CVE-2024-48990 PoC — needrestart 安全漏洞

Source

https://github.com/NullByte-7w7/CVE-2024-48990

Associated Vulnerability

Title:needrestart 安全漏洞 (CVE-2024-48990)
Description:needrestart是liske个人开发者的一款用于检查升级后需要重新启动哪些守护进程的工具。 needrestart 3.8之前版本存在安全漏洞，该漏洞源于允许本地攻击者通过诱骗needrestart使用攻击者控制的PYTHONPATH环境变量运行Python解释器，并以root身份执行任意代码。

Readme

# CVE-2024-48990

# introdution

This vulnerability takes advantage of the way in which needrestart manages the environment variable, to be more precise, PYTHONPATH can be hijacked by modifying the PYTHONPATH variable to a directory that contains a malicious library, thus executing and gaining access, we can have suid problems in some directories, so define in evil.c the following structure "sudo mount -o remount,suid /tmp" so we will be able to obtain root when executing /tmp/nullbyte -p.


# Execution Exploit

```bash
PYTHONPATH=/tmp python3 get_root.py
```
now, wait sysadmin update system or execute needrestart version 3.7, remember target need have version 3.7 needrestart

File Snapshot


 [4.0K]  /data/pocs/36ecab3a63bde71bc4ce5d85f0dbf8b32f00a6cc
├── [ 290]  evil.c
├── [ 723]  get_root.py
└── [ 685]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!