Proof-of-Concept for Container Escape Vulnerability unleashed
- Tracked as CVE-2019-5736, the vulnerability can be exploited with minimal user interaction.
- Those willing to give it a try should ensure to take a backup of /usr/bin/docker-runc or /usr/bin/runc.
A Proof-of-Concept (PoC) for a recently discovered container escape vulnerability impacting popular cloud platforms, including AWS and Google Cloud, and numerous Linux distributions has been disclosed publicly on GitHub. The flaw, discovered last month, affects runC, the portable low-level container runtime that sits beneath most container engines and orchestrators, including Docker, containerd, CRI-O, Kubernetes and Podman.
Tracked as CVE-2019-5736, the vulnerability can be exploited with minimal user interaction. In its technical analysis report, researchers noted that an attacker needs root (uid 0) inside the container to exploit the flaw.
“This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host system's runc binary from within the container,” the code’s author explained.
How to execute?
Those willing to give it a try should ensure to take a backup of /usr/bin/docker-runc or /usr/bin/runc, since a successful run overwrites that host binary.
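The backup advice above is the one piece of operational hygiene the article leaves to the reader. The following shell functions are an added example, not code from the article or from the PoC repository: they copy the host runc binary and record its SHA-256 digest before a test, check afterwards whether the binary has been replaced (which is exactly what this exploit does), and restore the copy. The candidate paths /usr/bin/docker-runc and /usr/bin/runc come from the article; the backup directory and the use of sha256sum (with shasum as a fallback) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the PoC repo): back up the host runc
# binary before testing CVE-2019-5736 and verify afterwards that it is intact.
# All paths are passed as arguments so the functions can be exercised on any file.

# Print the SHA-256 digest of file $1. Assumes sha256sum (coreutils) or shasum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Locate the runc binary used by the host Docker daemon: docker-runc on older
# Docker packages, runc on newer ones (both paths are named in the article).
# Prints the first existing path; returns 1 if neither is present.
find_runc() {
    for p in /usr/bin/docker-runc /usr/bin/runc; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Copy the binary at $1 into directory $2 and record its digest alongside it.
backup_runc() {
    bin="$1"; dir="$2"
    mkdir -p "$dir"
    cp -p "$bin" "$dir/$(basename "$bin").bak"
    digest "$bin" > "$dir/$(basename "$bin").sha256"
}

# Compare the current digest of $1 with the one recorded in $2.
# Returns 0 when unchanged, 1 when the binary differs (e.g. it was overwritten
# by the exploit). A differing digest on a host that was not deliberately
# updated is a strong indicator that the PoC, or a real attacker, fired.
verify_runc() {
    bin="$1"; dir="$2"
    recorded=$(cat "$dir/$(basename "$bin").sha256")
    current=$(digest "$bin")
    [ "$recorded" = "$current" ]
}

# Put the backed-up copy back in place. Stop the Docker daemon first: copying
# over a binary that is currently executing fails with "text file busy".
restore_runc() {
    bin="$1"; dir="$2"
    cp -p "$dir/$(basename "$bin").bak" "$bin"
}

# Typical use on a test host (assumed backup directory):
#   bin=$(find_runc) && backup_runc "$bin" /root/runc-backup
#   ... run the PoC ...
#   verify_runc "$bin" /root/runc-backup || restore_runc "$bin" /root/runc-backup
```

Run the backup as root before starting the PoC container. After the test, a failing verify_runc confirms the overwrite happened; restoring from the copy only returns the host to its previous, still vulnerable, state, so the real fix is upgrading runc (or the Docker package that bundles it) to a patched build.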
The vulnerability can be exploited in two cases:
- First, by injecting malicious commands inside a container.
- Second, by creating a malicious Docker image.
“The first (which is what this repo is) is essentially a trap. An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit, which will allow code execution as root. The second (which is not what this repo is) creates a malicious Docker image. When that image is run, the exploit will fire. No need to exec into the container,” the researchers explained.