Summary
The ndsudo
tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions.
Details
The ndsudo
tool is packaged as a root
-owned executable with the SUID bit set.
It only runs a restricted set of external commands, but its search paths are supplied by the PATH
environment variable. This allows an attacker to control where ndsudo
looks for these commands, which may be a path the attacker has write access to.
PoC
As a user that has permission to run ndsudo
:
- Place an executable with a name that is on
ndsudo
’s list of commands (e.g. nvme
) in a writable path
- Set the
PATH
environment variable so that it contains this path
- Run
ndsudo
with a command that will run the aforementioned executable
Impact
Local privilege escalation.
Summary
The
ndsudo
tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions.Details
The
ndsudo
tool is packaged as aroot
-owned executable with the SUID bit set.It only runs a restricted set of external commands, but its search paths are supplied by the
PATH
environment variable. This allows an attacker to control wherendsudo
looks for these commands, which may be a path the attacker has write access to.PoC
As a user that has permission to run
ndsudo
:ndsudo
’s list of commands (e.g.nvme
) in a writable pathPATH
environment variable so that it contains this pathndsudo
with a command that will run the aforementioned executableImpact
Local privilege escalation.