• This repository has been archived on 29/Aug/2022
  • Stars
    star
    634
  • Rank 70,925 (Top 2 %)
  • Language
    Go
  • Created almost 6 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PoC for CVE-2019-5736

CVE-2019-5736-PoC

PoC for CVE-2019-5736

Created with help from @singe, @_cablethief, and @feexd

Tested on Ubuntu 18.04, Debian 9, and Arch Linux. Docker versions 18.09.1-ce and 18.03.1-ce. This PoC does not currently work with Ubuntu 16.04 and CentOS.

Go checkout the exploit code from Dragon Sector (the people who discovered the vulnerability) here.

What is it?

This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host systems runc binary from within the container.

How does the exploit work?

There are 2 use cases for the exploit. The first (which is what this repo is), is essentially a trap. An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root.

The second (which is not what this repo is), creates a malicious Docker image. When that image is run, the exploit will fire. No need to exec into the container. See the bottom of this readme for a gif example.

What do you need?

To exploit this vulnerability you need to have root (uid 0) inside the container.

Are there side effects?

Yes, you will overwrite your implementation of runc which will ensure your system will no longer be able to run Docker containers. Please backup either /usr/bin/docker-runc or /usr/bin/runc (depending on which you have; also check /usr/sbin).

How do I run it?

Modify the code however you see fit and compile it with go build main.go. Move that binary to the container you'd like to escape from. Execute the binary, and then the next time someone attaches to it and calls /bin/sh your payload will fire.

Step by step explanation

This PoC was created using an excellent explanation from this commit to the lxc project (along with some helpful advice from others).

As an example, if the target binary was /bin/bash, this could be replaced with an executable script specifying the interpreter path #!/proc/self/exe (/proc/self/exec is a symbolic link created by the kernel for every process which points to the binary that was executed for that process). As such when /bin/bash is executed inside the container, instead the target of /proc/self/exe will be executed - which will point to the runc binary on the host.

We implement this by overwriting /bin/sh in the container with #!/proc/self/exe which will point to the binary that started this process (the Docker exec).

The attacker can then proceed to write to the target of /proc/self/exe to try and overwrite the runc binary on the host. However in general, this will not succeed as the kernel will not permit it to be overwritten whilst runC is executing. To overcome this, the attacker can instead open a file descriptor to /proc/self/exe using the O_PATH flag and then proceed to reopen the binary as O_WRONLY through /proc/self/fd/ and try to write to it in a busy loop from a separate process.

Note: Some parts of the previous section are not entirely accurate. You do not need to use the O_PATH flag when getting the file descriptor for runcinit. Additionally you do not need to create the write loop in another process. We get a file descriptor for the runcinit by getting a file handle to /proc/PID/exe. From there, we then use that handle to get a file handle to /proc/self/fd/FILEDESCRIPTOR. This is the file handle we will use for writing.

Ultimately it will succeed when the runC binary exits. After this the runC binary is compromised and can be used to attack other containers or the host itself.

If we are able to write to that file handle we have overwritten the runc binary on the host. We are able to execute arbitrary commands as root.

Example of malicious Docker image

This repo does not contain this example but you can find it here. To my mind, this is the much more dangerous scenario. Simply run the malicious container image and you get code execution as root. For a detailed explanation please see this.

More Repositories

1

SneakyEndpoints

Hide from the InstanceCredentialExfiltration GuardDuty finding by using VPC Endpoints
HCL
73
star
2

aws_stealth_perm_enum

Research on the enumeration of IAM permissions without logging to CloudTrail
Python
51
star
3

CVE-2020-11108-PoC

PoCs for CVE-2020-11108; an RCE and priv esc in Pi-hole
Python
24
star
4

aws-api-models

A collection of documented and undocumented AWS API models
21
star
5

aws_api_shapeshifter

A small library to alter AWS API requests; Used for fuzzing research
Python
17
star
6

ssm-agent-research

This is a custom SSM agent which is sorta functional
Python
12
star
7

tools

A collection of pen-testing/hacking scripts. Various uses.
Python
12
star
8

gitlab-runner-research

Research on abusing GitLab Runners
Python
11
star
9

Specter

Specter is a prototype cryptocurrency developed to help people learn about Blockchain Technology.
Python
11
star
10

meltdown-spectre-poc

This is a combination of several different projects. It is intended to understand what the Meltdown and Spectre exploits are capable of.
C
7
star
11

FriendlyExitNode

The source/config of the Friendly Exit Node project.
HTML
5
star
12

selfhosted-shodan-gather

Side project to catalog various selfhosted services on the internet using Shodan; Gather metrics on usage over time
Python
5
star
13

enumate_iam_using_bucket_policy

Tool to enumerate IAM Users and Roles by Abusing S3 Bucket Policies
Python
3
star
14

Linux-From-Scratch

A repository holding everything I used to complete Linux From Scratch 8.2 (http://linuxfromscratch.org)
Shell
3
star
15

sigv4-signing-examples

Original SIGv4 Signing Examples
Python
3
star
16

deserialization_stuff

Research on deserialization attacks in Python and PHP
Python
3
star
17

easyPoll

A effective and simple polling tool for any environment
Java
2
star
18

SPA-Directory-Enumerator

Tool to perform directory enumeration of single page web applications
Python
2
star
19

WiFiReader

Identifies nearby WiFi signals
Java
1
star
20

aws_certified_solutions_architect_notes

Notes for AWS Certified Solutions Architect Studying
1
star
21

Image-Difference-Finder

A program to find the differences in "spot the differences" pictures
Java
1
star
22

GoEncryptTheCloud

Using Go, encrypt files and move them to the cloud (S3)
Go
1
star
23

aws-api-model-converter

Take undocumented APIs in the AWS Console and convert them to usable models for the AWS CLI.
1
star
24

Cut-Out-C2

Covert command and control system for Red-Team Operations
JavaScript
1
star
25

appID-2-acctID

Resolve an AWS Amplify App ID to AWS Account ID
Python
1
star
26

Bulldog-2-The-Reckoning

A vulnerable (on purpose) Node.js web application to teach about application security. A sequel to Bulldog.
TypeScript
1
star
27

Tor-Docker-Proxy

Another Tor installation in a Docker container.
1
star
28

Bulldog

The source code to a Vulnerable (on purpose) VM
HTML
1
star