CVSSv2: 9.3

CVE-2019-5736

Published: 11/02/2019 Updated: 24/05/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.6 | Impact Score: 6 | Exploitability Score: 1.8
VMScore: 950
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

runc up to and including 1.0-rc6, as used in Docker prior to 18.09.2 and other products, allows malicious users to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Affected Products

Vendor | Product | Versions
Apache | Mesos | 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 1.7.0
Docker | Docker | 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10., 0.11., 0.12., 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.0, 1.13.1
Google | Kubernetes Engine | -
Hp | Onesphere | -
Linuxcontainers | Lxc | -
Netapp | Element Software Management | -
Opencontainers | Runc | 1.0
Redhat | Openshift | 3.4, 3.5, 3.6, 3.7, 3.9
Redhat | Enterprise Linux | 7.0
Redhat | Enterprise Linux Server | 7.0
Fedoraproject | Fedora | 29, 30
Opensuse | Leap | 15.0, 42.3

Vendor Advisories

Synopsis: Important: docker security update. Type/Severity: Security Advisory: Important. Topic: An update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base s ...
Synopsis: Important: container-tools:rhel8 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Important: runc security update. Type/Severity: Security Advisory: Important. Topic: An update for runc is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score ...
Synopsis: Important: Container Development Kit 3.7.0-1 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat Container Development Kit 3.7.0-1 update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Synopsis: Important: OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7. Red Hat Product Security has rated this update as having a security impact of Im ...
A vulnerability was discovered in runc, which is used by Docker to run containers. runc did not prevent container processes from modifying the runc binary via /proc/self/exe. A malicious container could replace the runc binary, resulting in container escape and privilege escalation. This was fixed by creating a per-container copy of runc (CVE-2019- ...
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system ...
Arch Linux Security Advisory ASA-201902-6. Severity: High. Date: 2019-02-11. CVE-ID: CVE-2019-5736. Package: runc. Type: privilege escalation. Remote: Yes. Link: security.archlinux.org/AVG-878. Summary: The package runc before version 1.0.0rc6-1 is vulnerable to privilege escalati ...
Arch Linux Security Advisory ASA-201902-20. Severity: High. Date: 2019-02-17. CVE-ID: CVE-2019-5736. Package: flatpak. Type: privilege escalation. Remote: Yes. Link: security.archlinux.org/AVG-880. Summary: The package flatpak before version 1.2.3-1 is vulnerable to privilege esc ...
VMware Integrated OpenStack with Kubernetes (VIO-K): VMware product updates resolve a mishandled file descriptor vulnerability in the runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the ...
A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability eithe ...
A vulnerability discovered in runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, ...
IBM Cloud Kubernetes Service is affected by a security vulnerability in runc which could allow an attacker that is authorized to run a process as root inside a container to execute arbitrary commands with root privileges on the container's host system ...
PowerKVM is affected by a vulnerability in Docker. IBM has now addressed this vulnerability ...
IBM Cloud Private is affected by an issue with runc used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host ...

Exploits

CVE-2019-5736: This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run `make.sh`. However, you could just as easily create a bad image and run that: % docker run --rm --name pwnme -dit ubuntu:18.10 bash pwnme % docker cp ...
Usage: Edit HOST inside `payload.c`, compile with `make`. Start `nc` and run `pwn.sh` inside the container. Notes: This exploit is destructive: it'll overwrite the `/usr/bin/docker-runc` binary *on the host* with the payload. It'll also overwrite `/bin/sh` inside the container. Tested only on Debian 9. No attempts were made to make it stable o ...

Mailing Lists

On 2019-02-13, Loganaden Velvindron <loganaden () gmail com> wrote: Yes, there is a PoC that someone outside of the embargo posted on GitHub (it is quite different to the one we have but it is using a related issue which our patch also fixed). At this point I might as well post the actual exploit code (given that the original vulnerability ...
Someone outside of the embargo has posted a PoC of the exploit for CVE-2019-5736 (which is related though not using the same vector) [1]. Since the original researchers have posted a blog post explaining the exploit in some detail [2], I've decided to post the exploit code early -- since the cat is out of the bag anyway. CVE-2019-5736.tar.xz has the ...
On Tue, Feb 12, 2019 at 12:05:20AM +1100, Aleksa Sarai wrote: [...] While runc, LXC, and maybe other projects fix CVE-2019-5736 in userspace, Virtuozzo/OpenVZ 7 has just released a kernel fix instead - please see the forwarded message below. Following links from there, I found the following description of the issue in context of Virtuozzo and ...
Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: Apache Mesos 1.4.0 to 1.7.0. The unsupported Apache Mesos pre-1.4.0 releases may be also affected. Description: A specifically crafted Docker image running under the root user can overwrite the init helper binary of the Mesos container runtime and/or the Mesos command e ...
Hello, there is a container breakout currently discussed (CVE-2019-5736), which affected LXC among others. Let me share two more, IMHO easier, breakout techniques that work against LXC, at least in Ubuntu 18.10, which has LXC 3.0.3. Both techniques work only in privileged containers, and so, given that LXC upstream does not treat privileged contai ...

Github Repositories

CVE-2019-5736-PoC: PoC for CVE-2019-5736. Created with help from @singe, @_cablethief, and @feexd. Tested on Ubuntu 18.04, Debian 9, and Arch Linux, Docker versions 18.09.1-ce and 18.03.1-ce. This PoC does not currently work with Ubuntu 16.04 and CentOS. Go checkout the exploit code from Dragon Sector (the people who discovered the vulnerability) here. What is it? This is a Go imp

NVIDIA Container Runtime for Docker. Documentation: The full documentation and frequently asked questions are available on the repository wiki. An introduction to the NVIDIA Container Runtime is also covered in our blog post. Quickstart: Make sure you have installed the NVIDIA driver and a supported version of Docker for your distribution (see prerequisites). If you have a cus

Docker-Runc-Exploit: Docker runc CVE-2019-5736 exploit Dockerfile. Credits: github.com/Frichetten/CVE-2019-5736-PoC.git

CVE-2019-5736-PoC: nvd.nist.gov/vuln/detail/CVE-2019-5736. PoC of CVE-2019-5736.

Overview: The exploit from the following repository, adapted to run inside a Docker image. github.com/feexd/pocs. Usage: Building the image: $ git clone github.com/k-onishi/CVE-2019-5736-PoC $ cd CVE-2019-5736-PoC $ make $ sudo docker build -t poc . Running: run the container and listen on a port on the host side. # ter

DOCKER-2019-5736: Exploit code for CVE-2019-5736 (access.redhat.com/security/cve/cve-2019-5736). The container escape for Docker: the exploit overwrites and executes the host system's runc binary from a container. Tested on Ubuntu 16.04 and an Arch-based distro, Docker version 18.06. go build main.go

Usage: Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container. Notes: This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container. Tested only on Debian 9. No attempts were made to make it stable or reliable, it's only tested to work wh

RunC-CVE-2019-5736: Two POCs for CVE-2019-5736. See Twistlock Labs for an explanation of CVE-2019-5736 and the POCs. The malicious image POC is heavily based on q3k's POC, so all credit goes to him. Running the POCs: Note that running the POCs will overwrite the runC binary on the host. It is highly recommended that you create a copy of your runC binary (normally at /usr/sbi

Exploit for CVE-2019-5736. Version 1 (inspired by the original idea from DragonSector): use a malicious .so (which is used by runc) with a malicious entry point (like #!/proc/self/exe) to hijack the execution of runc, and then open '/proc/self/exe' to hold the file descriptor. Then 'fork-exec' to run another process, and the child process will inherit the file descriptor. F

cve-2019-5736-exp: This is a proof-of-concept (PoC) exploit for the CVE-2019-5736 vulnerability in runc, the runtime used in Docker. Disclaimer: I undertook this project as an exercise, for educational reasons and for fun. It should go without saying that I do not support unethical and/or illegal misuse of this code. Description: The vulnerability was discovered by Adam Iwaniuk an

CVE-2019-5736: This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run make.sh. However, you could just as easily create a bad image and run that: % docker run --rm --name pwnme -dit ubuntu:18.10 bash pwnme % docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar We need

To run: (1) edit the poc command in stage2.c; (2) build docker: docker build -t cve .; (3) run docker: docker run -d cve /bin/bash -c "tail -f /dev/null"; (4) back up docker-runc: cp /usr/bin/docker-runc /usr/bin/docker-runc.bak; (5) docker exec -it docker-id /bin/bash; (6) in docker run cd /root && /run.sh && exit; (7) docker exec -it doc

CVE

CVE Builds for legacy docker-runc: This repo provides a backport of patches for CVE-2019-5736 for older versions of runc that were packaged with Docker. Build and Releases: Refer to the releases section of this repo for the binaries. In order to build yourself, or build for different architectures, just run make and the binaries will end up in /dist. The binaries will be of the

$50 million CTF Writeup Summary For a brief overview of the challenge you can take a look at the following image: Below I will detail each step that I took to solve the CTF, moreover all the bad assumptions that led me to a dead end in some cases Twitter The CTF begins with this tweet: What is this binary? My first thought was try to decode the binary on image’s backg

venom: A quick way to manage various payloads and listeners. Summary: venom.py is a tool that helps you manage payloads and listeners.

dockerevil A simple repository to store my security flaws in the docker technology Docker API Privilege Escalation Escalate from Offline Server/Minimal Images/Build from TAR Dockerfile Docker SUDO Privilege Escalation (PoC) Nmap Scripts Other awesome security flaws found in the docker: How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persisten

Kaosagnt's Ansible Everyday Utils: This project contains many of the Ansible playbooks that I use daily as a Systems Administrator in the pursuit of easy server task automation. Installation: You will need to set up and install Ansible like you normally would before using what is presented here. Hint: it uses ansible, www.ansible.com. Optional: Create an ansible-everyd

CVE-MyLife: CVE in My Life! A little adventure in the world! List CVE: CVE-2016-2098: Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-3345: The SMBv1 server in Microsoft Windows Vista SP2, Windows

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Major Container Security Flaw Threatens Cascading Attacks
Threatpost • Tara Seals • 12 Feb 2019

runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code-execution, container escape and access to the host filesystem.
Discovered by researchers Adam Iwaniuk and Borys Popławski, the vulnerability (CVE-2019-5736) “allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,”...

Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is
The Register • Thomas Claburn in San Francisco • 11 Feb 2019

'Doomsday scenario' unless devops crowd walks this way

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for c...

References

CWE-216
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html
http://www.openwall.com/lists/oss-security/2019/03/23/1
http://www.securityfocus.com/bid/106976
https://access.redhat.com/errata/RHSA-2019:0303
https://access.redhat.com/errata/RHSA-2019:0304
https://access.redhat.com/errata/RHSA-2019:0401
https://access.redhat.com/errata/RHSA-2019:0408
https://access.redhat.com/errata/RHSA-2019:0975
https://access.redhat.com/security/cve/cve-2019-5736
https://access.redhat.com/security/vulnerabilities/runcescape
https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/
https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
https://brauner.github.io/2019/02/12/privileged-containers.html
https://bugzilla.suse.com/show_bug.cgi?id=1121967
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc
https://github.com/docker/docker-ce/releases/tag/v18.09.2
https://github.com/Frichetten/CVE-2019-5736-PoC
https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
https://github.com/q3k/cve-2019-5736-poc
https://github.com/rancher/runc-cve
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706@%3Cuser.mesos.apache.org%3E
https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46@%3Cdev.dlab.apache.org%3E
https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e@%3Cdev.dlab.apache.org%3E
https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/
https://security.netapp.com/advisory/ntap-20190307-0008/
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
https://www.exploit-db.com/exploits/46359/
https://www.exploit-db.com/exploits/46369/
https://www.openwall.com/lists/oss-security/2019/02/11/2
https://www.synology.com/security/advisory/Synology_SA_19_06
https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
https://www.rapid7.com/db/vulnerabilities/docker-cve-2019-5736
https://nvd.nist.gov
https://threatpost.com/container-security-flaw-runc/141737/
https://seclists.org/oss-sec/2019/q1/119
https://tools.cisco.com/security/center/viewAlert.x?alertId=59636