Main
Vulnerability Database
Exploits
ID:8765 - Exploit for Privilege escalation in runc - CVE-2019-5736
ID:8765 - Exploit for Privilege escalation in runc - CVE-2019-5736
Published: January 23, 2023
Vulnerability identifier: #VU17474
Vulnerability risk: Medium
CVE-ID: CVE-2019-5736
CWE-ID: CWE-264
Exploitation vector: Local access
Vulnerable software:
runc
runc
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec, overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec, overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
To prevent this attack, LXC has been patched to create a temporary copy of the calling binary itself when it starts or attaches to containers (cf. 6400238d08cdf1ca20d49bafb85f4e224348bf9d).