CVE-2024-48990 PoC — needrestart 安全漏洞

Source

https://github.com/r0xdeadbeef/CVE-2024-48990-exploit

Associated Vulnerability

Title:needrestart 安全漏洞 (CVE-2024-48990)
Description:needrestart是liske个人开发者的一款用于检查升级后需要重新启动哪些守护进程的工具。 needrestart 3.8之前版本存在安全漏洞，该漏洞源于允许本地攻击者通过诱骗needrestart使用攻击者控制的PYTHONPATH环境变量运行Python解释器，并以root身份执行任意代码。

Description

Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.

Readme

## Proof of Concept (PoC) for CVE-2024-48990 in `needrestart`

**CVE-2024-48990**: Linux Local Privilege Escalation (LPE) via `needrestart`

- **Patched**: Nov 19, 2024
- **More Information**: [Qualys Advisory](https://www.qualys.com/2024/11/19/needrestart/needrestart.txt)

---

## How to Use?

1. Run the script `./start.sh`.
   - This will compile a malicious `importlib` library.
   - It will then start a Python script (`e.py`) that sets up a listener and waits for `needrestart` to be executed by the `root` user.

2. When `needrestart` is triggered (typically by an update like `apt upgrade`), it will load the fake library and execute the payload.

3. Upon successful execution, a shell will be opened.

---

File Snapshot


 [4.0K]  /data/pocs/9da33f5021c70061406cb6a54e72281e61c1ded2
├── [ 323]  e.py
├── [ 553]  lib.c
├── [ 716]  README.md
└── [ 241]  start.sh

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!