NFS has not received much attention from the offensive security community in nearly a decade. This changes today, and we are happy to share our research on the topic: https://www.hvs-consulting.de/en/nfs-security-identifying-and-exploiting-misconfigurations/. I'll give you a short overview:
- For architectural reasons, the default configuration of the Linux NFS server lets you access all data on a file system, even if only a subdirectory of it is exported. This means you can, for example, read /etc/shadow on Debian- and SUSE-based systems (where it is readable by the shadow group, not only by root) if any other directory on the same file system is exported via NFS.
- It is not a big secret that, unless Kerberos is configured, you can simply fake UIDs and GIDs to access data belonging to other users on an NFS export. We take this to the next level by releasing a FUSE driver that does this automatically, along with the ability to escape exports for full file system access.
- We also developed a tool that makes it easy to identify vulnerable NFS servers.
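Both of the first two bullets come down to export options, so here is what a quick check of /etc/exports looks like. This is an added example for this post, not code from the blog post or from the hvs-consulting tooling: it parses exports(5) lines and flags exports that accept AUTH_SYS (the nfs-utils default when no sec= is given), that run without subtree_check (no_subtree_check is the nfs-utils default), that set no_root_squash or insecure, or that are exported to every host. The sample exports file is constructed for the demo, and treating a bare path with no client list as world-exported is this script's assumption (confirm with exportfs -v on the host).

```python
import re

# Constructed sample /etc/exports for the demo; not taken from the post or
# from any real host. The first two lines rely on the nfs-utils defaults
# (sec=sys, no_subtree_check) that the research exploits.
SAMPLE_EXPORTS = """\
# shared build tree
/srv/nfs/share   10.0.0.0/24(rw,sync)
/home            *(rw,sync,no_root_squash,no_subtree_check)
/srv/secure      10.0.0.5(rw,sync,subtree_check,sec=krb5p)
"""

# "host(opt,opt)", "host", or "(opt,opt)" with no host
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, [options]) for every client of every export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:
            # Assumption of this script: a bare path is treated as exported to
            # everyone with default options. Verify with `exportfs -v`.
            clients = ["*"]
        for client in clients:
            m = CLIENT_RE.match(client)
            if m is None:
                raise ValueError("unparseable client spec: %r" % client)
            host = m.group(1) or "*"  # "(ro)" without a host means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, host, opts))
    return entries


def audit_export(path, host, opts):
    """Flag the settings that make the attacks in the post possible."""
    findings = []
    sec = [o[len("sec="):] for o in opts if o.startswith("sec=")]
    flavors = sec[-1].split(":") if sec else ["sys"]  # nfs-utils default is sec=sys
    if any(f in ("sys", "none") for f in flavors):
        findings.append("AUTH_SYS accepted: server trusts client-supplied UID/GID")
    if "subtree_check" not in opts:
        # no_subtree_check is the default; the server then accepts file handles
        # for inodes outside the exported directory but on the same file system.
        findings.append("no subtree_check: file handles outside the export are accepted")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: forged UID 0 is not mapped to nobody")
    if "insecure" in opts:
        findings.append("insecure: requests from unprivileged source ports accepted")
    if host == "*":
        findings.append("exported to every host")
    return [(path, host, f) for f in findings]


def audit_exports(text):
    """Audit a whole exports file; returns a list of (path, host, message)."""
    return [f for e in parse_exports(text) for f in audit_export(*e)]


if __name__ == "__main__":
    for path, host, msg in audit_exports(SAMPLE_EXPORTS):
        print("%s [%s]: %s" % (path, host, msg))
```

On the sample, /srv/nfs/share and /home are flagged (the defaults alone are enough for the UID/GID forgery and the file system escape), while /srv/secure with sec=krb5p and subtree_check produces no findings. Note that subtree_check only closes the escape for the exported subdirectory; exporting a separate file system (or mount point) is the more robust fix.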
Check out the blog post for all the details. You can find our tooling on GitHub: https://github.com/hvs-consulting/nfs-security-tooling
We also publish all our internal research notes in the GitHub wiki, so if you are interested in digging deeper into NFS, this is definitely the place to get started!
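To make the second bullet concrete, here is what the "fake UIDs and GIDs" actually look like on the wire. This is an added illustration, not code from the post or from the hvs-consulting tooling (the post credits @skelsec's anfs for the real RPC layer): it XDR-encodes an RFC 5531 AUTH_SYS (AUTH_UNIX) credential, the structure that travels in the credential field of every NFS RPC call when sec=sys is in use, and decodes it the way a server would. There is no signature or secret anywhere in it, so a server without Kerberos has nothing to check but the numbers the client chose. The uid, gid and machine name values are made up for the demo.

```python
import struct

AUTH_SYS = 1  # RFC 5531 auth flavor number for AUTH_SYS (a.k.a. AUTH_UNIX)


def _xdr_opaque(data):
    """XDR variable-length opaque/string: 4-byte big-endian length, data, pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)


def build_auth_sys(uid, gid, gids=(), machinename=b"client", stamp=0):
    """Encode an opaque_auth with flavor AUTH_SYS carrying the given identity.

    authsys_parms (RFC 5531): stamp, machinename<255>, uid, gid, gids<16>.
    Nothing here is signed; a server exporting with sec=sys simply believes
    these numbers, which is why UID/GID forgery works without Kerberos.
    """
    if len(machinename) > 255 or len(gids) > 16:
        raise ValueError("RFC 5531 limits: machinename<255>, gids<16>")
    body = struct.pack(">I", stamp)
    body += _xdr_opaque(machinename)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids))
    body += b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">I", AUTH_SYS) + _xdr_opaque(body)


def parse_auth_sys(blob):
    """Decode the credential as a server does: returns (uid, gid, gids, machinename)."""
    flavor, body_len = struct.unpack(">II", blob[:8])
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential")
    body = blob[8:8 + body_len]
    _stamp, name_len = struct.unpack(">II", body[:8])
    machinename = body[8:8 + name_len]
    off = 8 + name_len + (-name_len % 4)  # skip the string and its padding
    uid, gid, ngids = struct.unpack(">III", body[off:off + 12])
    gids = struct.unpack(">%dI" % ngids, body[off + 12:off + 12 + 4 * ngids])
    return uid, gid, list(gids), machinename


if __name__ == "__main__":
    # Claim to be an unprivileged user who happens to be in gid 42, the
    # "shadow" group on Debian/SUSE, which is enough to read /etc/shadow there.
    cred = build_auth_sys(uid=1000, gid=42, gids=[42], machinename=b"pentest")
    print(cred.hex())
    print(parse_auth_sys(cred))
```

Two practical notes: with the default root_squash, a forged uid 0 is mapped to the anonymous user, so claiming a non-root uid that owns the target files, or a supplementary gid that can read them, is what usually works; and on Linux the server only honours the first 16 gids, so a long group list is truncated rather than rejected.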
We want to thank @hxp for bringing this to broader attention by hosting an NFS challenge at the #38c3 CTF. Also, big thanks to @skelsec for his awesome libraries and tools, in this case especially anfs.
#pentest #redteam