Containers

an offensive look at docker desktop extensions

30 May 2023 ~28 min By Leon Jacobs

Containers Docker Command Injection Extensions Sensecon

For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a quick look at Docker Desktop Extensions. Almost exactly a year after being announced, I wondered what the risks of a malicious docker extension could be. This is a writeup of what I learned, a few tricks I used to get some answers and how I found a “non-issue” command injection in the extensions SDK. Everything in this post was tested on macOS and Docker Desktop 4.19.0 (106363).

Containers
Docker
Command Injection
Extensions
Sensecon

Page 1 of 1