Docker Desktop for Windows Incorrect Permission Assignment Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Docker Desktop for Windows contains multiple vulnerabilities caused by incorrect permission assignment in its handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without verifying its ownership, which opens two exploitation scenarios. In the first, a low-privileged attacker pre-creates the directory before Docker Desktop is installed, retains ownership of it, and later modifies its access control list (ACL) to tamper with critical configuration files such as install-settings.json, so that arbitrary code runs when Docker Desktop is used. The second is a time-of-check-to-time-of-use (TOCTOU) race condition during installation: the attacker injects malicious files into the directory before the installer applies its secure ACLs, achieving the same code execution result.
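As a defensive check added here (it is not part of the advisory and not Docker's own tooling), the following PowerShell script audits the owner and the ACL of C:\ProgramData\DockerDesktop and of install-settings.json on a system where Docker Desktop is installed, reporting any ownership by a non-privileged principal and any write-class rights held by broad groups. The trusted-owner and untrusted-identity lists are assumptions for a typical workstation and should be adjusted to the environment:

```powershell
# Added audit example (not from the advisory): report weak ownership or ACL
# entries on the Docker Desktop data directory named in the advisory.
# Run from an elevated PowerShell prompt.

$DockerDataDir = 'C:\ProgramData\DockerDesktop'   # path named in the advisory
$Targets = @($DockerDataDir, (Join-Path $DockerDataDir 'install-settings.json'))

# Principals expected to own ProgramData subtrees (assumption; adjust as needed).
$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Broad identities that must not hold write-class rights (assumption; adjust as needed).
$UntrustedIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow changing content, the DACL, or the owner.
# Modify already includes Write and Delete; FullControl overlaps all of these bits.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-DockerDesktopAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'missing'; Findings = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # The owner can always rewrite the DACL, so a non-privileged owner is a
    # finding by itself, regardless of how the current ACL entries look.
    if ($TrustedOwners -notcontains $acl.Owner) {
        $findings += "owner is '$($acl.Owner)', expected one of: $($TrustedOwners -join ', ')"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $hasWrite = ([int]($ace.FileSystemRights -band $WriteMask)) -ne 0
        if ($hasWrite -and ($UntrustedIdentities -contains $id)) {
            $findings += "'$id' holds write-class rights ($($ace.FileSystemRights))"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Status   = if ($findings.Count -eq 0) { 'ok' } else { 'weak' }
        Findings = $findings
    }
}

foreach ($t in $Targets) {
    $r = Test-DockerDesktopAcl -Path $t
    Write-Host "[$($r.Status.ToUpper())] $($r.Path)"
    foreach ($f in $r.Findings) { Write-Host "    - $f" }
}
```

Ownership is the decisive signal: the owner of a file-system object can always rewrite its DACL, so a directory owned by an unprivileged account is weak even when the current ACL entries look correct. On a machine that has not yet been set up, a pre-existing C:\ProgramData\DockerDesktop owned by a non-administrative account should be removed or re-owned by an administrator before the installer is run; this closes the pre-creation scenario described above, while the TOCTOU scenario depends on the installer itself applying its ACLs before the directory is populated.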

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Added: Feb 4, 2026, 2:20 PM
Updated: Feb 4, 2026, 5:00 PM

Vulnerability Rating

Custom Algorithm

  spread          6.6
  impact          2.5
  exploitability  3.0
  remediation     0.0
  relevance       2.8
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.