Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-21626 PoC — runc 安全漏洞

Source
https://github.com/dorser/cve-2024-21626
Associated Vulnerability
Title:runc 安全漏洞 (CVE-2024-21626)
Description:runc是一款用于根据OCI规范生成和运行容器的CLI(命令行界面)工具。 runc 1.1.12之前版本存在安全漏洞,该漏洞源于fds 内部泄漏,导致多个容器发生泄漏。
Readme
# CVE-2024-21626 

## Overview
This repository contains code examples for an app vulnerable to CVE-2024-21626 as well as an eBPF gadget to detect exploitation attempts. 

This repoistory was created as part of this [blog post]().

**The gadget program used to detect this vulnerability is for demonstration purposes only. It is not a full detection of CVE-2024-21626.**

## Vulnerability Description
CVE-2024-21626 is a vulnerability in the runc container runtime, present in versions prior to v1.1.12. It relies on the fact that runc doesn't close a "leaked" file descriptor in a timely manner when creating or executing commands inside the container, causing the container to inherit that file descriptor and gain access to the host filesystem.

There are several ways to exploit this vulnerability. This repository how this vulnerability can be exploited at runtime.

You can read more about it [here](https://github.com/advisories/GHSA-xr7r-f8xq-vfvv).


## Usage
For this demo to work, you'll need to make sure your machine is running a runc verion <= 1.1.11.

`leaky-app` is a Go app that creates a symlink to the potentially leaked file descriptor. To build the docker image:
```
make leaky-app
```

In order to build the eBPF gadget, you'll need to [`ig`] tool.
You can build the gadget using:
```
make gadget
````

Once both are built, run the gadget using:
```
IG_EXPERIMENTAL=true sudo -E ig run trace-symlink:latest
```

Open another shell and start the leaky-app container:
```
docker run --rm --name leaky-app leaky-app
```

You should see the gadget outputs the container that called the symlink syscall.

## Disclaimer
This repository contains a demonstration application designed to showcase the detection CVE-2024-21626. 
It is important to note that this demonstration is solely for educational purposes and should not be considered as a practical detection tool. 
The detection mechanisms implemented in this demo do not cover all scenarios or accurately represent the complexities of detecting this vulnerability.
File Snapshot

 [4.0K]  /data/pocs/1b9beae7ce67fd5b5bb58bf0287a632057308aae
├── [4.0K]  gadget
│   └── [ 890]  program.bpf.c
├── [4.0K]  leaky-app
│   ├── [ 528]  Dockerfile
│   ├── [  51]  go.mod
│   └── [ 350]  main.go
├── [ 18K]  LICENSE
├── [ 180]  Makefile
└── [2.0K]  README.md

2 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.