.19.0 (106363).
Analysis Summary
# Tool/Technique: Docker Desktop Extensions (Malicious Context)
## Overview
This analysis investigates the security risks associated with malicious Docker Desktop Extensions, focusing on their architecture, communication mechanisms, privilege levels, and potential for arbitrary code execution on the host system (specifically tested on macOS). The core finding is that extensions present a significantly higher risk profile for command execution and file access compared to traditional containers.
## Technical Details
- Type: Technique/Architectural Vulnerability Assessment
- Platform: macOS, Docker Desktop 4.19.0 (106363)
- Capabilities: Arbitrary OS command execution, potential for host file access, persistence via hidden service containers (extension "VMs").
- First Seen: Analysis presented at SenseCon 2023 (May 2023).
## MITRE ATT&CK Mapping
The identified risks map to several core adversary tactics:
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0003 - Persistence**
  - T1543 - Create or Modify System Process
  - T1543.003 - Create or Modify System Process: Windows Service (Conceptual mapping for persistent service containers)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Due to obscurity of service container auditing)
  - T1070.004 - Indicator Removal: File Deletion (Potential hidden artifact removal)
## Functionality
### Core Capabilities (as exploited/discovered)
- **Arbitrary Operating System Command Execution:** A confirmed bug allows extensions to execute commands directly on the host system, even without specific binaries shipped in the extension payload. The bug relates to the `docker.cli.exec()` function in the extensions SDK.
- **Hidden Persistence Mechanism:** Extension service "VMs" (which run as containers) do not appear in `docker ps`, but are visible via `docker extension ls`. This allows malicious code to run persistently in an environment potentially invisible to standard security monitoring tools inspecting running processes or standard containers.
- **Elevated Privileges:** Extension service containers can be configured via their `docker-compose.yml` file to use elevated privileges, expose host ports, or mount volumes, granting access beyond typical container restrictions.
### Advanced Features
- **Hidden Service Inspection:** Getting a shell inside the hidden extension service containers requires namespace operations (`docker run --pid=host`, `lsns`, and `nsenter`) to enter the target container's PID namespace from the Docker Desktop VM host.
- **Direct Installation Bypass:** Extensions do not need to be published on the official Marketplace; any well-formed container image can be installed as an extension using `docker extension install`.
## Indicators of Compromise
*Note: Specific IOCs for a general threat were not detailed in the summary, but the focus is on **behavioral and structural IOCs**.*
| Indicator Type | Description |
| :--- | :--- |
| **File/Artifact IOCs** | Presence of extension metadata, `docker-compose.yml` files, and UI component folders related to unverified extensions within the Docker Desktop installation directory structure. |
| **Network Indicators** | N/A (Focus is on local execution and privilege escalation within the VM boundary). |
| **Behavioral Indicators** | Unsanctioned invocation of host binaries initiated via the Docker Desktop extension backend/service container. Service containers running but not listed by `docker ps`. |
## Associated Threat Actors
- No specific threat actor groups were named; the findings relate to potential risks introduced by any malicious actor deploying non-vetted extensions.
## Detection Methods
- **Behavioral Detection:** Monitoring system calls originating from processes associated with the Docker Desktop VM/extension management layer that attempt to execute arbitrary host commands or access sensitive file paths.
- **Process Auditing:** Employing tools capable of tracking processes running within the Docker Desktop Virtual Machine's namespaces (e.g., monitoring namespace context changes).
- **Architectural Visibility:** Standard container auditing with `docker ps` is insufficient for monitoring extension service workloads. Finding them requires `docker extension ls` followed by namespace inspection (`nsenter`).
## Mitigation Strategies
- **Verify Source and Open Source:** Only install extensions from trusted sources. Prioritize reviewing the source code for extensions, as the UI does not fully disclose backend capabilities.
- **Principle of Least Privilege:** Developers must minimize the required privileges (`port`, `volume`, `privilege` labels) in the extension's `docker-compose.yml`.
- **Marketplace Transparency:** A strong need for a permission overview system in the Marketplace, similar to mobile operating systems, detailing required host access capabilities upon installation.
- **Patching:** Keep Docker Desktop up to date, as the writeup confirms a command injection bug that was slated to be fixed.
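
One way to review an extension against the least-privilege point above, and against the elevated-privilege, port and volume settings listed under Core Capabilities, is to audit its `docker-compose.yml` before installing. This is an added example, not code from the original writeup or from Docker; it assumes the compose file has already been parsed into a dict, and it also flags `pid: host`, `network_mode: host` and `cap_add`, which go beyond the three settings the summary names. The sample document and image names are constructed.

```python
# Added example: flag host-exposing settings in an extension's compose document.
# Assumption: the YAML was already parsed into a dict by the caller.
RISKY_FLAGS = {"privileged": True, "pid": "host", "network_mode": "host"}

def _volume_source(vol):
    """Source of a volume entry in short ("src:dst[:mode]") or long (mapping) syntax."""
    if isinstance(vol, dict):
        return vol.get("source", "") if vol.get("type") == "bind" else ""
    parts = str(vol).split(":")
    return parts[0] if len(parts) > 1 else ""  # a lone "dst" is an anonymous volume

def audit_compose(compose):
    """Return a sorted list of (service, finding) tuples for risky settings."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        svc = svc or {}
        for key, bad in RISKY_FLAGS.items():
            if svc.get(key) == bad:
                findings.append((name, f"{key}: {str(bad).lower()}"))
        for cap in svc.get("cap_add") or []:
            findings.append((name, f"cap_add: {cap}"))
        for port in svc.get("ports") or []:
            findings.append((name, f"publishes port: {port}"))
        for vol in svc.get("volumes") or []:
            src = _volume_source(vol)
            if src.startswith(("/", "./", "../", "~")):  # host path, not a named volume
                tag = "docker socket mount" if src.endswith("docker.sock") else "host bind mount"
                findings.append((name, f"{tag}: {src}"))
    return sorted(findings)

# Constructed sample (not taken from any real extension).
SAMPLE = {
    "services": {
        "backend": {
            "image": "example/ext-backend:0.0.0",
            "privileged": True,
            "ports": ["8080:80"],
            "volumes": [
                "/var/run/docker.sock:/var/run/docker.sock",
                {"type": "bind", "source": "/Users", "target": "/host-users"},
                "cache:/data",
            ],
        },
        "minimal": {"image": "example/ext-helper:0.0.0"},
    }
}

if __name__ == "__main__":
    print("\n".join(f"{svc}: {finding}" for svc, finding in audit_compose(SAMPLE)))
```

An empty result means none of these keys are set; it does not cover what the extension's UI or host binaries do.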
## Related Tools/Techniques
- Malicious Use of Legitimate Software (Adversary can piggyback on Docker Desktop's trusted status).
- Container Escape Techniques (Exploiting elevated privileges to break out of the service container context).