
CVE-2019-5736 PoC — Docker OS Command Injection Vulnerability

Source
Associated Vulnerability
Title: Docker OS Command Injection Vulnerability (CVE-2019-5736)
Description: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Description
CVE-2019-5736 implemented in a self-written container runtime to understand the exploit.
Readme
# CVE-2019-5736-Custom-Sandbox

## General

CVE-2019-5736 implemented using a shallow, self-written container runtime to understand the exploit.

Exploit is based on (and almost all copied from) the runc-poc by twistlock: https://github.com/twistlock/RunC-CVE-2019-5736/tree/master/malicious_image_POC

## Container Runtime (quarantine)

See code docs for further details.

```sh
Usage: quarantine [OPTIONS] [BINARY and its ARGS]

--rootfs: (mandatory) Specify a rootfs for the container.
--urange: Specify a urange start_host:end_host,start_guest.
--grange: Specify a grange start_host:end_host,start_guest.
--uid:    Specify the desired UID in the container.
--ugd:    Specify the desired GID in the container.
--supp:   Append supplementary groups from the specified grange to the process running in the container.
```

Unshares all namespaces except the user namespace. The user namespace is only unshared under special circumstances, i.e. when `urange`, `grange`, `uid` and / or `gid` are specified.

## Setup for the exploit

This was tested and done on Ubuntu 18.04.

1. Get a rootfs (bionic for example)
    - `mkdir rootfs`
    - `sudo debootstrap bionic ./rootfs`
2. Get libcap source
    - `git clone https://github.com/mhiramat/libcap`
3. Modify libcap
    - `cat exploit_code_for_shared_lib.c >> <any cap*.c, I used cap_alloc.c>`
    - `make`
4. chroot into the rootfs and install libcap-dev so you can simply link to the modified `libcap.so`
    - `sudo chroot rootfs`
    - `apt install libcap-dev`
5. Copy the created `libcap.so.2.25` file into the appropriate rootfs dir
    - `sudo cp libcap.so.2.25 rootfs/lib/x86_64-linux-gnu`
    - *Note*: For me, there already was a link pointing at that exact libcap file version, so I didn't have to link it
    - *Note*: This path might change, always look at where the compiled quarantine expects the libcap to be: `ldd quarantine`
6. Compile and copy the other files into the rootfs
    - `sudo cp shebang_exploit rootfs/`
    - `sudo gcc -o rootfs/root/payload payload.c`
    - `sudo gcc -o rootfs/overwrite_sndbx_runtime overwrite_sndbx_runtime.c`

## Run exploit

For example: `sudo ./quarantine --rootfs rootfs /shebang_exploit` or `./quarantine --rootfs rootfs --uid 1 /shebang_exploit`.

It works as long as you either keep `CAP_DAC_OVERRIDE` or `CAP_SYS_ADMIN` on the host, i.e. don't unshare user ns when using sudo (since this drops caps in parent ns), or you own the file on the host.