9.3 HIGH

CVE-2019-5736

Published: 11/02/2019 Updated: 19/02/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.6 | Impact Score: 6 | Exploitability Score: 1.8

Vulnerability Summary

runC container breakout (all versions)

The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability either by persuading a user to create a new container using an attacker-controlled image or by using the docker exec command to attach into an existing container that the attacker already has write access to. A successful exploit could allow the attacker to overwrite the host's runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system. Open Container Initiative has confirmed the vulnerability and released software updates.

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vendor Advisories

Synopsis Important: docker security update Type/Severity Security Advisory: Important Topic An update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base s ...
Synopsis Important: runc security update Type/Severity Security Advisory: Important Topic An update for runc is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score ...
A vulnerability was discovered in runc, which is used by Docker to run containers. runc did not prevent container processes from modifying the runc binary via /proc/self/exe. A malicious container could replace the runc binary, resulting in container escape and privilege escalation. This was fixed by creating a per-container copy of runc (CVE-2019- ...
Arch Linux Security Advisory ASA-201902-6 ========================================= Severity: High Date : 2019-02-11 CVE-ID : CVE-2019-5736 Package : runc Type : privilege escalation Remote : Yes Link : security.archlinux.org/AVG-878 Summary ======= The package runc before version 1.0.0rc6-1 is vulnerable to privilege escalati ...
Arch Linux Security Advisory ASA-201902-20 ========================================== Severity: High Date : 2019-02-17 CVE-ID : CVE-2019-5736 Package : flatpak Type : privilege escalation Remote : Yes Link : security.archlinux.org/AVG-880 Summary ======= The package flatpak before version 1.2.3-1 is vulnerable to privilege esc ...
A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability eithe ...
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system ...
A vulnerability discovered in runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, ...
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the attacker to have existing permission to deploy contai ...

Exploits

## CVE-2019-5736 ## This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run `make.sh`. However, you could just as easily create a bad image and run that. ```console % docker run --rm --name pwnme -dit ubuntu:18.10 bash pwnme % docker cp ...
# Usage Edit HOST inside `payload.c`, compile with `make`. Start `nc` and run `pwn.sh` inside the container. # Notes - This exploit is destructive: it'll overwrite the `/usr/bin/docker-runc` binary *on the host* with the payload. It'll also overwrite `/bin/sh` inside the container. - Tested only on Debian 9. - No attempts were made to make it stable o ...

Github Repositories

NVIDIA Container Runtime for Docker Documentation The full documentation and frequently asked questions are available on the repository wiki. An introduction to the NVIDIA Container Runtime is also covered in our blog post. Quickstart Make sure you have installed the NVIDIA driver and a supported version of Docker for your distribution (see prerequisites). If you have a cus

DOCKER-2019-5736 Exploit code for CVE-2019-5736 access.redhat.com/security/cve/cve-2019-5736 The container escape for Docker. The exploit overwrites and executes the host system's runc binary from the container. Tested on Ubuntu 16.04 and an Arch-based distro, Docker version 18.06. go build main.go

CVE-2019-5736-PoC PoC for CVE-2019-5736 Created with help from @singe, @_cablethief, and @feexd. Tested on Ubuntu 18.04 and Arch Linux, Docker versions 18.09.1-ce and 18.03.1-ce. What is it? This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host system's runc binary from within the container. How does th

Exploit for CVE-2019-5736 Usage: build image cd CVE-2019-5376 gcc run.c -o run -static docker build -t testpoc run docker run -it --privileged --name testpoc_instance testpoc # open another terminal, and run docker exec docker exec -it testpoc_instance bash

Usage Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container. Notes This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container. Tested only on Debian 9. No attempts were made to make it stable or reliable, it's only tested to

CVE Builds for legacy docker-runc This repo provides a backport of patches for CVE-2019-5736 for older versions of runc that were packaged with Docker. Build and Releases Refer to the releases section of this repo for the binaries. In order to build yourself, or build for different architectures, just run make and the binaries will end up in /dist. The binaries will be of the

RunC-CVE-2019-5736 Two POCs for CVE-2019-5736 See www.twistlock.com/labs for an explanation of CVE-2019-5736 and the two POCs. Running the POCs Note that running the POCs will overwrite the runC binary on the host. It is highly recommended that you create a copy of your runC binary (normally at /usr/sbin/runc) before running one of the POCs. Clone the repository: $ git clone ht

YuvalAvra-RunC-CVE-2019-5736-

RunC-CVE-2019-5736 Two POCs for CVE-2019-5736 www.twistlock.com/labs

VM-Hacking study and hack VM Online source reading for some projects (woboq): 1241675161:722/ Reference CVEs Source linux arm x86 Reference qemu development linux kernel study with git awesome-virtualization CVEs CVE-2019-5736: blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html CVE-2015-5165 (Information Leakage): dangokyo.me/2018/03/

CVE-MyLife CVE in My Life!

Recent Articles

Major Container Security Flaw Threatens Cascading Attacks
Threatpost • Tara Seals • 12 Feb 2019

runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code-execution, container escape and access to the host filesystem.
Discovered by researchers Adam Iwaniuk and Borys Popławski, the vulnerability (CVE-2019-5736) “allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,”...

Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is
The Register • Thomas Claburn in San Francisco • 11 Feb 2019

'Doomsday scenario' unless devops crowd walks this way

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for c...