## https://sploitus.com/exploit?id=3A9F5540-0A8F-5E68-9364-E0505791CAA9
[](https://doi.org/10.5281/zenodo.18304765) = [doi.org/10.5281/zenodo.18304765](https://doi.org/10.5281/zenodo.18304765)
[](https://orcid.org/0009-0007-7728-256X) = [orcid.org/0009-0007-7728-256X](https://orcid.org/0009-0007-7728-256X)
---
# README.md
## ๐ CVE-2019-5736: runc Container Breakout Deconstruction
**Advanced Purple Teaming & Forensic Analysis of Host Root Escape**
---
### ๐ก๏ธ Overview
This repository contains a high-fidelity deconstruction and Proof-of-Concept (PoC) for **CVE-2019-5736**, a critical vulnerability in `runc` (versions 1.0-rc1 through 1.0-rc6). This exploit allows a malicious container with root privileges to overwrite the host `runc` binary and gain **complete host root access** .
*
**Vulnerability Type:** CWE-59 (Improper Link Resolution Before File Access).
*
**CVSSv3 Score:** 8.6 HIGH.
*
**Impact:** Escape from isolated container namespaces to the host operating system.
---
### ๐ ๏ธ Technical Chain of Attack (Chain of Thought)
The exploit follows a deterministic multi-stage execution path:
1.
**Namespace Liberation:** Uses `unshare -rm` to create a new mount namespace, bypassing initial container restrictions.
2.
**Filesystem Bridging:** Leverages `OverlayFS` to mount the host root directory (`/`) into a writable container-controlled directory .
3.
**Dynamic Linker Hijacking:** Overwrites `/etc/ld.so.preload` on the host to inject a malicious payload (`/bin/sh -p`) into every new process .
4.
**Execution Trigger:** Executes a standard host binary (e.g., `/usr/bin/ping`) to trigger the loader and spawn a **Host Root Shell** .
---
### ๐ Production-Ready Deployment
#### 1. Lab Environment Setup (Vulnerable Docker)
To test this in a controlled environment (Ubuntu 18.04 + Docker 18.09.2):
```bash
# [cite_start]Setup vulnerable host [cite: 384-388]
docker run -d --name vuln_host --privileged ubuntu:18.04 sleep infinity
docker exec vuln_host apt update && apt install -y curl git
docker exec vuln_host curl -sSL https://get.docker.com | sh
```
#### 2. Execute Escape Payload
Run the following within the vulnerable environment to achieve host root :
```bash
chmod +x runc_root_escape.sh
./runc_root_escape.sh
```
---
### ๐ Impact Matrix (Business & Technical)
| Target Environment | Status | Impact Potential
|
| --- | --- | --- |
| **Standalone Docker** | โ Vulnerable | Host takeover, data destruction ($10M+) |
| **Kubernetes Cluster** | โ Pivot Ready | Cluster-admin secret theft ($50M+) |
| **Public Cloud (AWS/GCP)** | โ Vulnerable | IAM role theft, Cloud pivot ($100M+) |
---
### ๐ Detection & Forensic Artifacts
For **Blue Team** monitoring, focus on these indicators of compromise (IoC):
*
**Filesystem:** Unexpected writes to `/etc/ld.so.preload`.
*
**Process:** Monitoring `unshare` and `mount` calls within containers .
*
**History:** Check for automated persistence in `/var/spool/cron/crontabs/root`.
---
### โ๏ธ Disclaimer
This material is provided by **SASTRA_ADI_WIGUNA [Purple_Elite_Teaming]** for educational and authorized security testing purposes only. Use of this information for illegal activities is strictly prohibited.
---
### ๐ To-Do / Next Steps
* [ ] Integrate Falco/Sysdig detection rules.
* [ ] Automate cleanup scripts for Red Team ops .
* [ ] Map against MITRE ATT&CK T1611 (Escape to Host).
---