-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tested exploit/linux/local/runc_cwd_priv_esc on arch linux runc 1.1.4 #19679
Comments
Metasploit folx, if someone can provide this technical writer a little guidance on what needs updating, then I'd be happy to update this for you. |
Arch linux is not directly supported (or tested) by the module (although it may still work). https://security.archlinux.org/issues/vulnerable does not list cve-2024-21626 (although there's nothing from 2024, so likely the list isn't kept up to date). There is a issue template for bugs, I would suggest following that as I'd like more information before expanding the module. |
I believe we chatted in slack, if this is incorrect please let me know. |
Archlinux uses rolling updates and does not have versions, the system was update using pacman to the date I reported except runc that used the version specified. The runc version used should have made the system vulnerable as stated in the exploit description. |
I had a
@rolf-d2i if you can confirm, I'll update the module/docs |
Mostly looks ok except I don't see from you log that your actually executing the exploit and also you are using 1.1.10 instead of 1.1.4. The version difference obviously doesn't matter if the exploit is supposed to be present in 1.1.10. |
1.1.10 is vulnerable, the patch is in 1.1.12. This is definitely true since I was able to exploit it successfully.
I think you missed the running of the exploit, I gave the exact output from running the module (even with my 3 debug lines while determining the Can you please provide output from running the exploit against your target? This can help with debugging why it didn't work for you but it does me. |
Running a typical reverse shell inside a debian docker running on arch linux results in [] Started reverse TCP handler on 0.0.0.0:4444 The documentation makes it sound that the host can be modified exploited from the docker container. |
Running a typical reverse shell on the arch linux machine using a none root user with docker access produces Version on this machine Running in metasploit after setting up a reverse shell session over tcp to a none root user with docker access in user home directory [] Started reverse TCP handler on 0.0.0.0:4444 |
Did you try a different |
No idea what you are referring to when you talk about FILEDESCRIPTOR, and
it is not in the documentation of the exploit or the exploit options either.
If you can explain it I can test it.
Regards
Rolf Stenholm
Den tis 17 dec. 2024 kl 10:46 skrev h00die ***@***.***>:
… [-] Exploit aborted due to failure: no-access: File Descriptor 7 not
available, try again (likely) or adjust FILEDESCRIPTOR.
Did you try a different FILEDESCRIPTOR like 8?
—
Reply to this email directly, view it on GitHub
<#19679 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGJVVKNK6ILZW234CIIKT4T2F7XHRAVCNFSM6AAAAABSOA3NTGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNBXHE3DSMBQGU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
It is an exploit (advanced) option: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/runc_cwd_priv_esc.rb#L67 It is in the documentation: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/local/runc_cwd_priv_esc.md?plain=1#L27 I also mentioned having to change mine when exploiting (#19679 (comment)):
This field becomes the Maybe it could be automated, I'd have to look in to that. That would be a better approach, but every time I've been successful with exploitation (Ubuntu/Kali) the value has always been |
Using filedescriptor 8 works better
When running inside a docker container
```
get filedescriptor
filedescriptor => 8
set ForceExploit true
run
[*] Started reverse TCP handler on 0.0.0.0:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Building from Dockerfile to set our payload permissions
[-] Exploit aborted due to failure: no-access: Failed to build docker
container. The user may not have docker permissions
[*] Exploit completed, but no session was created.
```
When running as none root user on machine and changing filedescriptor from
7 to 8
The description for this exploit is not clear that it needs to run on the
host machine, only very special docker containers can run docker inside of
docker containers.
When running on the docker host machine
```
set filedescriptor 8
[*] Started reverse TCP handler on 0.0.0.0:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Building from Dockerfile to set our payload permissions
[*] Removing created docker image 48f3ba4ed577
[*] Payload permissions set, executing payload (/tmp/.Fd212m4mt/.yYxzX8W)...
[*] Exploit completed, but no session was created.
```
Supposedly successful but I cant see any results from the exploit
Den tis 17 dec. 2024 kl 11:18 skrev h00die ***@***.***>:
… It is an exploit (advanced) option:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/runc_cwd_priv_esc.rb#L67
It is in the documentation:
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/local/runc_cwd_priv_esc.md?plain=1#L27
I also mentioned having to change mine when exploiting (#19679 (comment)
<#19679 (comment)>
):
I had a FILEDESCRIPTOR of 8
This field becomes the WORKDIR for the docker image, so if it isn't
correct (aka doesn't exist), the exploit will fail. It is mapped to: WORKDIR
/proc/self/fd/#{datastore['FILEDESCRIPTOR']} here:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/runc_cwd_priv_esc.rb#L180
Maybe it could be automated, I'd have to look in to that. That would be a
better approach, but every time I've been successful with exploitation
(Ubuntu/Kali) the value has always been 8. It as changed to 7 in #18838
<#18838>
—
Reply to this email directly, view it on GitHub
<#19679 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGJVVKJ55K2FI5EHQB4OVSL2F7275AVCNFSM6AAAAABSOA3NTGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNBYGA2TSOJVGI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
As per the next sentence in my instructions:
|
The documentation for the exploit is not very clear that the exploit should be used on the host running docker and the exploit cannot be used to escape from the insides of a docker component. The FILEDESCRIPTOR option does not show up when using metasploit command option and it is not easy to know which number is actually a problem to write to, looking into /proc/self/fd does not appear to help picking the correct fildedescriptor at least. |
After looking at the code I managed to get a meterpreter sessions opened running the exploit but the new session is still the same normal user from my previous session, no privilege escalation happened and I could not upgrade the user account to root account using this exploit. |
Also when an exploit fail it often leaves stopped docker containers in the environment that needs to be removed manually. |
getting a user shell likely means you wrote the payload to a |
Summary
Tested exploit/linux/local/runc_cwd_priv_esc on arch linux to extend access with docker runc exploit.
Running Linux runc version 1.1.4 the exploit did not complete with success.
The exploit claims this system should have been vulnerable, but actual execution on host shows the exploit did not complete with success on arch linux. The Documentation on the exploit should be updated to document this, it is either is a bug, or arch linux is not vulnerable to this exploit, or the documentation is insufficient to correctly replicate the vulnerability.
Git link to exploit code tested https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/runc_cwd_priv_esc.rb
The text was updated successfully, but these errors were encountered: