runC container breakout (all versions)
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability either by persuading a user to create a new container using an attacker-controlled image or by using the docker exec command to attach into an existing container that the attacker already has write access to. A successful exploit could allow the attacker to overwrite the host's runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system. Open Container Initiative has confirmed the vulnerability and released software updates.
NVIDIA Container Runtime for Docker. Documentation: The full documentation and frequently asked questions are available on the repository wiki. An introduction to the NVIDIA Container Runtime is also covered in our blog post. Quickstart: Make sure you have installed the NVIDIA driver and a supported version of Docker for your distribution (see prerequisites). If you have a cus
DOCKER-2019-5736: Exploit code for CVE-2019-5736 (access.redhat.com/security/cve/cve-2019-5736). The container escape for Docker. The exploit overwrites and executes the host system's runc binary from the container. Tested on Ubuntu 16.04 and distro based Arch, Docker versions 18.06. go build main.go
CVE-2019-5736-PoC: PoC for CVE-2019-5736. Created with help from @singe, @_cablethief, and @feexd. Tested on Ubuntu 18.04 and Arch Linux, Docker versions 18.09.1-ce and 18.03.1-ce. What is it? This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host system's runc binary from within the container. How does th
Exploit for CVE-2019-5736. Usage: build image: cd CVE-2019-5376; gcc runc -o run -static; docker build -t testpoc; run: docker run -it --privileged --name testpoc_instance testpoc # open another terminal, and run docker exec: docker exec -it testpoc_instance bash
Usage: Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container. Notes: This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container. Tested only on Debian 9. No attempts were made to make it stable or reliable, it's only tested to
CVE Builds for legacy docker-runc: This repo provides a backport of patches for CVE-2019-5736 for older versions of runc that were packaged with Docker. Build and Releases: Refer to the releases section of this repo for the binaries. In order to build yourself, or build for different architectures, just run make and the binaries will end up in /dist. The binaries will be of the
RunC-CVE-2019-5736: Two POCs for CVE-2019-5736. See www.twistlock.com/labs for an explanation of CVE-2019-5736 and the two POCs. Running the POCs: Note that running the POCs will overwrite the runC binary on the host. It is highly recommended that you create a copy of your runC binary (normally at /usr/sbin/runc) before running one of the POCs. Clone the repository: $ git clone ht
VM-Hacking: study and hack VM. Online source browsing for some projects (woboq): 1241675161:722/ Reference: CVEs; Source (linux, arm, x86); Reference (qemu development, linux kernel study with git, awesome-virtualization). CVEs: CVE-2019-5736: blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html; CVE-2015-5165 (Information Leakage): dangokyo.me/2018/03/
CVE-MyLife: CVE in My Life!
runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code execution, container escape and access to the host filesystem.
Discovered by researchers Adam Iwaniuk and Borys Popławski, the vulnerability (CVE-2019-5736) “allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,”...
'Doomsday scenario' unless devops crowd walks this way
Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for c...