runc (docker) File Descriptor Leak Privilege Escalation
Description
All versions of runc <=1.1.11, as used by containerization technologies such as Docker engine, and Kubernetes are vulnerable to an arbitrary file write. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 and runc 1.1.11 using Docker build. Successfully tested on Debian 12.4.0 with runc 1.1.11 using Docker build. Successfully tested on Arch Linux 12/1/2024 with runc 1.1.10-1 using Docker build.
Author(s)
- h00die
- SickMcNugget
- jheysel-r7
- Rory McNamara
Platform
Linux
Architectures
x86, x64
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/local/runc_cwd_priv_esc
msf exploit(runc_cwd_priv_esc) > show targets
...targets...
msf exploit(runc_cwd_priv_esc) > set TARGET < target-id >
msf exploit(runc_cwd_priv_esc) > show options
...show and set options...
msf exploit(runc_cwd_priv_esc) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security
