Ubuntu needrestart LPE (CVE-2024-48990)

[h00die]

Fixes #19675

Exploits needrestart on Ubuntu. Debian and Fedora put out patches, but after putting minor effort into testing them and a bunch of PoCs on github, I gave up trying to make it work. If someone wants to expand this module, be my guest. Happily working on Ubuntu though!

Verification

• Install the application
• Start msfconsole
• Get an initial shell
• Do: use exploit/linux/local/ubuntu_needrestart_lpe
• Do: set lhost <ip>
• Do: set lport <port>
• Do: set session <session>
• Do: run
• You should get a root shell.

[jvoisin]

Why couldn't those versions of Ubuntu run a vulnerable version of needrestart?

[h00die]

you could get it running on every version of ubuntu by installing via source code. I'm not bothering with detecting the self-reported version number from the binary due to backporting. Plus its pre-installed on Ubuntu so someone installing a newer version via source code seems unlikely. I think this is good enough for the time being, but am open to PRs if theres a better way

[jvoisin]

Isn't there a mixin to check if a package is installed and get its version?

[h00die]

not that i'm aware of. took a quick look and didn't see any, but seems like a good idea. I coded out an Ubuntu based one. I'll throw it up in a few days once its more tested

[h00die]

Got one roughly built, coming in a PR shortly

[jvoisin]

Wouldn't it be better to use metasploit's options/features to prepend the setuid call to the payload, instead of having it in the stub?

[h00die]

it may be possible, this was a copy of the PoC with no additions.

However, I'm not sure if it would work since the c_stub is originally called by the python script itself. It fails to do the chmod etc. The python stub then waits watching for our payload to get modified.

needrestart is run by sudo/root/etc, which then runs our c_stub, changes the permissions. It may be possible to modify c_stub so that it executes the payload directly only if it detects itself running as root. That would take out some system complexity, but i may need some @zeroSteiner (or other r7) on updating the code to work in metasm (updated code coming soon).

[h00die]

looks like this can be refined some more, further testing will happen this week

[h00die]

I thought we may be able to launch the payload from the .so file directly, but even w/ threading (prepend_thread, and with &) , it freezes needrestart. Its a delicate tradeoff between the python script and .so file, so I think this is a good strategy for now. We've already improved on the original PoC by cutting out the build file, and using metasm to avoid the need for gcc/build-essential

[cdelafuente-r7]

Thank you @h00die ! I just left a couple of comments for you to review when you get a chance.

[cdelafuente-r7]

Just wondering, since the package version is retrieved by calling dpkg, which is only available on Debian-like distributions, is this line relevant? I might be missing something though.

[cdelafuente-r7]

It looks like Rex::Version.new(package) doesn't return nil in case of failure. Instead it raises an exception or returns Gem::Version.new("0") if package is an empty string or nil.