
CVE-2025-9074 PoC — Docker Desktop allows unauthenticated access to Docker Engine API from containers

Source
Associated Vulnerability
Title: Docker Desktop allows unauthenticated access to Docker Engine API from containers (CVE-2025-9074)
Description: A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.
Readme
# CVE-2025-9074 – Docker Desktop (Windows) Container→Host Write via Exposed Engine API

**Author:** w01f

**Status:** Proof-of-Concept (educational / authorized testing only)

## Overview

This project demonstrates a PoC for **CVE-2025-9074**, a misconfiguration/exposure in certain versions of **Docker Desktop for Windows** where the Docker Engine **HTTP API** at `http://192.168.65.7:2375` is reachable from containers (and sometimes via SSRF), allowing an attacker to create a container with a **bind mount** to the Windows host drive and write files to the host.

> ⚠️ Use only in a controlled lab or with explicit written permission. Misuse may violate laws and policies.

## What this PoC does

* Connects to the Docker Engine API (default: `http://192.168.65.7:2375`)
* Creates a short-lived container with a **bind mount** from the host `C:\` (as `/mnt/host/c` inside the Linux VM) to `/host_root` inside the container
* Runs a simple command to create **`C:\pwn.txt`** on the host

If the target is vulnerable, you’ll see the file appear on the Windows host.

## Affected / Preconditions

* **Target:** Windows machine running vulnerable Docker Desktop where the Engine API is exposed to containers at `192.168.65.7:2375` (HTTP, no TLS).
* **Attacker vantage:** Any container running on that host (or a service with SSRF access to the engine endpoint).
* **This PoC runs inside a container** (typical real-world vantage point).

> ✅ If `GET http://192.168.65.7:2375/_ping` returns `OK` from inside a container, the PoC conditions likely exist.

## Repository Layout

```
.
├─ cve_2025_9074_poc.py     # Python PoC (requests-based)
└─ README.md                # This file
```

## Requirements

* Python 3.8+
* `pip install requests`
* Ability to reach the Docker Engine API (default: `http://192.168.65.7:2375`) from the container where you run the PoC

## Quick Start (inside a container on the target host)

```bash
# 1) Install dependency
pip install --no-input requests

# 2) Run the PoC
python3 cve_2025_9074_poc.py

# Optional: customize output filename or image
# python3 cve_2025_9074_poc.py --outfile test.txt --image busybox
```

**Default behavior:**

* Target engine: `http://192.168.65.7:2375`
* Host path bound: `/mnt/host/c`  (Windows C:\ as seen from the Linux VM)
* Mount point in container: `/host_root`
* File created on host: `C:\pwn.txt`

### Command-line options

```text
--host        Engine host IP (default: 192.168.65.7)
--port        Engine port     (default: 2375)
--image       Container image (default: alpine)
--host-path   Path on engine host/VM to bind (default: /mnt/host/c)
--mount-path  Path inside the container      (default: /host_root)
--outfile     Filename to create on host C:\ (default: pwn.txt)
```

### Expected Result

On a vulnerable system, after running the PoC you should find:

```
C:\pwn.txt
```

containing the text `pwned_by_CVE_2025_9074`.

## Cleanup

The PoC uses a short-lived container. If you want to be thorough:

```bash
# From a privileged shell with docker CLI access:
docker ps -a --format '{{.ID}}\t{{.Image}}\t{{.Command}}'
# Remove by container ID if any remain:
docker rm -f <CONTAINER_ID>
# Remove the test file on the host (run from a Windows cmd.exe prompt, not from the bash shell above):
del C:\pwn.txt
```

## Mitigation (Defensive Guidance)

* **Update Docker Desktop for Windows** to a patched release (or the latest available).
* Ensure the Docker Engine API is **not exposed** over plain HTTP to untrusted networks or to containers.
* Prefer TLS-protected access and strict access controls for the Engine API.
* Consider network policies / firewall rules that block container access to the engine endpoint.

## Detection Ideas (Blue Team)

* Look for **container create** events where `HostConfig.Binds` includes paths like `/mnt/host/c` or other host drive mounts.
* Monitor unexpected **file creations on `C:\`** from processes attributable to the Docker Linux VM context.
* Network telemetry from container namespaces to `192.168.65.7:2375` (HTTP) is suspicious.
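The first bullet above can be automated. The following Python is an added example, not code from the PoC repository or from Docker's own tooling: it scans container-create request records for bind mounts whose source is a Docker Desktop host-drive path (`/mnt/host/<drive>`), the VM root, or the engine socket. It assumes each record carries the Engine API `ContainerCreate` body (`Image`, `HostConfig.Binds`, `HostConfig.Mounts`) plus an `id` and `client_ip` field added by whatever collected it; the sample records are constructed for the demo.

```python
"""Flag container-create requests whose bind mounts reach the host drive.

Added example, not from the PoC repository. It assumes each audit record
carries the Engine API ContainerCreate body (Image, HostConfig.Binds and/or
HostConfig.Mounts); the sample records below are constructed for the demo.
"""
from typing import Any, Dict, Iterable, List

# Sources that expose the host: Docker Desktop's host-drive mounts as seen from
# the Linux VM (/mnt/host/<drive>; the README's default is /mnt/host/c) and the
# engine socket. The VM root "/" is handled separately below.
SENSITIVE_SOURCES = ("/mnt/host", "/var/run/docker.sock")


def bind_source(bind: str) -> str:
    """Host-side source of a Binds entry 'src:dst[:opts]'.

    On the Linux VM side a source never contains a drive-letter colon, so the
    first ':' always separates source from destination.
    """
    return bind.split(":", 1)[0]


def is_sensitive_source(src: str) -> bool:
    """True if src is the VM root, under /mnt/host, or the engine socket."""
    norm = src.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_SOURCES)


def mount_sources(host_config: Dict[str, Any]) -> List[str]:
    """Collect bind sources from both HostConfig.Binds and HostConfig.Mounts."""
    sources = [bind_source(b) for b in host_config.get("Binds") or []]
    for m in host_config.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source"):
            sources.append(m["Source"])
    return sources


def scan_create_requests(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per record that binds a sensitive host path."""
    findings = []
    for rec in records:
        host_config = rec.get("HostConfig") or {}
        hits = [s for s in mount_sources(host_config) if is_sensitive_source(s)]
        if hits:
            findings.append({
                "id": rec.get("id", "?"),
                "client": rec.get("client_ip", "?"),
                "image": rec.get("Image", "?"),
                "sources": ",".join(hits),
            })
    return findings


# Constructed sample records: evt-1 mirrors the README's default bind,
# evt-2 is a benign named volume, evt-3 uses the Mounts form on drive D:,
# evt-4 mounts the engine socket.
SAMPLE_RECORDS = [
    {"id": "evt-1", "client_ip": "172.17.0.5", "Image": "alpine",
     "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]}},
    {"id": "evt-2", "client_ip": "172.17.0.6", "Image": "nginx",
     "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html"]}},
    {"id": "evt-3", "client_ip": "172.17.0.7", "Image": "busybox",
     "HostConfig": {"Mounts": [{"Type": "bind", "Source": "/mnt/host/d/Users",
                                "Target": "/host"}]}},
    {"id": "evt-4", "client_ip": "172.17.0.8", "Image": "alpine",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]}},
]

if __name__ == "__main__":
    for f in scan_create_requests(SAMPLE_RECORDS):
        print(f"ALERT {f['id']} client={f['client']} image={f['image']} "
              f"sources={f['sources']}")
```

Feed it the `HostConfig` bodies from your API gateway or audit log (a reverse proxy in front of the engine endpoint, or Docker's own event stream enriched with the inspect output) and alert on any finding; the `client` field is what ties a hit back to the container that issued the request.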

## Troubleshooting

* **`/_ping` not OK / connection refused**: The engine API isn’t reachable from your container; the host may be patched or the endpoint not exposed.
* **File not created**: Check that `--host-path` correctly maps to the Windows `C:\` from the Linux VM. Some environments differ.
* **Image pull issues**: Pre-pull `alpine` or switch to `busybox` with `--image busybox`.

## Legal & Ethical Notice

This PoC is provided **for educational and authorized testing only**. Running against systems without explicit written authorization is illegal and unethical. The author and contributors are **not responsible** for misuse or damages.

## License

MIT

---

**Author:** w01f
File Snapshot

```
[4.0K] /data/pocs/b563b353a4b394b0dd608d8af61a75c2bf74af11
├── [3.4K] cve_2025_9074_poc.py
├── [4.6K] README.md
└── [ 975] sigma.yml

0 directories, 3 files
```