Share
## https://sploitus.com/exploit?id=3A9F5540-0A8F-5E68-9364-E0505791CAA9
[![DOI](https://img.shields.io/badge/DOI-10.5281%2Fzenodo.18304765-blue?logo=zenodo&logoColor=white)](https://doi.org/10.5281/zenodo.18304765) = [doi.org/10.5281/zenodo.18304765](https://doi.org/10.5281/zenodo.18304765)

[![ORCID](https://img.shields.io/badge/ORCID-0009--0007--7728--256X-A6CE39?logo=orcid&logoColor=white)](https://orcid.org/0009-0007-7728-256X) = [orcid.org/0009-0007-7728-256X](https://orcid.org/0009-0007-7728-256X)

---

# README.md

## ๐Ÿ’€ CVE-2019-5736: runc Container Breakout Deconstruction

**Advanced Purple Teaming & Forensic Analysis of Host Root Escape**

---

### ๐Ÿ›ก๏ธ Overview

This repository contains a high-fidelity deconstruction and Proof-of-Concept (PoC) for **CVE-2019-5736**, a critical vulnerability in `runc` (versions 1.0-rc1 through 1.0-rc6). This exploit allows a malicious container with root privileges to overwrite the host `runc` binary and gain **complete host root access** .

* 
**Vulnerability Type:** CWE-59 (Improper Link Resolution Before File Access).


* 
**CVSSv3 Score:** 8.6 HIGH.


* 
**Impact:** Escape from isolated container namespaces to the host operating system.



---

### ๐Ÿ› ๏ธ Technical Chain of Attack (Chain of Thought)

The exploit follows a deterministic multi-stage execution path:

1. 
**Namespace Liberation:** Uses `unshare -rm` to create a new mount namespace, bypassing initial container restrictions.


2. 
**Filesystem Bridging:** Leverages `OverlayFS` to mount the host root directory (`/`) into a writable container-controlled directory .


3. 
**Dynamic Linker Hijacking:** Overwrites `/etc/ld.so.preload` on the host to inject a malicious payload (`/bin/sh -p`) into every new process .


4. 
**Execution Trigger:** Executes a standard host binary (e.g., `/usr/bin/ping`) to trigger the loader and spawn a **Host Root Shell** .



---

### ๐Ÿš€ Production-Ready Deployment

#### 1. Lab Environment Setup (Vulnerable Docker)

To test this in a controlled environment (Ubuntu 18.04 + Docker 18.09.2):

```bash
# [cite_start]Setup vulnerable host [cite: 384-388]
docker run -d --name vuln_host --privileged ubuntu:18.04 sleep infinity
docker exec vuln_host apt update && apt install -y curl git
docker exec vuln_host curl -sSL https://get.docker.com | sh

```

#### 2. Execute Escape Payload

Run the following within the vulnerable environment to achieve host root :

```bash
chmod +x runc_root_escape.sh
./runc_root_escape.sh

```

---

### ๐Ÿ“Š Impact Matrix (Business & Technical)

| Target Environment | Status | Impact Potential 

 |
| --- | --- | --- |
| **Standalone Docker** | โœ… Vulnerable | Host takeover, data destruction ($10M+) |
| **Kubernetes Cluster** | โœ… Pivot Ready | Cluster-admin secret theft ($50M+) |
| **Public Cloud (AWS/GCP)** | โœ… Vulnerable | IAM role theft, Cloud pivot ($100M+) |

---

### ๐Ÿ” Detection & Forensic Artifacts

For **Blue Team** monitoring, focus on these indicators of compromise (IoC):

* 
**Filesystem:** Unexpected writes to `/etc/ld.so.preload`.


* 
**Process:** Monitoring `unshare` and `mount` calls within containers .


* 
**History:** Check for automated persistence in `/var/spool/cron/crontabs/root`.



---

### โš–๏ธ Disclaimer

This material is provided by **SASTRA_ADI_WIGUNA [Purple_Elite_Teaming]** for educational and authorized security testing purposes only. Use of this information for illegal activities is strictly prohibited.

---

### ๐Ÿ“‹ To-Do / Next Steps

* [ ] Integrate Falco/Sysdig detection rules.
* [ ] Automate cleanup scripts for Red Team ops .


* [ ] Map against MITRE ATT&CK T1611 (Escape to Host).



---