Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-48990 PoC — needrestart 安全漏洞

Source
https://github.com/Loaxert/CVE-2024-48990-PoC
Associated Vulnerability
Title:needrestart 安全漏洞 (CVE-2024-48990)
Description:needrestart是liske个人开发者的一款用于检查升级后需要重新启动哪些守护进程的工具。 needrestart 3.8之前版本存在安全漏洞,该漏洞源于允许本地攻击者通过诱骗needrestart使用攻击者控制的PYTHONPATH环境变量运行Python解释器,并以root身份执行任意代码。
Readme
# CVE-2024-48990-PoC

## What is needrestart and how does it work?
Needrestart is a widely used utility on Linux systems (default on many Ubuntu versions) that checks after a software update whether any service or the system itself needs to be restarted. By analyzing running processes, it determines if they are using updated libraries or if they need to be restarted for changes to take effect.

## How does the vulnerability work?
When needrestart detects a process running a Python interpreter, it reads the environment variable PYTHONPATH associated with that process from /proc/[pid]/environ and then sets it before launching its own Python interpreter for analysis.

If the original process belongs to a local attacker, the attacker can manipulate PYTHONPATH to point to a malicious library.

As a result, when needrestart runs the Python interpreter with root privileges and the manipulated PYTHONPATH, it ends up executing the attacker’s code, leading to a privilege escalation to root.

## Affected Versions

This vulnerability affects only needrestart versions prior to 3.8. Versions 3.8 and later include a fix that properly sanitizes environment variables like PYTHONPATH before invoking the Python interpreter, preventing privilege escalation through malicious environment manipulation.

## Using the PoC
1. Clone the repository.

2. In runner.sh, modify the IP used to fetch the compiled binary so that it points to your own machine.

3. On the attacker’s machine, grant execute permissions and run binary.sh.

4. Set up an HTTP server:

```bash
$ python3 -m http.server
```

5. On the victim machine, copy runner.sh, give it execute permissions, and run it. In another console, run needrestart with root privileges.
At this point, you should get a root shell in the console where the PoC was executed.

<img width="967" height="584" alt="Pasted image 20251030181503" src="https://github.com/user-attachments/assets/0e6ea0b0-d3fb-4bf3-8f1d-b26e87b02756" />
File Snapshot

 [4.0K]  /data/pocs/942946ebe02c04e2d2cde62825f30d64416695f9
├── [ 660]  binary.sh
├── [1.9K]  README.md
└── [ 563]  runner.sh

1 directory, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.