module
runc (docker) File Descriptor Leak Privilege Escalation
| Disclosed | Created |
|---|---|
| 2024-01-31 | 2024-02-05 |
Disclosed
2024-01-31
Created
2024-02-05
Description
All versions of runc and Kubernetes are vulnerable to an arbitrary file write.
Due to a file descriptor leak it is possible to mount the host file system
with the permissions of runc (typically root).
Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 and runc 1.1.11 using Docker build.
Successfully tested on Debian 12.4.0 with runc 1.1.11 using Docker build.
Successfully tested on Arch Linux 12/1/2024 with runc 1.1.10-1 using Docker build.
Due to a file descriptor leak it is possible to mount the host file system
with the permissions of runc (typically root).
Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 and runc 1.1.11 using Docker build.
Successfully tested on Debian 12.4.0 with runc 1.1.11 using Docker build.
Successfully tested on Arch Linux 12/1/2024 with runc 1.1.10-1 using Docker build.
Authors
h00die
SickMcNugget
jheysel-r7
Rory McNamara
SickMcNugget
jheysel-r7
Rory McNamara
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.