
CVE-2024-48990 PoC: needrestart security vulnerability

Source
Associated Vulnerability
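Title: needrestart security vulnerability (CVE-2024-48990)
Description: needrestart is a tool, maintained by the individual developer liske, that checks which daemons need to be restarted after an upgrade. Versions of needrestart before 3.8 contain a security vulnerability that allows a local attacker to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.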
Description
Exploit for CVE-2024-48990 - Privilege Escalation in Needrestart 3.7-3. For educational purposes only
Readme
# CVE-2024-48990 - Needrestart 3.7-3 Privilege Escalation Exploit

## Overview
This repository contains an exploit for CVE-2024-48990, a privilege escalation vulnerability in Needrestart 3.7-3. Per the CVE description, needrestart can be tricked into running the Python interpreter with an attacker-controlled `PYTHONPATH`, which results in arbitrary code execution as root.

## Affected Versions
- Needrestart 3.7-3 (Tested on Debian-based systems)
- Other versions may also be vulnerable

## Exploit Details
The exploit consists of:

- `main.asm`: Assembly shellcode used for privilege escalation.
- `listener.sh`: Python-based listener for monitoring exploitation success.
- `Makefile`: Automates the compilation and execution of the exploit.

## Exploitation Steps
### 1. Clone the Repository
```bash
git clone https://github.com/ten-ops/CVE-2024-48990.git
cd CVE-2024-48990
```

### 2. Compile and Execute
```bash
make
```
This will:

- Assemble and link the shellcode.
- Create a malicious shared object (`__init__.so`) inside `/tmp/attacker/importlib/`.
- Execute the `listener.sh` script to monitor the attack.

### 3. Trigger the Exploit
To trigger the exploit, execute the following command:
```bash
sudo needrestart -r a
```
This forces Needrestart to load the malicious shared object, resulting in privilege escalation.

### 4. Verify Exploitation Success
If successful, you should see:
```text
Root obtained!, clear traces ...
```

---

## Why This Attack is Effective on Multi-User Ubuntu Servers

**1. Needrestart is often executed by administrators when updating or patching the server.**

**2. If the attacker injects the payload before an admin runs needrestart, they gain root without direct sudo access.**

**3. This is known as "privilege escalation by waiting" (time-of-use attack).**

---

## Mitigation
To mitigate this vulnerability:
- **Upgrade Needrestart** to a patched version (the CVE description lists versions before 3.8 as vulnerable).
- **Restrict execution of untrusted binaries** by enforcing strict sudo policies.
- **Monitor `/tmp/` and `/var/tmp/`** for suspicious activity.
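
One way to act on the monitoring advice above, as an added example that is not part of the original repository: a Python audit that reads each process's environment from `/proc` and flags `PYTHONPATH` entries root should not trust, including the `importlib/__init__.so` layout this README describes. The function names are hypothetical, and the check assumes the attacker-controlled `PYTHONPATH` is visible in a running process's environment on a Linux host.

```python
import os
import stat

def parse_environ(blob):
    """Split a /proc/<pid>/environ blob (NUL-separated KEY=VALUE) into a dict."""
    pairs = (item.partition(b"=") for item in blob.split(b"\0") if b"=" in item)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def audit_pythonpath(blob):
    """Return (entry, reasons) for each PYTHONPATH entry root should not trust."""
    findings = []
    for entry in parse_environ(blob).get("PYTHONPATH", "").split(os.pathsep):
        if not entry:
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # path does not exist (yet): nothing to inspect
        reasons = []
        if st.st_uid != 0:
            reasons.append("not owned by root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world-writable")
        # Layout named in this README: a shared object shadowing importlib.
        if os.path.isfile(os.path.join(entry, "importlib", "__init__.so")):
            reasons.append("shadows importlib with a shared object")
        if reasons:
            findings.append((entry, reasons))
    return findings

def scan_proc(proc="/proc"):
    """Audit every readable process; run as root to see other users' environ."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                found = audit_pythonpath(fh.read())
        except OSError:
            continue  # process exited or permission denied
        if found:
            results[int(pid)] = found
    return results

if __name__ == "__main__":
    for pid, found in sorted(scan_proc().items()):
        for entry, reasons in found:
            print(f"pid {pid}: PYTHONPATH entry {entry}: {', '.join(reasons)}")
```

Run it as root before invoking needrestart on a shared host; any finding is a reason to inspect the process and its owner before restarting services.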

---

## Disclaimer
This exploit is for **educational and research purposes only**. Unauthorized use may violate applicable laws. The author is not responsible for any misuse.

---

## References
- [CVE Details](https://www.cvedetails.com/cve/CVE-2024-48990/)
- [Mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48990)  

---

File Snapshot

```
[4.0K] /data/pocs/2f11eb8ffe32f5c50cbbdbdfa3eb337ffe2f79e6
├── [ 11K] LICENSE
├── [ 322] makefile
├── [2.5K] README.md
└── [4.0K] src
    ├── [ 392] listener.sh
    └── [2.0K] main.asm

1 directory, 5 files
```