关联漏洞
标题:needrestart 安全漏洞 (CVE-2024-48990)描述:needrestart是liske个人开发者的一款用于检查升级后需要重新启动哪些守护进程的工具。 needrestart 3.8之前版本存在安全漏洞,该漏洞源于允许本地攻击者通过诱骗needrestart使用攻击者控制的PYTHONPATH环境变量运行Python解释器,并以root身份执行任意代码。
介绍
# CVE-2024-48990-PoC
## What is needrestart and how does it work?
Needrestart is a widely used utility on Linux systems (default on many Ubuntu versions) that checks after a software update whether any service or the system itself needs to be restarted. By analyzing running processes, it determines if they are using updated libraries or if they need to be restarted for changes to take effect.
## How does the vulnerability work?
When needrestart detects a process running a Python interpreter, it reads the environment variable PYTHONPATH associated with that process from /proc/[pid]/environ and then sets it before launching its own Python interpreter for analysis.
If the original process belongs to a local attacker, the attacker can manipulate PYTHONPATH to point to a malicious library.
As a result, when needrestart runs the Python interpreter with root privileges and the manipulated PYTHONPATH, it ends up executing the attacker’s code, leading to a privilege escalation to root.
## Affected Versions
This vulnerability affects only needrestart versions prior to 3.8. Versions 3.8 and later include a fix that properly sanitizes environment variables like PYTHONPATH before invoking the Python interpreter, preventing privilege escalation through malicious environment manipulation.
## Using the PoC
1. Clone the repository.
2. In runner.sh, modify the IP used to fetch the compiled binary so that it points to your own machine.
3. On the attacker’s machine, grant execute permissions and run binary.sh.
4. Set up an HTTP server:
```bash
$ python3 -m http.server
```
5. On the victim machine, copy runner.sh, give it execute permissions, and run it. In another console, run needrestart with root privileges.
At this point, you should get a root shell in the console where the PoC was executed.
<img width="967" height="584" alt="Pasted image 20251030181503" src="https://github.com/user-attachments/assets/0e6ea0b0-d3fb-4bf3-8f1d-b26e87b02756" />
文件快照
[4.0K] /data/pocs/942946ebe02c04e2d2cde62825f30d64416695f9
├── [ 660] binary.sh
├── [1.9K] README.md
└── [ 563] runner.sh
1 directory, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。