NFS, or Network File System, is a network protocol that allows file sharing across a network. It lets users access remote data from devices within a shared network. To make this possible, NFS exports directories that clients can “mount” over the network. However, if NFS shares are left insecure, the consequences for a network can be serious: attackers may gain full access to sensitive files and directories.
This article will showcase how exploiting NFS is possible and how to remediate it. For guidance I used
Tools I used:
- Kali Linux
- Metasploitable 2
- Tenable Nessus Essentials
- Nmap
- VirtualBox
Scanning A Vulnerable Host Using Nessus Essentials
This exercise was made possible by running Metasploitable 2 on a separate host, while Nessus Essentials was set up through my hypervisor. In Nessus Essentials, I configured a Basic Network Scan with credentialed access. The target IP address belongs to a Metasploitable 2 VM attached to a host-only adapter in VirtualBox.
Once the scan was complete, I was shown the results for the scanned host. For the sake of this article, I’m only going to focus on the “NFS Exported Share Information Disclosure” vulnerability report. (For continued learning purposes, I’ll explore and document the other vulnerabilities later.)
To obtain more information, click on the vulnerability you wish to investigate. There, you’ll find a description, a brief solution, ports that were scanned, and CVSS scores (Common Vulnerability Scoring System).
Digging Further With Nmap
Nessus was able to generate a report for the NFS Exported Share vulnerability, but let’s dig a little further.
To help me, the tool I’ll be using is Nmap. Nmap, or Network Mapper, is an open-source network scanner that normally comes pre-installed through Kali Linux.
To conduct a scan, open a terminal and type the following: nmap (target IP) -sV . (To conduct the Nmap scan, I had to reconfigure my network settings for both my Kali machine and the Metasploitable host to be on the same network via VirtualBox.)
The -sV option helps to detect the versions of services running on the targeted host. From the results, we can see that NFS is running on port 2049.
Now that we can see the port for NFS is open, we’ll need to see if mounting is possible. To do this, run the following command: showmount -e IP
The results should look something like this:
The “/ *” shows that the entire root file system is exported, and the “*” means any machine on the network can mount it. From here, we can create new folders and open files within the host’s directory tree. To access the root directory, type the command cd / . Next, list the contents with the ls command.
Once listed, you’ll see all the folders that belong to the root directory. Let’s see if we can find any sensitive user information. Type the command cd etc and then the command cat passwd. The “cat” command prints the contents of the “passwd” file, which contains user information such as user ID, group ID, home directory, and default shell.
Next, we’ll reveal the Shadow file. The /etc/shadow file is what stores encrypted user passwords. Since we have root privileges from the perspective of the attacker, we can easily view the file.
This was just a small exercise to show how, if left open, NFS shares can be easily accessed by a malicious attacker. Now that we have showcased some of the NFS vulnerabilities, let’s go ahead and write up a report for a potential stakeholder.
NFS Exported Share Information Disclosure Report
Name of Individual Conducting Scanning: Techeiko
Nessus Scanner IP and OS: Kali Linux, 192.168.56.101
Date & Time Scan Started: 1/15/2024 | 10:45 PM
Date & Time Scan Finished: 1/15/2024 | 11:10 PM
Security Issues Identified: NFS Exported Share Information Disclosure
CVSS: CRITICAL: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Description
Remote Procedure Call (RPC) is a software communication protocol that enables a program to request services from programs running on other devices across a network. The scanned host has made Network File System (NFS) shares available, leaving its file system and directories easily accessible. This allows attackers to gain elevated access to sensitive files.
Remediation
- Refrain from using NFS with default configurations
- Make sure the latest OS patches are installed
- Configure the NFS server through a firewall
- Configure the NFS server with the least privilege to prevent overwriting important data
- Implement Secure NFS for authenticated transactions
- Configure NFS on the remote host so that only authorized hosts can mount the remote shares
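As an added example (not part of the original article), the following POSIX shell script audits an /etc/exports file for the two settings behind the “/ *” finding above, a wildcard client and no_root_squash, and runs the check against a constructed weak export beside a constructed hardened one that follows the remediation list. The export lines, paths and subnet are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article. Audits /etc/exports entries for
# the settings that make a share mountable and writable by anyone.
set -f   # no pathname expansion: export entries contain "*" and "("

# audit_exports FILE: print one "FINDING" line per risky export setting.
audit_exports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for entry in $clients; do
            client=${entry%%"("*}                      # host spec before "("
            case "$entry" in
                *"("*) opts=${entry#*"("}; opts=${opts%")"} ;;   # text inside ( )
                *)     opts="" ;;
            esac
            case "$client" in
                '*'|'') echo "FINDING $path: exported to every host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "FINDING $path: no_root_squash lets remote root act as local root" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "FINDING $path: 'insecure' accepts requests from unprivileged source ports" ;;
            esac
        done
    done
}

# Constructed weak export: the kind of line behind a "/ *" showmount result.
WEAK_EXPORTS=$(mktemp)
cat >"$WEAK_EXPORTS" <<'EOF'
/ *(rw,sync,no_root_squash,no_subtree_check)
EOF

# Constructed hardened export following the remediation list: one subtree,
# one authorized subnet, read-only, remote root squashed to nobody, and the
# default "secure" behaviour kept (only privileged source ports accepted).
SAFE_EXPORTS=$(mktemp)
cat >"$SAFE_EXPORTS" <<'EOF'
# share only what clients need, only to hosts that need it
/srv/share 192.168.56.0/24(ro,sync,root_squash,no_subtree_check)
EOF
trap 'rm -f "$WEAK_EXPORTS" "$SAFE_EXPORTS"' EXIT

echo "== weak =="; audit_exports "$WEAK_EXPORTS"
echo "== hardened =="; audit_exports "$SAFE_EXPORTS"
```

The weak file yields two findings (wildcard client and no_root_squash); the hardened file yields none, which is the state the report’s remediation items aim for.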
Consequences
- Remote attackers can mount NFS file systems
- The attacker can read and overwrite important files
- Disclose directory listings
References
- CVE
  - CVE-1999-0170
  - CVE-1999-0211
  - CVE-1999-0554
- General guidelines for securing Network File System
Conclusion
If not properly secured, NFS can be a dangerous tool for attackers to utilize. To avoid this, never use NFS with default configurations. Best practices include keeping up to date with OS patches, maintaining least privilege, and enforcing proper authentication using Secure NFS, just to name a few.
The world of vulnerability management is new to me, and I needed additional resources to better understand NFS, so here is the list of links I used to get through this exercise!
References
- Exploiting NFS share [updated 2021]
- NFS Misconfiguration
- What is NFS? Understanding the Network File System
- General Guidelines For Securing Network File System