2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to set up early warning for the runc container escape vulnerability. The content is concise and easy to follow, and after reading it you should have a clear picture of the issue.
0x00 vulnerability background
runc is a CLI tool that creates and runs containers according to the OCI (Open Container Initiative) specification; the Docker engine is itself built on runc. On February 11, 2019, researchers disclosed the details of a runc container escape vulnerability through the oss-security mailing list, and according to OpenWall an exploit (EXP) will be made public seven days later, on February 18, 2019. 360CERT assesses that the vulnerability may affect a large number of cloud service providers and cause serious harm.
0x01 vulnerability impact
The vulnerability allows a malicious container (with minimal user interaction) to overwrite the runc binary on the host and thereby execute code on the host with root privileges. With user interaction, arbitrary code can be executed as root in the following two cases:
1. A new container is created from an attacker-controlled image.
2. Someone enters (docker exec) an existing container that the attacker previously had write access to.
The default AppArmor policy does not block this vulnerability. The default SELinux policy also does not block it for the moby-engine package on Fedora (because the container process runs as container_runtime_t); the docker and podman packages on Fedora are not affected (they run the container process as container_t). The vulnerability is, however, blocked by correct use of user namespaces (where the host's root is not mapped into the container's user namespace).
Besides runc, Apache Mesos and LXC are also confirmed to be affected. The attack can only occur in a privileged container, because overwriting the runc binary requires root privileges on the host. LXC considers privileged containers insecure and therefore did not allocate a CVE for this issue, but patches have been released.
0x02 vulnerability details
An attacker can trick runc into executing an attacker-controlled file by replacing a target file in the container with one that points at runc. For example, if the target file is /bin/bash, it is replaced with an executable script whose interpreter line is #!/proc/self/exe. When /bin/bash is executed in the container, /proc/self/exe runs instead, and that path resolves to the runc binary on the host. The attacker can then attempt to write to /proc/self/exe in order to overwrite the host's runc. Normally this fails, because the kernel does not allow a binary to be overwritten while it is being executed. To get around this, the attacker opens a file descriptor for /proc/self/exe with the O_PATH flag, reopens it with the O_WRONLY flag through /proc/self/fd/, and retries the write from a separate process in a loop. The overwrite succeeds once runc exits, after which the replaced runc can be used to attack other containers or the host.
0x03 vulnerability patch
LXC's fix uses the memfd_create system call to create an anonymous memory-backed file, copies the binary into it, and then seals the file so that it cannot be modified. This sealed in-memory file is executed instead of the file on disk. Any write from a privileged container aimed at the host binary therefore lands on the in-memory copy rather than the on-disk file, preserving the latter's integrity; and because the in-memory file is sealed, the write fails as well.
The fix in runc follows the same scheme.
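The following is an added example, not code from the page or from LXC or runc: it sketches the sealed-memfd mitigation described above and checks it against the write-through-/proc/self/fd step from the vulnerability details. The stand-in binary bytes are constructed; the seal flags and the memfd_create call are standard Linux APIs (Linux only).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for the runc binary's bytes (any payload will do). */
static const char kBinary[] = "\x7f" "ELF-stand-in-for-runc";

/* Copy `data` into an anonymous memory file and seal it against writes,
 * shrinking, growing and further seal changes. Returns the memfd or -1. */
int make_sealed_copy(const void *data, size_t len) {
    int fd = memfd_create("runc_clone", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    int seals = F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE;
    if (fcntl(fd, F_ADD_SEALS, seals) < 0) { close(fd); return -1; }
    return fd;
}

/* Reopen the descriptor for writing through /proc/self/fd/N, as the text
 * describes, and attempt an overwrite. Returns the errno of the failing
 * step, or 0 if the write went through (which the seals must prevent). */
int overwrite_attempt_errno(int fd) {
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int wfd = open(path, O_WRONLY);
    if (wfd < 0) return errno;
    int err = write(wfd, "X", 1) < 0 ? errno : 0;
    close(wfd);
    return err;
}

/* Read the sealed copy back and compare it with the original bytes. */
int contents_intact(int fd, const void *data, size_t len) {
    char buf[256];
    if (len > sizeof buf) return 0;
    return pread(fd, buf, len, 0) == (ssize_t)len && memcmp(buf, data, len) == 0;
}

/* End-to-end check: 1 if the overwrite fails with EPERM and the bytes survive. */
int mitigation_holds(void) {
    size_t len = sizeof kBinary;
    int fd = make_sealed_copy(kBinary, len);
    if (fd < 0) return 0;
    int ok = overwrite_attempt_errno(fd) == EPERM && contents_intact(fd, kBinary, len);
    close(fd);
    return ok;
}
```

The real fixes go one step further and execute the sealed copy (via the memfd) instead of the on-disk binary, so that /proc/self/exe of the running process already points at the sealed file.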
0x04 remediation recommendations
The vulnerability details have already been disclosed and the EXP will be released soon, so it cannot be ruled out that an attacker writes an exploit from the published details before the EXP is made public. 360CERT recommends that vendors and developers relying on lxc- and runc-based container technology upgrade promptly, and follow the subsequent EXP to verify that the upgrade is effective. Other vendors and developers also need to track the progress of this vulnerability, since more container systems may turn out to be affected.
That is how to set up early warning for the runc container escape vulnerability. If you want to learn more, you are welcome to follow the industry information channel.