CVE-2022-30688: Local Privilege Escalation in needrestart 0.8 through 3.5 due to Unanchored Regexes in Interpreter Detection

CVE-2022-30688 is a recently announced security vulnerability affecting needrestart versions 0.8 through 3.5 (fixed in 3.6). It allows a local user to escalate privileges through a flaw in how needrestart detects the Perl, Python, and Ruby interpreters. This post covers the vulnerability, the affected versions, how it is triggered, and possible mitigations, with the relevant code snippets and links to the original references.

Affected Versions

needrestart 0.8 through 3.5; fixed in needrestart 3.6.

Vulnerability Summary

needrestart detects the Perl, Python, and Ruby interpreters with regular expressions (regexes). These regexes are not anchored, so when needrestart checks whether a running interpreter is still using old source files, a local user who controls the strings the regexes are matched against can craft input that satisfies them. The result is that needrestart acts on attacker-chosen paths, which leads to the execution of arbitrary code with elevated privileges.

Exploit Details

When needrestart tries to identify outdated interpreters from their source files, it uses regular expressions that are not anchored, which makes them susceptible to manipulation by a local user. The following snippet shows the Perl regex in which the vulnerability lies:

my $re = qr/^
    (\/.*?)                                 # path to binary
    \(using\ (\/.*?)\)$                     # path to source file (space escaped: \/x ignores bare whitespace)
/msx;

Similarly, below is the regex for identifying an outdated Python interpreter:

my $python_re = qr/^
    (\/.*(?:python)[^\/]*)                  # path to binary
    (?:\ +\([^\)]+\))?                      # ignore description (space escaped for \/x)
    \(using\ (\/.*?)\)$                     # path to source file
/msx;

And the regex for identifying an outdated Ruby interpreter:

my $ruby_re = qr/^
    (\/.*(?:ruby)[^\/]*)                    # path to binary
    (?:\ +\([^\)]+\))?                      # ignore description (space escaped for \/x)
    \(using\ (\/.*?)\)$                     # path to source file
/msx;

With these regexes, an attacker could craft the matched string so that it passes the check and triggers arbitrary code execution with elevated privileges.

An example of such a manipulation could be:

user@victim:~$ /usr/bin/perl-wrapper "vulnerable_script.pl(using /etc/shadow)"

This command runs the Perl wrapper with a string crafted to match the unanchored regex, so that needrestart treats /etc/shadow as the interpreter's source file, potentially reading it and letting the user escalate privileges on the system.
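To make the anchoring problem concrete, here is an added example (not code from needrestart or from the original post) that transcribes the page's Python-interpreter regex into Python's `re` module, with `re.MULTILINE | re.DOTALL | re.VERBOSE` standing in for Perl's `/msx`, and runs it next to a hardened form that pins the match to the whole string with `\A` and `\Z`. The sample strings are constructed for the demonstration, and the hardened pattern is this example's own suggestion, not needrestart's actual fix.

```python
import re

# Constructed sample inputs in the "<binary> (using <source>)" shape that the
# page's regexes expect.  These are assumptions for illustration, not output
# captured from needrestart's real process scan.
SAMPLES = {
    "legit": "/usr/bin/python3.10 (using /usr/lib/python3/dist-packages/app.py)",
    # One untrusted string with an embedded newline: the first line is what a
    # scanner sees first, the second line is shaped to satisfy the pattern.
    "crafted": "/home/user/notpython\n/usr/bin/python3 (using /home/user/user_controlled.py)",
}

# Loose pattern: a transcription of the page's Perl qr/^ ... $/msx for Python
# interpreters.  re.MULTILINE lets ^ and $ match at embedded newlines,
# re.DOTALL lets .* cross them, and re.VERBOSE plays the role of /x.
LOOSE_RE = re.compile(r"""
    ^(/.*(?:python)[^/]*)          # path to binary
    (?:\ +\([^)]+\))?              # optional description, ignored
    \ \(using\ (/.*?)\)$           # path to source file
    """, re.MULTILINE | re.DOTALL | re.VERBOSE)

# Hardened pattern (this example's suggestion, not needrestart's fix): \A and
# \Z pin the match to the entire string, and every path group excludes
# whitespace, parentheses and newlines, so a second line cannot be smuggled in.
STRICT_RE = re.compile(r"""
    \A(/[^\s()]*python[^/\s()]*)   # path to binary: one token, no whitespace
    (?:\ \([^()\n]+\))?            # optional description, ignored
    \ \(using\ (/[^()\n]+)\)\Z     # path to source file, then hard end of string
    """, re.VERBOSE)


def extract(pattern: re.Pattern, text: str):
    """Return (binary, source) or None, using search() like Perl's =~ operator."""
    m = pattern.search(text)
    return (m.group(1), m.group(2)) if m else None


def is_well_formed(text: str) -> bool:
    """True only when the whole string is a single, well-formed detection line."""
    return extract(STRICT_RE, text) is not None


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:8s} loose={extract(LOOSE_RE, text)!r} strict={extract(STRICT_RE, text)!r}")
```

Run stand-alone, the loose pattern accepts both samples; for the crafted one its "binary" group even spans the newline (a side effect of `/s`), while the source group is the user-chosen path. The strict pattern accepts only the well-formed line, which is the property a defender wants to check for when reviewing a fix of this kind: not just that `^` and `$` are present, but that they cannot be satisfied at a line boundary inside the string.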

Mitigation

Users should update needrestart to version 3.6 or newer, where the vulnerability is fixed. Alternatively, users can apply the following patch, which is meant to anchor the regexes properly:

-module_needrestart/scripts/needrestart-wrapper (original)
+module_needrestart/scripts/needrestart-wrapper (patched)

- my $re = qr/^
+ my $re = qr/^(?:\S+\/)?             # optional command (e.g. sudo)
    (\/.*?)                                 # path to binary
    \(using (\/.*?)\)$                      # path to source file
/msx;
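Review bot: the `+` line does not tighten the match. `(?:\S+\/)?` is an optional, non-capturing prefix, so every string the original `^(\/.*?)` accepted is still accepted, and the prefix is never recorded; the hunk widens the pattern rather than anchoring it. The weakness the post describes comes from the unchanged context lines: under `/m` the `^` and `$` in `^ (\/.*?) ... \)$` match at every embedded newline, and under `/s` the `.*?` runs across them, so a multi-line string still satisfies the pattern. Anchor with `\A` and `\z` instead of `^` and `$`, and keep newlines out of the path groups (for example `(\/[^\n]*?)`). Also, the two leading lines name the file with bare `-`/`+` markers and there is no `---`/`+++` pair or `@@` header, so this text will not apply with `patch` as shown.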

References

1. Official CVE-2022-30688 page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30688
2. needrestart GitHub Repository: https://github.com/liske/needrestart
3. needrestart Changelog: https://github.com/liske/needrestart/blob/master/Changes

Conclusion

CVE-2022-30688 is a security vulnerability that affects multiple versions of the needrestart tool, allowing a local user to escalate their privileges by manipulating unanchored regexes in the detection of outdated interpreters. Users should update their needrestart installations to version 3.6 or apply the provided patch to resolve the issue.

Timeline

Published on: 05/17/2022 19:15:00 UTC
Last modified on: 05/25/2022 18:30:00 UTC