- Configured in /etc/exports file
- Remote users can mount shares, access, create, modify files
- By default, created files inherit the REMOTE user's id and group id, EVEN IF THEY DON'T EXIST ON THE NFS SERVER
- If the attacker's UID and GID match a remote user's or the owner's UID and GID, the attacker can write files to the NFS share AS THAT USER
- If the attacker creates a directory in one of the writable shares and runs chmod 777 newdir on it, anyone can now write to this directory
Useful commands
```bash
# ATTACKER
showmount -e $ip
nmap -sV --script=nfs-showmount $ip
mount -o vers=2 $ip:<share> <local_dir>
# VICTIM
cat /etc/exports
mount | grep nosuid # which dirs prohibit suid executables
mount | grep noexec # which dirs prohibit executables
```
UID Squashing
root squashing
- If root_squash is on, a remote root user cannot write to the share as root
- By default, an NFS share doesn't let a remote user posing as ROOT create files in the share as root
- When remote root does write, the file ownership is turned to nfsnobody:nfsnogroup
- This can be disabled in the configuration
user squashing
- NFS can also be configured to squash uid:gid of any user that writes to a dir
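
An added example, not part of the original notes: a defender-side audit of an exports file for the squashing and UID-trust settings described above. The sample exports content and the finding names are constructed; it assumes one export per line, with no quoted paths or line continuations.

```python
import re

# Constructed sample /etc/exports content (not from the original notes).
SAMPLE_EXPORTS = """\
# constructed example
/srv/share   192.168.1.0/24(rw,sync,root_squash)
/srv/backup  *(rw,no_root_squash)
/srv/public  *(ro,all_squash)
/home        10.0.0.5(rw,no_root_squash) 10.0.0.6(ro)
"""

# A client entry is "host(opt,opt)", a bare "host", or a bare "(opts)" (any host).
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")

def parse_exports(text):
    """Yield (path, host, options) for every client on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:       # no client listed: any host
            m = CLIENT_RE.match(client)
            if not m:
                continue
            host = m.group("host") or "*"
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            yield path, host, opts

def audit(text):
    """Return (path, host, finding) tuples; defaults are ro and root_squash."""
    findings = []
    for path, host, opts in parse_exports(text):
        rw = "rw" in opts
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if "no_root_squash" in opts:          # remote root keeps uid 0
            findings.append((path, host, "no_root_squash"))
        if rw and "all_squash" not in opts and not kerberos:
            findings.append((path, host, "uid_trusted"))  # client-supplied uid/gid
        if rw and host == "*":
            findings.append((path, host, "rw_any_host"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:12} {host:18} {finding}")
```

Run it against the real file with `audit(open("/etc/exports").read())`.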