Port: TCP 2049
Service: nfs

Vulnerability: Insecure implementation of file share access.

Mitigation: Restrict each share to specific hostnames/IP addresses, or use something like TCP Wrappers.
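To check a server for the export pattern this finding describes (the root file system shared without a host restriction), the following added example audits the contents of an /etc/exports file. It is not part of the original write-up; the problem labels and the sample entries are constructed for illustration.

```python
import re

# Client specs that match every host; an empty host before "(...)" is the
# classic "space before the options" mistake in exports(5).
WORLD = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return [(path, client, [problems])] for risky /etc/exports entries."""
    findings = []
    # Join backslash-continued lines, then strip comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT.match(client)
            if m is None:
                continue  # not a host(options) token; out of scope here
            host = m.group(1)
            opts = {o for o in (m.group(2) or "").split(",") if o}
            problems = []
            if host in WORLD:
                problems.append("any-host")
                if "rw" in opts:
                    problems.append("world-writable")
            if "no_root_squash" in opts:
                problems.append("no_root_squash")  # remote uid 0 stays uid 0
            if path == "/":
                problems.append("root-fs")
            if problems:
                findings.append((path, client, problems))
    return findings

# Constructed sample entries (assumption: not taken from the page).
SAMPLE = """\
/            *(rw,sync,no_root_squash)
/srv/share   192.168.56.10(rw,sync,root_squash) backup.example.internal(ro)
/srv/pub     (ro)              # space before "(" exports to every host
/srv/build   10.0.0.5(rw,no_root_squash)
"""

if __name__ == "__main__":
    for path, client, problems in audit_exports(SAMPLE):
        print(f"{path} -> {client}: {', '.join(problems)}")
```

Entries that name a specific host and keep the default root squashing, like the /srv/share line, produce no finding.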

Proof of Concept
Our Nmap scan found TCP 2049 open and identified the service as NFS. You could also use a tool like “rpcinfo” to check for these services running on the machine. Here is what rpcinfo shows us:


1. Use the “showmount” command to see which shares are being exported by NFS. The “-e” switch tells showmount to show all exports.


Notice it’s showing the root file system being exported. That can’t be good! Now to get root access.

2. The Nmap scan also showed SSH listening. We’re going to use this to gain access as root. Before we do anything, here’s what we get if we try to connect as root via SSH:


3. Now let’s see if we can take advantage of the writeable file system to give ourselves the ability to SSH in as root. The first thing we need to do is generate a new SSH key on our Kali system. We’ll do this using “ssh-keygen”.


4. After we’ve created our SSH key, we need to create a temporary directory to work with, so we’ll run this command:

root@kali:~# mkdir /tmp/ms-nfs

5. Next, we need to run the “mount” command to access the remote file system. From the command line, enter the following:


The “-t” switch specifies the type of file system, which in this case is “nfs”. The “-o” switch specifies additional options, and here we’re using “nolock” so that NLM (the Network Lock Manager) is not used to lock files on the server.

6. The next thing we need to do is get our newly created SSH key over to the server. We need to “cat” our key, and send it to the mount point we created above. Do the following:


This should have appended our SSH key to the victim’s list of authorized keys. Since the root file system was writeable, we’re adding our key to the victim’s root account’s authorized keys.

7. Now we need to unmount our mount point like so:

root@kali:~# umount /tmp/ms-nfs

8. If our key was copied successfully, we should now be able to SSH in as root on the victim’s machine: