module
runc (docker) File Descriptor Leak Privilege Escalation
| Disclosed | Created |
|---|---|
| Jan 31, 2024 | Feb 5, 2024 |
Disclosed
Jan 31, 2024
Created
Feb 5, 2024
Description
All versions of runc and Kubernetes are vulnerable to an arbitrary file write.
Due to a file descriptor leak it is possible to mount the host file system
with the permissions of runc (typically root).
Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 and runc 1.1.11 using Docker build.
Successfully tested on Debian 12.4.0 with runc 1.1.11 using Docker build.
Successfully tested on Arch Linux 12/1/2024 with runc 1.1.10-1 using Docker build.
Due to a file descriptor leak it is possible to mount the host file system
with the permissions of runc (typically root).
Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 and runc 1.1.11 using Docker build.
Successfully tested on Debian 12.4.0 with runc 1.1.11 using Docker build.
Successfully tested on Arch Linux 12/1/2024 with runc 1.1.10-1 using Docker build.
Authors
h00die
SickMcNugget
jheysel-r7
Rory McNamara
SickMcNugget
jheysel-r7
Rory McNamara
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.