NFS (Network File System)
NFS stands for "Network File System" and allows a system to share directories and files with others over a network.
By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.
NFS is generally deployed on networks where the data for critical resources needs to be centralized.
How does it work?
To access data stored on another machine (i.e. a server) the server would implement NFS daemon processes to make data available to clients. The server administrator determines what to make available and ensures it can recognize validated clients.
From the client's side, the machine requests access to exported data, typically by issuing a mount command. If successful, the client machine can then view and interact with the file systems within the decided parameters.
If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:
The file handle
The name of the file to be accessed
The user's user ID
The user's group ID
These are used to determine access rights to the specified file. This is what controls user permissions, i.e. read and write access to files.
NFS uses RPC (Remote Procedure Calls) to communicate between the client and the server.
Services Necessary to run NFS
Services to make an NFS file system work:
nfs – The nfs service starts the server and the RPC processes needed to serve requests for shared file systems.
nfslock – The nfslock service starts the RPC processes that allow NFS clients to lock files.
portmap – This service accepts port reservations from local services. Portmap responds to requests by stating which ports are available for file access.
The portmapper runs on port 111 (TCP and UDP).
The NFS server runs on port 2049 (TCP and UDP).
The NFS Lock Manager runs on 3004 (TCP and UDP).
Enumeration of NFS
NFS enumeration enables attackers to identify the exported directories, the list of clients connected to the NFS server along with their IP addresses, and the shared data associated with those IP addresses.
Required tools/dependencies/libs: nfs-utils or nfs-common.
Find the NFS process and ports allocated to it
Show available shares
Mount available shares
Un-mount NFS share
Exploiting NFS
Root squashing disabled
By default, root squashing is enabled on NFS shares and prevents anyone connecting to the NFS share from having root access to the NFS volume.
Remote root users are assigned a user “nfsnobody” when connected, which has the least local privileges.
However, if this is turned off, it can allow the creation of SUID bit files, allowing a remote user root access to the connected system.
To check if root squashing is disabled or not we can use the command:
Sample output is shown below:
The /etc/exports file on the NFS server contains a list of clients allowed to share files on the server.
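On the server side, /etc/exports can be audited for the setting described above. The following is an added example, not part of the original page: a small Python parser for exports(5) syntax that flags entries with no_root_squash, insecure, or a wildcard client. The sample hosts and paths are constructed, and paths are assumed not to contain spaces.

```python
OPPOSITE = {"root_squash": "no_root_squash", "no_root_squash": "root_squash",
            "secure": "insecure", "insecure": "secure", "ro": "rw", "rw": "ro"}

# Constructed sample in exports(5) syntax; hosts and paths are made up.
SAMPLE = """\
/srv/share   192.0.2.10(rw,sync,no_root_squash)
/srv/public  *(ro,sync)
/srv/backup  -no_root_squash,rw 192.0.2.20 192.0.2.21(root_squash)
/srv/home    192.0.2.0/24(rw,sync,root_squash) \\
             backup.example.test(ro,insecure)   # trailing comment
"""

def parse_exports(text):
    """Yield (path, client, effective_options) for every client entry."""
    text = text.replace("\\\n", " ")                  # join continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()        # drop comments
        if not fields:
            continue
        path, entries = fields[0], fields[1:] or ["*"]  # no client = any host
        defaults = set()
        for entry in entries:
            if entry.startswith("-"):                 # "-a,b": defaults for this line
                defaults = set(entry[1:].split(","))
                continue
            client, _, rest = entry.partition("(")
            effective = set(defaults)
            for opt in filter(None, rest.rstrip(")").split(",")):
                effective.discard(OPPOSITE.get(opt))  # client option overrides default
                effective.add(opt)
            yield path, client or "*", effective

def audit(text):
    """Return (path, client, issue, detail) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            mode = "writable" if "rw" in opts else "read-only"
            findings.append((path, client, "no_root_squash",
                             f"remote root keeps uid 0 on a {mode} export"))
        if "insecure" in opts:
            findings.append((path, client, "insecure",
                             "requests from source ports above 1023 are accepted"))
        if "*" in client:
            findings.append((path, client, "wildcard-client",
                             "export is offered to every matching host"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Entries that set neither option fall back to the exports(5) defaults (root_squash, secure, ro), so they produce no finding unless the client is a wildcard.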
What are files with the SUID bit set?
Essentially, this means that the file or files can be run with the permissions of the file(s) owner/group. If there is a case in which the file has SUID set as the root user or as the super-user, we can leverage this to get a shell with these privileges.
For an NFS share with root squashing disabled, we can upload/copy a bash executable to gain access to the root shell.
To set SUID to root for the bash executable, we can use