new critical linux exploit has been hiding for 10 years.

Low Level
22 Nov 2024 09:32

Summary

TL;DR: In this video, the host discusses a critical vulnerability in the Linux tool `needrestart`, which checks whether processes need to be restarted after system updates. The bug, present for nearly a decade, lets a local attacker abuse the way `needrestart` inspects Python processes: by manipulating the `PYTHONPATH` environment variable, arbitrary code is executed as root. The video explains the exploitation process, demonstrates a proof of concept, and offers advice on mitigating the vulnerability by upgrading to the patched version of `needrestart`. A must-watch for security enthusiasts and Linux users.

Takeaways

  • 😀 The `needrestart` program in Linux checks for outdated libraries and suggests restarting processes that depend on them.
  • 😀 A recent vulnerability was discovered in `needrestart` that allows for privilege escalation from a non-root user to root.
  • 😀 This bug has been present in `needrestart` on Linux for about 10 years, unnoticed until it was found by the Qualys security team.
  • 😀 The vulnerability occurs when `needrestart` scans user-mode processes, particularly Python processes, for outdated libraries.
  • 😀 The vulnerability exploits the way `needrestart` handles the Python `PYTHONPATH` environment variable to load libraries.
  • 😀 An attacker can place a malicious shared object in a user-controlled Python path, which gets executed as root by `needrestart`.
  • 😀 The exploit works by crafting a shared object that, when loaded, runs arbitrary code with root privileges, such as spawning a root shell.
  • 😀 A proof of concept was demonstrated where an attacker could use the `needrestart` vulnerability to gain root access on a system.
  • 😀 The vulnerability is triggered when an admin runs commands like `sudo apt upgrade`, which causes `needrestart` to scan processes.
  • 😀 To mitigate the risk, users need to update `needrestart` to a version that patches the vulnerability and prevents this exploitation.
  • 😀 The video concludes that even rewriting `needrestart` in Rust would not have prevented the vulnerability, as it stems from logic issues in handling environment variables.

Q & A

  • What is the primary function of the `needrestart` program in Linux?

    -The `needrestart` program in Linux checks whether any running processes are using outdated libraries after system updates. It scans all user-mode processes and determines whether they need to be restarted because of library changes, such as updates to libc or Python.

  • What security vulnerability was recently discovered in `needrestart`?

    -A privilege escalation vulnerability was discovered in `needrestart`, allowing local users to escalate their privileges to root. The flaw has been present for about 10 years.

  • How does `needrestart` check for outdated libraries?

    -After an update, the program scans all running processes and checks whether any of them are using outdated libraries. If a process is identified as depending on an old version of a library, `needrestart` prompts the user to restart the service.

  • What are the CVEs found by Qualys related to `needrestart`?

    -Qualys identified five CVEs in `needrestart` that allow local privilege escalation. These CVEs enable a non-privileged user to gain root access on a system.

  • What specific issue in `needrestart` allows privilege escalation?

    -The vulnerability arises from how `needrestart` handles Python processes. Specifically, the program reads the `PYTHONPATH` environment variable of the scanned Python process and, if that variable has been set maliciously, ends up executing user-specified code with root privileges.

  • What is the role of `PYTHONPATH` in exploiting this vulnerability?

    -The `PYTHONPATH` environment variable specifies where Python loads its libraries from. By placing a malicious shared object in a user-controlled `PYTHONPATH` directory, an attacker can trick `needrestart` into executing arbitrary code as root.

  • How can an attacker exploit the `needrestart` vulnerability?

    -An attacker can place a malicious shared object in a `PYTHONPATH` directory, which is executed when `needrestart` scans running Python processes. This results in code execution with root privileges, allowing the attacker to escalate their access.

  • What is the proof of concept used to demonstrate the `needrestart` vulnerability?

    -The proof of concept involves creating a malicious shared object (masquerading as `importlib`) that triggers the execution of a root shell when `needrestart` runs. The object is placed in the `PYTHONPATH` directory, and when the program scans processes, it executes the malicious code.

  • What is the final step in the exploit to gain root access on the system?

    -Once the malicious `PYTHONPATH` is executed by `needrestart`, a shell is copied to a temporary directory with setuid-root permissions. The attacker can then gain root access by executing that shell.

  • Would rewriting `needrestart` in Rust have prevented this vulnerability?

    -No, rewriting `needrestart` in Rust would not have fixed this vulnerability. The issue is not with the language itself but with the logic of how the environment variable (`PYTHONPATH`) is handled and acted upon, which could occur in any language.
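The core of the bug is a privileged scanner trusting an environment variable that the scanned, unprivileged process controls. The following Python script is an added example written for this page (it is not `needrestart`'s own code and the Qualys advisory is not reproduced here); it shows the two defensive halves a practitioner would want: an audit of a process's `PYTHONPATH` in the NUL-separated `/proc/<pid>/environ` format, flagging entries that a root-running tool should not trust, and a way to spawn an interpreter that strips the untrusted variables and uses Python's real `-I` (isolated mode) flag so `PYTHONPATH` is ignored. The environment blob and paths in the script are constructed sample data; the `/proc` format assumption is Linux-specific.

```python
"""Audit a scanned process's PYTHONPATH the way a root-running tool should,
and spawn an interpreter without inheriting that process's untrusted variables.

Added example for this page; not needrestart's own code. The environment
blob and paths used below are constructed sample data."""
import json
import os
import stat
import subprocess
import sys

# Variables that let the owner of one process steer what an interpreter
# started by a *different* (privileged) user loads. A root-running scanner
# must never pass these through from the process it inspects.
UNTRUSTED_PREFIXES = ("PYTHON", "LD_")


def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse a /proc/<pid>/environ-style blob (NUL-separated KEY=VALUE pairs)."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing element and malformed entries
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def risky_pythonpath_entries(pythonpath: str) -> list[tuple[str, str]]:
    """Return (entry, reason) for every PYTHONPATH entry root should distrust."""
    findings = []
    for entry in pythonpath.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry resolves to the current directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative path"))
        elif not os.path.isdir(entry):
            findings.append((entry, "not an existing directory (could be created later)"))
        else:
            st = os.stat(entry)
            if st.st_uid != 0:
                findings.append((entry, f"owned by uid {st.st_uid}, not root"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((entry, "group- or world-writable"))
    return findings


def sanitized_env(env: dict[str, str]) -> dict[str, str]:
    """Drop every variable that can redirect module or shared-library loading."""
    return {k: v for k, v in env.items() if not k.startswith(UNTRUSTED_PREFIXES)}


def probe_sys_path(interpreter: str, env: dict[str, str], hardened: bool = True) -> list[str]:
    """Run `interpreter` with `env` and return the sys.path it ends up with.

    hardened=True strips the untrusted variables and adds -I (isolated mode),
    so PYTHONPATH and the user site directory are ignored. hardened=False shows
    the unsafe pattern: inheriting the scanned process's environment verbatim."""
    argv = [interpreter]
    if hardened:
        argv.append("-I")
        env = sanitized_env(env)
    argv += ["-c", "import json, sys; print(json.dumps(sys.path))"]
    out = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def audit_environ_blob(blob: bytes) -> list[tuple[str, str]]:
    """Findings for the PYTHONPATH inside one environ blob (none if it is unset)."""
    env = parse_environ(blob)
    if "PYTHONPATH" not in env:
        return []
    return risky_pythonpath_entries(env["PYTHONPATH"])


if __name__ == "__main__":
    # Constructed sample: what an unprivileged user's Python process might export.
    sample = b"HOME=/home/alice\0PYTHONPATH=/home/alice/plugins:./plugins:\0PATH=/usr/bin\0"
    for entry, reason in audit_environ_blob(sample):
        print(f"suspicious PYTHONPATH entry {entry!r}: {reason}")
    env = parse_environ(sample)
    print("inherited sys.path:", probe_sys_path(sys.executable, env, hardened=False))
    print("hardened  sys.path:", probe_sys_path(sys.executable, env, hardened=True))
```

Running the two probes side by side makes the failure mode visible: with the environment inherited verbatim, every `PYTHONPATH` directory shows up at the front of `sys.path` of an interpreter that root just started, which is exactly the position from which a planted module is imported first. With the variables stripped and `-I` set, those directories are absent, so a privileged tool that must run an interpreter to inspect another user's process never gives that user a say in what gets loaded.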
