
CVE-2019-5736 PoC — Docker OS Command Injection Vulnerability

Associated Vulnerability
Title: Docker OS Command Injection Vulnerability (CVE-2019-5736)
Description: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Readme
# CVE-2019-5736-attack-and-security-mechanism
In this project, we reproduced a recent attack delivered through a malicious container and implemented a security mechanism to stop it.  

## **Introduction**  
Cyber-attacks have become a critical challenge for both companies and small businesses, largely due to vulnerabilities in various components of their IT resources. Understanding these threats is the first step in safeguarding an organization's data and assets. Common forms of attacks include malware, ransomware, and phishing. Recent studies highlight the increasing prevalence of attacks targeting container infrastructures. Adversaries often exploit misconfigured containers by locating them through public search engines and scanning tools.  
Thus, in this project, we have implemented an attack using the CVE-2019-5736 Docker vulnerability and identified a security mechanism to prevent it.  
## **Attack Implementation and Execution**  
We used the following setup to implement the attack and the security mechanism safely. The base machine runs Windows, with VMware Workstation hosting an Ubuntu 18.04 virtual machine. Docker 18.03.1-ce (runc 1.0.0-rc5) is installed inside the Ubuntu 18.04 guest.  

The "usr/docker/runc" binary is a sensitive internal executable that no third party should be able to modify. However, Docker version 18.03 has a vulnerability because of which it does not log modification of the "runc" file; as a result, an attacker can use this vulnerability to modify "usr/docker/runc" and gain root access to the Linux system.  

1) We create a backup of the "usr/docker/runc" file and record its hash, so that modification of the file can be confirmed after the attack is executed.
2) We add malicious scripts to the container setup; these modify the "usr/docker/runc" file once a typical user runs the malformed container.
3) We build the container.
4) The attacker starts a listener on their own device (in this case our Windows machine) on the port number configured in the malicious scripts (e.g. port 1234). Whenever the user runs that container, the attacker is connected to the user's machine with root access.
5) We run the malformed container.

As a result:  
- The attacker is connected to the user's machine with root privileges.
- The hash of the "usr/docker/runc" file after the attack no longer matches the hash of the backup, confirming that the attack succeeded.

## **Security Mechanism**  
The root cause of this vulnerability is that a malicious Docker image is able to alter the "/usr/docker/runc" file and embed hostile code in the executable.

To stop this attack we use the chattr command to set the immutable attribute on the "/usr/docker/runc" file. As a result, the exploit fails to run and there is no response on the attacker's side.  

The security mechanism we applied does stop the attack: it prevents the malicious code from exploiting the vulnerability through the specific Docker file we identified. We could not use the chmod command for this, because in this vulnerability the attacker is granted root access, and root is not restricted by file mode bits. Thus, chmod alone cannot prevent the attack.   
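The hash baseline from steps 1 and 5 and the chattr immutability mechanism above, combined into one host-side script. This is an added example, not the project's own code; the runc path defaults to the one the report names and should be taken from `docker info` on a real host (assumption), and the baseline location is an assumed path.

```shell
#!/bin/sh
# Added example (not the project's code): keep a hash baseline of the runc
# binary, verify it, and apply chattr +i. RUNC_PATH defaults to the path as
# the report names it; on a real host take it from `docker info` (assumption).
RUNC_PATH="${RUNC_PATH:-/usr/docker/runc}"
BASELINE="${BASELINE:-/var/lib/runc-baseline.sha256}"   # assumed location

# sha256_of FILE: print the SHA-256 hex digest of FILE (coreutils or shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_baseline FILE OUT: store FILE's digest in OUT (step 1 of the report)
record_baseline() {
    sha256_of "$1" > "$2"
}

# verify_baseline FILE OUT: exit 0 if FILE still matches the stored digest,
# 1 if it was modified (the report's post-attack hash comparison)
verify_baseline() {
    current=$(sha256_of "$1")
    expected=$(cat "$2")
    [ "$current" = "$expected" ]
}

# is_immutable FILE: exit 0 if the immutable flag ('i' in lsattr output) is set
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q 'i'
}

# harden FILE: set the immutable flag (needs root). chmod would not help here:
# the exploit runs as root and root ignores mode bits, but even root cannot
# write to, rename or delete an immutable file until the flag is cleared.
harden() {
    chattr +i "$1"
}

# Usage on the host, as root:  baseline (before deploying containers),
# harden, then check (e.g. from cron; a non-zero exit means tampering).
case "${1:-}" in
    baseline) record_baseline "$RUNC_PATH" "$BASELINE" ;;
    harden)   harden "$RUNC_PATH" ;;
    check)    verify_baseline "$RUNC_PATH" "$BASELINE" && is_immutable "$RUNC_PATH" ;;
esac
```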

## **Summary**  
In this project we chose to implement an attack that exploits the CVE-2019-5736 vulnerability, which has a HIGH CVSS score and gives an attacker remote access to the user's machine with root privileges. We successfully executed the attack and found a security mechanism to prevent it.  

Challenges:  
- Installation of older Docker version
- Modifying the available exploit code to run an attack


