Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-48990 PoC — needrestart 安全漏洞

Source
https://github.com/Loaxert/CVE-2024-48990-PoC
Associated Vulnerability
Title:needrestart 安全漏洞 (CVE-2024-48990)
Description:Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
Readme
# CVE-2024-48990-PoC

## What is needrestart and how does it work?
Needrestart is a widely used utility on Linux systems (default on many Ubuntu versions) that checks after a software update whether any service or the system itself needs to be restarted. By analyzing running processes, it determines if they are using updated libraries or if they need to be restarted for changes to take effect.

## How does the vulnerability work?
When needrestart detects a process running a Python interpreter, it reads the environment variable PYTHONPATH associated with that process from /proc/[pid]/environ and then sets it before launching its own Python interpreter for analysis.

If the original process belongs to a local attacker, the attacker can manipulate PYTHONPATH to point to a malicious library.

As a result, when needrestart runs the Python interpreter with root privileges and the manipulated PYTHONPATH, it ends up executing the attacker’s code, leading to a privilege escalation to root.

## Affected Versions

This vulnerability affects only needrestart versions prior to 3.8. Versions 3.8 and later include a fix that properly sanitizes environment variables like PYTHONPATH before invoking the Python interpreter, preventing privilege escalation through malicious environment manipulation.

## Using the PoC
1. Clone the repository.

2. In runner.sh, modify the IP used to fetch the compiled binary so that it points to your own machine.

3. On the attacker’s machine, grant execute permissions and run binary.sh.

4. Set up an HTTP server:

```bash
$ python3 -m http.server
```

5. On the victim machine, copy runner.sh, give it execute permissions, and run it. In another console, run needrestart with root privileges.
At this point, you should get a root shell in the console where the PoC was executed.

<img width="967" height="584" alt="Pasted image 20251030181503" src="https://github.com/user-attachments/assets/0e6ea0b0-d3fb-4bf3-8f1d-b26e87b02756" />
File Snapshot

 [4.0K]  /data/pocs/942946ebe02c04e2d2cde62825f30d64416695f9
├── [ 660]  binary.sh
├── [1.9K]  README.md
└── [ 563]  runner.sh

1 directory, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →