Docker Container Escape via runC overwrite with RCE as root (CVE-2019-5736) #15107
Conversation
If there isn't a work around for this, is this an exploit we want Metasploit to ship with? 👀
For context, I believe we passed on shipping the DirtyCow privilege escalation module (CVE-2016-5195) for the same reason here - #7476 With reference to bcole's comment in particular 😄
If the corrupted
(force-pushed from ddf66e3 to ea33059)
It is ready for review now. I've made some improvements and added logic to clean up and restore the
documentation/modules/exploit/linux/local/docker_runc_escape.md (review comments, resolved)
Thanks for the review @smcintyre-r7! I fixed the documentation typos and renamed
- add binaries
- add documentation
- backup `runc` binary in the exploit C file
- add `MeterpreterBackground` options to set Mettle `background` option
- add `WsfDelay` logic
- refactor code
- add cleanup logic
- add restore `runc` binary logic

- Fix documentation typos
- Rename `MeterpreterBackground` Mettle option to `MeterpreterTryToFork`

- Remove `MeterpreterTryToFork` option logic
- Add `Prepend` code directly under `Payload` info
- Rebase to use the updated `PrependFork`
- Add logic to verify that shells specified in the options really exist on the remote host
(force-pushed from 6d01334 to daa5b32)
Everything appears to be working as intended now.

I'll have this merged in here in a minute. Thanks @cdelafuente-r7!
Release Notes

This adds an exploit for CVE-2019-5736, which is a flaw in Docker that can be leveraged by an attacker to overwrite the
This module leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the `runc` binary with the payload and waits for someone to use `docker exec` to get into the container. This will trigger the payload execution. Note that a valid session as the root user inside the container is needed.

WARNING: Executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container (see Side Effects section).

`runc` has been fixed in version `1.0-rc7` and included in Docker version `18.09.2`.

This module has been successfully tested on Ubuntu 18.04.5 x64 and Fedora 28 x64. However, it doesn't seem to work on CentOS 7 x64. Also, it looks like the exploit is more reliable on Fedora than Ubuntu.
Installation

- Ubuntu 18.04.5 x64 with Docker version 18.03.1
- Fedora 28 x64 with Docker version 18.03.1
Side Effects

`runc`

The host `runc` binary will be overwritten during exploitation. The module takes care of making a backup before the overwrite and restores it when the new session is established. However, it might not work as expected and something could go wrong during the exploitation, which might avoid the session being created. In this case, `runc` won't be restored and the host will no longer be able to run Docker containers. This process will need to be done manually somehow by following the instructions displayed during the module execution.

`shell`

The shell binary inside the container (set by the `OVERWRITE` option) will also be overwritten. However, the module makes a backup prior to the overwrite and restores it automatically. This process is relatively safe, but something can still go wrong along the way. Again, this will need to be done manually, using the information displayed during the module execution.

Verification Steps
1. `use linux/local/docker_runc_escape`
2. `set LHOST <ip>`
3. `set LPORT <port>`
4. `set session <session nb>`
5. `run`
6. `docker exec -ti <container_id> /bin/sh`
7. `WRITABLEDIR` on the host is empty (cleanup successful)
8. `docker-runc` has been restored by running `docker-runc --version`
Scenarios

- Docker version 18.03.1-ce (build 9ee9f40) on Ubuntu 18.04.5 LTS
- Docker version 18.03.1-ce (build 9ee9f40) on Fedora 28 x64
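The description above gives a defender two concrete facts: runc is fixed from `1.0-rc7` and Docker from `18.09.2`, and the host `runc` binary is the artifact that gets overwritten. The script below is an added example written for this thread; it is not code from the Metasploit PR or from the module. It turns those facts into two checks a host owner can run: a version comparison that handles the `-rcN` and `-ce` suffixes seen on the page, and a SHA-256 comparison of the on-disk `runc` against a baseline hash recorded while the host was known-good (stricter than the `docker-runc --version` check in the verification steps, because a binary that still runs can still have been replaced). All function names, the sample version strings, and the baseline-hash approach are assumptions of this example, not part of the module.

```shell
#!/bin/sh
# Added example, not part of the Metasploit PR or module: defender-side checks
# for CVE-2019-5736 built on the fixed versions stated in the thread.

RUNC_FIXED="1.0-rc7"      # first fixed runc release named on the page
DOCKER_FIXED="18.09.2"    # first Docker release shipping it, per the page

# Drop leading zeros ("09" -> "9") so numeric tests never see octal-looking input.
strip0() {
    n=${1:-0}
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    printf '%s\n' "$n"
}

# Print "major minor patch rc" for strings such as "18.03.1-ce", "1.0-rc6"
# or "v1.0.0-rc92+dev". A final release (no -rcN suffix) gets rc=9999 so
# that 1.0.0 sorts after every 1.0.0-rcN.
version_fields() {
    _v=${1#v}
    case "$_v" in
        *-rc*) rc=${_v#*-rc}; rc=${rc%%[!0-9]*}; base=${_v%%-*} ;;
        *)     rc=9999;       base=${_v%%[-+]*} ;;   # "-ce" / "+build" carry no ordering
    esac
    major=${base%%.*}
    t1=${base#*.}; [ "$t1" = "$base" ] && t1=0
    minor=${t1%%.*}
    t2=${t1#*.};   [ "$t2" = "$t1" ] && t2=0
    patch=${t2%%.*}
    printf '%s %s %s %s\n' "$(strip0 "$major")" "$(strip0 "$minor")" \
                           "$(strip0 "$patch")" "$(strip0 "$rc")"
}

# Return 0 when version $1 is at least version $2 (field-by-field compare).
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    if   [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]
    elif [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]
    elif [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]
    else                         [ "$4" -ge "$8" ]
    fi
}

runc_is_fixed()   { version_ge "$1" "$RUNC_FIXED"; }
docker_is_fixed() { version_ge "$1" "$DOCKER_FIXED"; }

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the runc binary at $1 still hashes to the baseline $2 that was
# recorded while the host was known-good (hypothetical procedure, not the module's).
runc_matches_baseline() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Constructed sample inputs: the Docker build listed in the thread's scenarios,
# the first fixed releases, and a later release of each.
for ver in "1.0-rc6" "1.0-rc7" "1.0.0-rc92"; do
    if runc_is_fixed "$ver"; then echo "runc $ver: fixed"
    else echo "runc $ver: predates the CVE-2019-5736 fix"; fi
done
for ver in "18.03.1-ce" "18.09.2" "20.10.7"; do
    if docker_is_fixed "$ver"; then echo "docker $ver: fixed"
    else echo "docker $ver: predates the CVE-2019-5736 fix"; fi
done

# On a real host the inputs come from the running tools (not executed here so
# the example stays offline):
#   runc_is_fixed   "$(docker-runc --version | awk '/runc version/ {print $3}')"
#   docker_is_fixed "$(docker version --format '{{.Server.Version}}')"
#   runc_matches_baseline /usr/bin/docker-runc "<baseline sha256 from your records>"
```

The two comparisons are deliberately independent: a host can run a patched Docker engine yet still expose an old `runc` if the package was pinned, and a hash mismatch on `runc` after an incident is worth investigating even when `docker-runc --version` reports a fixed version.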