Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-21626 PoC — runc container breakout through process.cwd trickery and leaked fds

Source
https://github.com/dorser/cve-2024-21626
Associated Vulnerability
Title:runc container breakout through process.cwd trickery and leaked fds (CVE-2024-21626)
Description:runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
Readme
# CVE-2024-21626 

## Overview
This repository contains code examples for an app vulnerable to CVE-2024-21626 as well as an eBPF gadget to detect exploitation attempts. 

This repoistory was created as part of this [blog post]().

**The gadget program used to detect this vulnerability is for demonstration purposes only. It is not a full detection of CVE-2024-21626.**

## Vulnerability Description
CVE-2024-21626 is a vulnerability in the runc container runtime, present in versions prior to v1.1.12. It relies on the fact that runc doesn't close a "leaked" file descriptor in a timely manner when creating or executing commands inside the container, causing the container to inherit that file descriptor and gain access to the host filesystem.

There are several ways to exploit this vulnerability. This repository how this vulnerability can be exploited at runtime.

You can read more about it [here](https://github.com/advisories/GHSA-xr7r-f8xq-vfvv).


## Usage
For this demo to work, you'll need to make sure your machine is running a runc verion <= 1.1.11.

`leaky-app` is a Go app that creates a symlink to the potentially leaked file descriptor. To build the docker image:
```
make leaky-app
```

In order to build the eBPF gadget, you'll need to [`ig`] tool.
You can build the gadget using:
```
make gadget
````

Once both are built, run the gadget using:
```
IG_EXPERIMENTAL=true sudo -E ig run trace-symlink:latest
```

Open another shell and start the leaky-app container:
```
docker run --rm --name leaky-app leaky-app
```

You should see the gadget outputs the container that called the symlink syscall.

## Disclaimer
This repository contains a demonstration application designed to showcase the detection CVE-2024-21626. 
It is important to note that this demonstration is solely for educational purposes and should not be considered as a practical detection tool. 
The detection mechanisms implemented in this demo do not cover all scenarios or accurately represent the complexities of detecting this vulnerability.
File Snapshot

 [4.0K]  /data/pocs/1b9beae7ce67fd5b5bb58bf0287a632057308aae
├── [4.0K]  gadget
│   └── [ 890]  program.bpf.c
├── [4.0K]  leaky-app
│   ├── [ 528]  Dockerfile
│   ├── [  51]  go.mod
│   └── [ 350]  main.go
├── [ 18K]  LICENSE
├── [ 180]  Makefile
└── [2.0K]  README.md

2 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →