NFS no_root_squash/no_all_squash misconfiguration PE
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Read the _ /etc/exports _ file, if you find some directory that is configured as no_root_squash, then you can access it from as a client and write inside that directory as if you were the local root of the machine.
no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.
no_all_squash: This is similar to no_root_squash option but applies to non-root users. Imagine, you have a shell as nobody user; checked /etc/exports file; no_all_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user (by mounting using nfs). Execute the suid as nobody user and become different user.
If you have found this vulnerability, you can exploit it:
Mounting that directory in a client machine, and as root copying inside the mounted folder the /bin/bash binary and giving it SUID rights, and executing from the victim machine that bash binary.
Mounting that directory in a client machine, and as root copying inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it SUID rights, and execute from the victim machine that binary (you can find here some C SUID payloads).
Note that if you can create a tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports.
The following trick is in case the file /etc/exports indicates an IP. In this case you won't be able to use in any case the remote exploit and you will need to abuse this trick.
Another required requirement for the exploit to work is that the export inside /etc/export must be using the insecure flag.
--I'm not sure that if /etc/export is indicating an IP address this trick will work--
The scenario involves exploiting a mounted NFS share on a local machine, leveraging a flaw in the NFSv3 specification which allows the client to specify its uid/gid, potentially enabling unauthorized access. The exploitation involves using libnfs, a library that allows for the forging of NFS RPC calls.
The library compilation steps might require adjustments based on the kernel version. In this specific case, the fallocate syscalls were commented out. The compilation process involves the following commands:
The exploit involves creating a simple C program (pwn.c) that elevates privileges to root and then executing a shell. The program is compiled, and the resulting binary (a.out) is placed on the share with suid root, using ld_nfs.so to fake the uid in the RPC calls:
Compile the exploit code:
Place the exploit on the share and modify its permissions by faking the uid:
Execute the exploit to gain root privileges:
Once root access is obtained, to interact with the NFS share without changing ownership (to avoid leaving traces), a Python script (nfsh.py) is used. This script adjusts the uid to match that of the file being accessed, allowing for interaction with files on the share without permission issues:
Run like:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
