GiverOfGifts/CVE-2019-5736-Custom-Runtime

CVE-2019-5736-Custom-Sandbox

General

CVE-2019-5736 implemented against a minimal, self-written container runtime, in order to understand how the exploit works.

The exploit is based on (and almost entirely copied from) the runc PoC by Twistlock: https://github.com/twistlock/RunC-CVE-2019-5736/tree/master/malicious_image_POC

Container Runtime (quarantine)

See code docs for further details.

Usage: quarantine [OPTIONS] [BINARY and its ARGS]

--rootfs: (mandatory) Specify a rootfs for the container.
--urange: Specify a UID range as start_host:end_host,start_guest.
--grange: Specify a GID range as start_host:end_host,start_guest.
--uid:    Specify the desired UID in the container.
--gid:    Specify the desired GID in the container.
--supp:   Append supplementary groups from the specified grange to the process running in the container.

All namespaces are unshared except for the user namespace. The user namespace is only unshared under special circumstances, i.e. when urange, grange, uid and/or gid are specified.

Setup for the exploit

This was tested and done on Ubuntu 18.04.

  1. Get a rootfs (bionic, for example)
    • mkdir rootfs
    • sudo debootstrap bionic ./rootfs
  2. Get the libcap source
    • git clone https://github.com/mhiramat/libcap
  3. Modify libcap
    • cat exploit_code_for_shared_lib.c >> <any cap*.c, I used cap_alloc.c>
    • make
  4. chroot into the rootfs and install libcap-dev, so you can simply link against the modified libcap.so
    • sudo chroot rootfs
    • apt install libcap-dev
  5. Copy the created libcap.so.2.25 file into the appropriate rootfs directory
    • sudo cp libcap.so.2.25 rootfs/lib/x86_64-linux-gnu
    • Note: For me, there already was a symlink pointing at that exact libcap file version, so I didn't have to link it
    • Note: This path might differ; always check where the compiled quarantine expects libcap to be: ldd quarantine
  6. Compile and copy the other files into the rootfs
    • sudo cp shebang_exploit rootfs/
    • sudo gcc -o rootfs/root/payload payload.c
    • sudo gcc -o rootfs/overwrite_sndbx_runtime overwrite_sndbx_runtime.c

Run exploit

For example: sudo ./quarantine --rootfs rootfs /shebang_exploit, or ./quarantine --rootfs rootfs --uid 1 /shebang_exploit.

It works as long as you either keep CAP_DAC_OVERRIDE or CAP_SYS_ADMIN on the host side (i.e. don't unshare the user namespace when running under sudo, since that drops the capabilities held in the parent namespace), or you own the runtime binary on the host.
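The condition above is the whole story from the defender's side: the container process can reach the runtime binary on the host through /proc/self/exe, and whether it can write to it comes down to capabilities or file ownership. The mitigation runc shipped for this CVE removes that target entirely: at startup the runtime copies its own binary into an anonymous memfd, seals it against writes and resizes, and re-executes itself from that sealed copy, so /proc/self/exe no longer refers to a host file at all. The block below is an added example of that technique written for this README; it is not part of the quarantine runtime or of runc, the function names and the "quarantine-runtime" memfd label are hypothetical, and it assumes Linux with memfd_create and file sealing (kernel 3.17+, glibc 2.27+).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Seals that make the memfd immutable: no shrink, no grow, no writes, and no
 * further seal changes. A process holding CAP_DAC_OVERRIDE cannot bypass these. */
#define RUNTIME_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)

/* Copy the file at `path` into an anonymous, sealed memfd and return its fd,
 * or -1 on failure. After sealing, writes to the fd fail with EPERM. */
int sealed_copy_of(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;
    /* MFD_ALLOW_SEALING is required, otherwise F_ADD_SEALS fails with EPERM. */
    int mfd = memfd_create("quarantine-runtime", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) {
        close(src);
        return -1;
    }
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(src);
                close(mfd);
                return -1;
            }
            off += w;
        }
    }
    close(src);
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, RUNTIME_SEALS) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* Returns 1 if the fd carries every seal a runtime needs, else 0. */
int is_write_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & RUNTIME_SEALS) == RUNTIME_SEALS;
}

/* Try to overwrite the first byte; a sealed memfd refuses with EPERM.
 * Returns 1 if the write was rejected, 0 if it went through. */
int write_is_rejected(int fd)
{
    errno = 0;
    return pwrite(fd, "x", 1, 0) < 0 && errno == EPERM;
}

/* Self-contained check: write a small constructed stand-in for a runtime
 * binary to a temp file, seal a copy of it, and verify the copy is the same
 * size and immutable. Returns 1 on success, 0 on any failure. */
int sealed_copy_selftest(void)
{
    char tmpl[] = "/tmp/fake-runtime-XXXXXX";
    int tfd = mkstemp(tmpl);
    if (tfd < 0)
        return 0;
    const char body[] = "#!/bin/sh\necho constructed sample runtime\n"; /* constructed */
    int ok = write(tfd, body, sizeof body - 1) == (ssize_t)(sizeof body - 1);
    close(tfd);
    int mfd = ok ? sealed_copy_of(tmpl) : -1;
    unlink(tmpl);
    if (mfd < 0)
        return 0;
    struct stat st;
    ok = fstat(mfd, &st) == 0 && st.st_size == (off_t)(sizeof body - 1)
         && is_write_sealed(mfd) && write_is_rejected(mfd);
    close(mfd);
    return ok;
}

int main(void)
{
    /* Second pass after re-exec: we are now running from the sealed memfd. */
    if (getenv("QUARANTINE_REEXEC")) {
        puts("running from a sealed memfd; /proc/self/exe no longer names a host file");
        return 0;
    }
    int fd = sealed_copy_of("/proc/self/exe");
    if (fd < 0) {
        perror("sealed_copy_of");
        return 1;
    }
    printf("sealed=%d write_rejected=%d\n", is_write_sealed(fd), write_is_rejected(fd));
    setenv("QUARANTINE_REEXEC", "1", 1);
    char *const argv[] = { "quarantine", NULL };
    fexecve(fd, argv, environ); /* only returns on failure */
    perror("fexecve");
    return 1;
}
```

Run stand-alone, the program seals a copy of itself, prints that writes to the copy are rejected, and re-executes from the memfd once (guarded by the QUARANTINE_REEXEC variable so it does not loop). The re-exec is the part that matters against this exploit class: a container process that opens /proc/self/exe of the re-executed runtime gets the sealed memfd, not the binary on the host filesystem, regardless of which capabilities it kept.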

About

CVE-2019-5736 implemented in a self-written container runtime to understand the exploit.
