Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting NFS Shares

June 2, 2021 | by Stefano Lanaro | Leave a comment

Introduction

Network File System is a protocol that allows users to access files over a computer network much like local storage is accessed, like many other protocols, it builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. If misconfigured, it could allow regular users to escalate privileges to root.

Identifying Vulnerable NFS Shares

NFS runs on port 2049 by default, if it can be accessed remotely, shares can be enumerated through the Showmount utility:

The Nmap nfs-showmount script can also be used to enumerate open NFS shares.

If port 2049 is not open to remote connections, SSH port forwarding can be used to forward connections to the Kali host to the target host on port 2049:

ssh -fN -L local_poort:localhost:remote_port user@ip_address

NFS shares can be enumerated locally by inspecting the /etc/exports file:

Enumeration scripts such as LinPEAS will also be able to enumerate misconfigured NFS shares that could allow for privilege escalation:

It appears the /tmp share has the no_root_squash option enabled. When in use, this setting can be quite dangerous, as it will allow remote root users that have mounted the share in their local system to change any file on it as root and leave malicious applications for other users to inadvertently execute. This can be exploited by copying a binary to the share, making it root-owned and assigning SUID permissions to it so that regular users will be able to run it as root.

Exploiting Vulnerable NFS Shares

In order to exploit the vulnerable NFS share, a binary has to be placed on it so that the SUID permission can be assigned to it from the local Kali host. As an example, copying the /bin/bash binary to /tmp (which is where the share is mounted) as a regular user:

Creating a new /tmp/share folder and mounting the share on it:

sudo mount -o [options] -t nfs ip_address:share directory_to_mount

Since the share was mounted locally with the no_root_squash option enabled, this gives root access to files within the share. On the local Kali host, giving the Bash binary root ownership and SUID permission:

It can then be executed as a regular user with the -p flag, which allows to execute binaries as the owner of it, this grants root access to the host:

Conclusion

NFS is a very powerful tool which makes life easier for a lot of users, although like many other services, if misconfigured it could allow regular users to escalate privileges to root, resulting in a full system compromise.