# CVE-2019-5736-Custom-Sandbox
## General
CVE-2019-5736 implemented using a shallow, self-written container runtime to understand the exploit.
The exploit is based on (and almost entirely copied from) the runC PoC by Twistlock: https://github.com/twistlock/RunC-CVE-2019-5736/tree/master/malicious_image_POC
## Container Runtime (quarantine)
See code docs for further details.
```sh
Usage: quarantine [OPTIONS] [BINARY and its ARGS]
--rootfs: (mandatory) Specify a rootfs for the container.
--urange: Specify a urange start_host:end_host,start_guest.
--grange: Specify a grange start_host:end_host,start_guest.
--uid: Specify the desired UID in the container.
--gid: Specify the desired GID in the container.
--supp: Append supplementary groups from the specified grange to the process running in the container.
```
`quarantine` unshares all namespaces except the user namespace. The user namespace is unshared only under specific circumstances, i.e. when `--urange`, `--grange`, `--uid` and/or `--gid` are specified.
## Setup for the exploit
This was tested and done on Ubuntu 18.04.
1. Get a rootfs (bionic for example)
- `mkdir rootfs`
- `sudo debootstrap bionic ./rootfs`
2. Get libcap source
- `git clone https://github.com/mhiramat/libcap`
3. Modify libcap
- `cat exploit_code_for_shared_lib.c >> <any cap*.c; I used cap_alloc.c>`
- `make`
4. chroot into the rootfs and install libcap-dev so you can simply link to the modified `libcap.so`
- `sudo chroot rootfs`
- `apt install libcap-dev`
5. Copy the created `libcap.so.2.25` file into the appropriate rootfs dir
- `sudo cp libcap.so.2.25 rootfs/lib/x86_64-linux-gnu`
- *Note*: In my case a symlink pointing at exactly this libcap version already existed, so I did not have to create it.
- *Note*: This path might differ; always check where the compiled `quarantine` binary expects libcap to be: `ldd quarantine`
6. Compile and copy the other files into the rootfs
- `sudo cp shebang_exploit rootfs/`
- `sudo gcc -o rootfs/root/payload payload.c`
- `sudo gcc -o rootfs/overwrite_sndbx_runtime overwrite_sndbx_runtime.c`
## Run exploit
For example: `sudo ./quarantine --rootfs rootfs /shebang_exploit` or `./quarantine --rootfs rootfs --uid 1 /shebang_exploit`.
The overwrite succeeds as long as the runtime process either keeps `CAP_DAC_OVERRIDE` or `CAP_SYS_ADMIN` in the host user namespace, i.e. does not unshare the user namespace when run with sudo (unsharing drops those capabilities with respect to the parent namespace), or owns the runtime binary on the host.
```
[4.0K] /data/pocs/434a1a14ecb069740169188733444e275130e556
├── [ 924] exploit_code_for_shared_lib.c
├── [2.9K] overwrite_sndbx_runtime.c
├── [ 17K] quarantine.cpp
└── [2.4K] README.md
0 directories, 4 files
```