Ubuntu needrestart LPE (CVE-2024-48990) #19676
Conversation
| version = cmd_exec('cat /etc/issue | cut -d " " -f 2').strip | ||
| version = version.slice(0, 5) # take off any extra version info | ||
| return CheckCode::Safe("Ubuntu version #{version} is not vulnerable") unless fixed_versions.key? version |
There was a problem hiding this comment.
Why couldn't those versions of Ubuntu run a vulnerable version of needrestart?
There was a problem hiding this comment.
you could get it running on every version of ubuntu by installing via source code. I'm not bothering with detecting the self-reported version number from the binary due to backporting. Plus its pre-installed on Ubuntu so someone installing a newer version via source code seems unlikely. I think this is good enough for the time being, but am open to PRs if theres a better way
| vprint_status("Uploading payload: #{payload_path}") | ||
| register_files_for_cleanup(payload_path) | ||
|
|
||
| # our c stub file does our chmod/chown/suid for the payload |
There was a problem hiding this comment.
Wouldn't it be better to use metasploit's options/features to prepend the setuid call to the payload, instead of having it in the stub?
There was a problem hiding this comment.
it may be possible, this was a copy of the PoC with no additions.
However, I'm not sure if it would work since the c_stub is originally called by the python script itself. It fails to do the chmod etc. The python stub then waits watching for our payload to get modified.
needrestart is run by sudo/root/etc, which then runs our c_stub, changes the permissions. It may be possible to modify c_stub so that it executes the payload directly only if it detects itself running as root. That would take out some system complexity, but i may need some @zeroSteiner (or other r7) on updating the code to work in metasm (updated code coming soon).
There was a problem hiding this comment.
looks like this can be refined some more, further testing will happen this week
There was a problem hiding this comment.
I thought we may be able to launch the payload from the .so file directly, but even w/ threading (prepend_thread, and with &) , it freezes needrestart. Its a delicate tradeoff between the python script and .so file, so I think this is a good strategy for now. We've already improved on the original PoC by cutting out the build file, and using metasm to avoid the need for gcc/build-essential
h00die
changed the title
There was a problem hiding this comment.
Thank you @h00die ! I just left a couple of comments for you to review when you get a chance.
h00die
changed the title
|
Hello @h00die, I am trying the module against an Ubuntu 22.04. However the target looks not vulnerable, with |
|
https://ubuntu.com/security/CVE-2024-48990 Fixed: 3.5-5ubuntu2.2 So definitely not vulnerable. Are you running the |
ouch, last number was different! not sure if I can get that version from apt gonna try now... EDITOk so, I've installed the vulnerable version of needrestart, however I am having some issue to trigger the vulnerability. From metasploit side I see this, but on the target host when I do: |
Fixes #19675
Exploits needrestart on Ubuntu. Debian and Fedora put out patches, but after putting minor effort into testing them and a bunch of PoCs on github, I gave up trying to make it work. If someone wants to expand this module, be my guest. Happily working on Ubuntu though!
Verification
use exploit/linux/local/ubuntu_needrestart_lpeset lhost <ip>set lport <port>set session <session>run