runc Procfs File Handling Vulnerability Allows Write Redirection Exploitation

Vulnerability

A vulnerability in runc versions 1.2.7, 1.3.2, and 1.4.0-rc.2 allows an attacker to manipulate how runc writes to procfs files. By using a racing container with shared mounts, the attacker can redirect writes to other procfs files, potentially exploiting this behavior to interfere with container or host operations. This issue can be triggered using a standard Dockerfile that creates parallel executions with shared mounts. The vulnerability takes advantage of insufficient checks when binding `/dev/pts/$n` to `/dev/console`, which can be exploited to write to sensitive procfs files or disrupt system functions.

Impact

Exploitation of this vulnerability can lead to unauthorized write access to critical procfs files, bypassing standard Unix permission controls. This could allow a container to escape its confines and affect the host system or other containers, depending on the files manipulated. For instance, writing to `/proc/sysrq-trigger` could disrupt the entire system, while altering `/proc/sys/kernel/core_pattern` could interfere with core dump handling, potentially causing application crashes.

Reproduction

The vulnerability can be reproduced by creating a container with shared mounts that bind `/dev/pts/$n` to `/dev/console`. This can be done using a Dockerfile that triggers parallel execution with the necessary mount configurations. Once the container is running, runc's handling of the console can be manipulated to redirect writes to procfs files, exploiting the vulnerability.

Remediation

Users can update to runc versions 1.2.8, 1.3.3, or 1.4.0-rc.3, all of which include patches for this vulnerability.
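A fleet check built on the versions above, added here as an example and not taken from runc or from this advisory's publisher. It parses the first line of `runc --version` output and compares it with the fixed release on the same release line. It assumes anything older than the fix on a listed line needs the update, and reports lines the advisory does not name as unknown. The host names and sample outputs are constructed.

```python
import re

# Fixed releases from the Remediation section, keyed by (major, minor) release line.
FIXED = {(1, 2): "1.2.8", (1, 3): "1.3.3", (1, 4): "1.4.0-rc.3"}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse(text):
    """Return a sortable key for the first x.y.z[-rc.N] found in text, or None."""
    m = _VERSION.search(text)
    if m is None:
        return None
    major, minor, patch, rc = m.groups()
    # A final release sorts after every release candidate of the same x.y.z.
    rc_key = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch), rc_key)


def classify(version_output):
    """Classify `runc --version` output as patched, needs-update or unknown."""
    found = parse(version_output)
    if found is None or found[:2] not in FIXED:
        # Unparseable, or a release line the advisory does not mention.
        return "unknown"
    # Assumption: anything older than the fix on the same line needs the update.
    return "patched" if found >= parse(FIXED[found[:2]]) else "needs-update"


def audit(inventory):
    """Map host -> status for a {host: version_output} inventory."""
    return {host: classify(out) for host, out in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and outputs are illustrative.
    sample = {
        "node-a": "runc version 1.2.7\nspec: 1.2.0",
        "node-b": "runc version 1.3.3\nspec: 1.2.1",
        "node-c": "runc version 1.4.0-rc.2",
        "node-d": "runc version 1.1.12",
    }
    for host, status in sorted(audit(sample).items()):
        print(f"{host}: {status}")
```

Distribution packages sometimes backport fixes without changing the upstream version string, so a "needs-update" result on a vendor build should be confirmed against the vendor's own advisory.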

Added: Nov 6, 2025, 9:53 PM
Updated: Nov 6, 2025, 9:53 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.0
exploitability: 3.9
remediation: 7.9
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.