PoC Exploit Code for recent container escape flaw in runc published online

Pierluigi Paganini February 18, 2019

The Proof-of-concept (PoC) exploit code for a recently discovered vulnerability in runc tracked as CVE-2019-5736 is now publicly available.

Last week, Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, disclosed a serious vulnerability tracked CVE-2019-5736 affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

The vulnerability was discovered by the security researchers Adam Iwaniuk and Borys Popławski.

Such kind of vulnerabilities could have a significant impact on an IT environment, its exploitation could potentially escape containment, impacting the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it

The flaw could affect popular cloud platforms, including AWS, Google Cloud, and several Linux distros.

The PoC exploit code for the container escape was published on GitHub, its execution requires root (uid 0) inside the container. 

“This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host systems runc binary from within the container. ” states the author of the code on Github.

“An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root,”

runc PoC code

The PoC code allows a malicious container to (with minimal user interaction) to overwrite the host runc binary and gain root-level code execution on the host.

The implementation ensures the system will no longer be able to run Docker containers.

you will overwrite your implementation of runc which will ensure your system will no longer be able to run Docker containers. Please backup either /usr/bin/docker-runc or /usr/bin/runc (depending on which you have; also check /usr/sbin).” contin

The expert pointed out that there is a second scenario for the exploitation of the flaw, it involves the use of a malicious Docker image that triggers the exploit, without requiring to exec into the container. 

Docker released the v18.09.2 version to address the issue, but according to the experts, thousands of Docker daemons exposed online are still vulnerable, most of them in the US and China.

Default configurations of Red Hat Enterprise Linux and Red Hat OpenShift are protected, Linux distros Debian and Ubuntu are working to address the issue. Both Google Cloud and AWS published security advisories to recommend customers to update containers on affected services.

VMware also confirmed that its products are impacted, and released patches to address the vulnerability in VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC). 

“VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host’s runc binary and execute arbitrary code,” reads the advisory published by VMware.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – runc, hacking)

[adrotate banner="5"]

[adrotate banner=”13″]



you might also like

leave a comment