WIP: Ubuntu needrestart LPE (CVE-2024-48990) #19676
Conversation
| version = cmd_exec('cat /etc/issue | cut -d " " -f 2').strip | ||
| version = version.slice(0, 5) # take off any extra version info | ||
| return CheckCode::Safe("Ubuntu version #{version} is not vulnerable") unless fixed_versions.key? version |
There was a problem hiding this comment.
Why couldn't those versions of Ubuntu run a vulnerable version of needrestart?
| package = cmd_exec('dpkg -l needrestart | grep \'^ii\'') | ||
| package = package.split(' ')[2] | ||
| package = package.gsub('+', '.') |
There was a problem hiding this comment.
Isn't there a mixin to check if a package is installed and get its version?
There was a problem hiding this comment.
not that i'm aware of. took a quick look and didn't see any, but seems like a good idea. I coded out an Ubuntu based one. I'll throw it up in a few days once its more tested
| vprint_status("Uploading payload: #{payload_path}") | ||
| register_files_for_cleanup(payload_path) | ||
|
|
||
| # our c stub file does our chmod/chown/suid for the payload |
There was a problem hiding this comment.
Wouldn't it be better to use metasploit's options/features to prepend the setuid call to the payload, instead of having it in the stub?
There was a problem hiding this comment.
it may be possible, this was a copy of the PoC with no additions.
However, I'm not sure if it would work since the c_stub is originally called by the python script itself. It fails to do the chmod etc. The python stub then waits watching for our payload to get modified.
needrestart is run by sudo/root/etc, which then runs our c_stub, changes the permissions. It may be possible to modify c_stub so that it executes the payload directly only if it detects itself running as root. That would take out some system complexity, but i may need some @zeroSteiner (or other r7) on updating the code to work in metasm (updated code coming soon).
There was a problem hiding this comment.
looks like this can be refined some more, further testing will happen this week
h00die
changed the title
Fixes #19675
Working exploit based on PoC, needs a lot of optimization and checks though. Putting here since it was announced 3 days ago, so some penetester may want it early.
Verification
use exploit/linux/local/ubuntu_needrestart_lpeset lhost <ip>set lport <port>set session <session>run