New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More versions supported, fix bugs, allow Debian. (CVE-2024-21626) #18838
Conversation
Now uses the Rex::Version system to check the user's version of runC. The old system used to allow runC version 1.1.12 (which is patched). Now it allows from 1.0.0-rc93->1.1.11 (and I tested that it works as expected). Support added for Debian as this was tested with both Debian and Ubuntu. Newer versions of Docker wouldn't delete the built container due to the message format. I added a new regex to check for the message format which now deletes containers. Fixed error reporting bug, runC version sanitising Some runC versions contain the `+` and `~` token. These break Rex::Version objects. A simple check was added against these symbols and anything following them is cut off. Another solution may be to replace these tokens with the `-` symbol to maintain information. One of the failure cases was unreachable and this was fixed. Fix runC and docker presence checks The old runC and docker presence checks wer using `if` instead of `unless`. executable? also requires a full path to work correctly. Since only the command names themselves were being passed in, the check was silently failing. The chosen fix was to instead use the command_exists? function, which has the added benefit of working on both Windows and Linux.
Hey @SickMcNugget, thanks for the PR. The changes look okay to me although I wasn't able to get a session when exploiting Debian 12.4. It could be due to the I was also unsuccessful in getting a session on Ubuntu with I did rerun the exploit multiple times while increasing the It seems as though only specific Debian 12.4 Not working
Target Info:
Module Output:
Ubuntu 22.04.1 Not working
Target Info:
Module Output:
Kali Linux 2023.3 Working
Target info:
Module output:
|
@jheysel-r7 That's definitely a good point. I've had trouble replicating the issue on some versions of I know for absolute sure that It could instead be worth using the range check as a fallback with a less confident return message. Happy to work with any suggestions. |
Hey @SickMcNugget, the patch has been back-ported to a number of versions within the range |
With commit 6589b86, the check method now reports not vulnerable for back-ported versions; On Debian:
And ubuntu:
But still reports
|
…amework into runc_priv_esc
I didn't realise you could commit directly to my branch so I may have just broken everything. 👍 |
Ahh sorry about that @SickMcNugget - but no worries you didn't break anything. I just retested the module and it's working great, landing now. 🚀
|
bf0d81d
Release NotesThis adds support for Debian and includes a number of fixes and improvements for the |
woohoo, thanks for all the additions @SickMcNugget |
updates #18780
Uses the Ubuntu version checking, with a fallback to the Rex::Version system to check the runc version. The old system used to allow runC version 1.1.12 (which is patched). Now it allows from 1.0.0-rc93->1.1.11 (and I tested that it works as expected). Support added for Debian as this was tested with both Debian and Ubuntu. Newer versions of Docker wouldn't delete the built container due to the message format. I added a new regex to check for the message format which now deletes containers.
Fixed error reporting bug, runC version sanitising
Some runC versions contain the
+
and~
token. These break Rex::Version objects. A simple check was added against these symbols and anything following them is cut off. Another solution may be to replace these tokens with the-
symbol to maintain information. One of the failure cases was unreachable and this was fixed.Fix runC and docker presence checks
The old runC and docker presence checks wer using
if
instead ofunless
. executable? also requires a full path to work correctly. Since only the command names themselves were being passed in, the check was silently failing. The chosen fix was to instead use the command_exists? function, which has the added benefit of working on both Windows and Linux.Verification
Output
runC check
Valid run