runc up to and including 1.0-rc6, as used in Docker prior to 18.09.2 and other products, allows malicious users to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
| Vendor | Product | Affected versions |
|---|---|---|
| Docker | Docker | 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10., 0.11., 0.12., 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.0, 1.13.1 |
| Redhat | Openshift | 3.4, 3.5, 3.6, 3.7, 3.9 |
| Redhat | Enterprise Linux Server | 7.0 |
NVIDIA Container Runtime for Docker Documentation. The full documentation and frequently asked questions are available on the repository wiki. An introduction to the NVIDIA Container Runtime is also covered in our blog post. Quickstart: Make sure you have installed the NVIDIA driver and a supported version of Docker for your distribution (see prerequisites). If you have a cus
CVE-2019-5736-PoC nvd.nist.gov/vuln/detail/CVE-2019-5736 PoC of CVE-2019-5736
CVE-2019-5736-PoC PoC for CVE-2019-5736. Created with help from @singe, @_cablethief, and @feexd. Tested on Ubuntu 18.04 and Arch Linux, Docker versions 18.09.1-ce and 18.03.1-ce. What is it? This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host system's runc binary from within the container. How does th
DOCKER-2019-5736 Exploit code for CVE-2019-5736. access.redhat.com/security/cve/cve-2019-5736. The container escape for Docker. The exploit overwrites and executes the host system's runc binary from within the container. Tested on Ubuntu 16.04 and an Arch-based distro, Docker version 18.06. go build main.go
Exploit for CVE-2019-5736, Version 1 (inspired by an original idea from DragonSector): use a malicious .so (which is used by runc) with a malicious entry point (like #!/proc/self/exe) to hijack the execution of runc, and then open '/proc/self/exe' to hold the file descriptor. Then 'fork-exec' to run another process, and the child process will inherit the file descriptor. F
RunC-CVE-2019-5736 Two POCs for CVE-2019-5736 www.twistlock.com/labs
RunC-CVE-2019-5736 Two POCs for CVE-2019-5736. See www.twistlock.com/labs for an explanation of CVE-2019-5736 and the two POCs. Running the POCs: Note that running the POCs will overwrite the runC binary on the host. It is highly recommended that you create a copy of your runC binary (normally at /usr/sbin/runc) before running one of the POCs. Clone the repository: $ git clone ht
CVE Builds for legacy docker-runc. This repo provides a backport of patches for CVE-2019-5736 for older versions of runc that were packaged with Docker. Build and Releases: Refer to the releases section of this repo for the binaries. In order to build yourself, or build for different architectures, just run make and the binaries will end up in /dist. The binaries will be of the
CVE-2019-5736 This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run make.sh. However, you could just as easily create a bad image and run that. % docker run --rm --name pwnme -dit ubuntu:18.10 bash pwnme % docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar We need
Usage: Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container. Notes: This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container. Tested only on Debian 9. No attempts were made to make it stable or reliable, it's only tested to work wh
dockerevil A simple repository to store my security flaws in the docker technology. Docker API Privilege Escalation. Escalate from Offline Server/Minimal Images/Build from TAR Dockerfile. Docker SUDO Privilege Escalation (PoC). Nmap Scripts. Other awesome security flaws found in docker: How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persisten
Kaosagnt's Ansible Everyday Utils. This project contains many of the Ansible playbooks that I use daily as a Systems Administrator in the pursuit of easy server task automation. Installation: You will need to set up and install Ansible like you normally would before using what is presented here. Hint: it uses ansible, www.ansible.com. Optional: Create an ansible-everyd
CVE-MyLife CVE in My Life! A little adventure in the world! List CVE: CVE-2016-2098: Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-3345: The SMBv1 server in Microsoft Windows Vista SP2, Windows
Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection of Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :
runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code-execution, container escape and access to the host filesystem.
Discovered by researchers Adam Iwaniuk and Borys Popławski, the vulnerability (CVE-2019-5736) “allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,”...
'Doomsday scenario' unless devops crowd walks this way
Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for c...