👩🏫NFS Root Squashing
Escalation via NFS Root Squashing
Introduction
Network File System (NFS) is a distributed file system protocol that allows a client to access files over a network as if they were on its local hard drive. NFS Root Squashing is a security feature that restricts the root user's access on the NFS client, preventing them from having superuser privileges on the NFS server.
Understanding NFS Root Squashing
When a user on an NFS client attempts to access files on an NFS server, the server checks the user's identity. If the user is the root on the client machine, NFS Root Squashing maps the root user's UID and GID to a non-privileged user's UID and GID on the NFS server. This is done to prevent a compromised or malicious root user on the client from gaining unrestricted access to files on the server.
Exploiting NFS Root Squashing for Privilege Escalation
If an NFS share is misconfigured with weak permissions or improperly set root squashing, an attacker might find ways to abuse this feature for privilege escalation. Here's a general process an attacker might follow:
Identify NFS Mounts:
Use commands like
showmount -e <NFS_SERVER>
on the attacker's machine to identify NFS shares.
Check Mount Options:
Inspect the mount options on the client. Look for the presence of
no_root_squash
or weak permissions.
Craft Malicious Payloads:
If root squashing is in effect, the attacker can craft payloads that manipulate files within the NFS share.
Exploit Weak Permissions:
If the NFS share has weak permissions, the attacker may be able to create or overwrite files that could lead to privilege escalation.
Abuse Trust Relationships:
If the NFS server trusts the client, the attacker might manipulate files in a way that the server will execute malicious code.
Let's see:
We see "no root squash", that's interesting..
On our attacker machine, we can:
and on our victim machine we can now see:
Explanation:
Show NFS Exports:
The
showmount
command is used to display the NFS (Network File System) exports on the victim machine. It reveals that the/tmp
directory is exported.Create a Mount Point:
A local directory (
/tmp/mountme
) is created on the attacking machine to mount the exported directory.Mount the NFS Share:
The
mount
command is used to mount the NFS share from the victim machine (10.10.230.125:/tmp
) onto the local mount point (/tmp/mountme
). The optionsrw
indicate read and write access, andvers=2
specifies the NFS version.Create a Malicious C Program:
A simple C program (
x.c
) is created within the mounted directory that sets the GID and UID to 0 (root) and then executes/bin/bash
.Compile the C Program:
The
gcc
compiler is used to compile the C program (x.c
) into a binary executable namedmalicious
within the mounted directory.Set SUID Bit:
The SUID bit is set on the compiled binary, allowing it to run with the privileges of the file owner (root). This enables a non-root user to execute the binary with elevated privileges.
After completing these steps, the attacker can execute the compiled malicious
binary from the local mount point (/tmp/mountme
), leading to the execution of a root shell on the victim machine:
Last updated