NFS (Network File System) is a distributed file system protocol that allows users on client computers to access files over a network in the same way they would access local storage. An administrator configures specific locations on the NFS server (exports) for data access by clients.
Developed by Sun Microsystems in 1984, the protocol has evolved through several versions: NFSv2, NFSv3, and NFSv4. The first version was developed to connect Unix-like hosts. NFSv2, which ran over the UDP network protocol, was released in 1989. In 1994, NFSv3 was released to support asynchronous writes, handle 64-bit file sizes and report errors more effectively. Finally, NFSv4, with its NFSv4.1 minor release, changed the narrative by integrating security and adding features to interoperate with Windows hosts via the Samba protocol.
The NFS service typically runs on TCP/UDP ports 111 and 2049, with port 111 used for mapping RPC program numbers to their respective ports and port 2049 for establishing the connection and data access. It is noteworthy that NFSv4 was designed to work exclusively on port 2049. To observe NFS communication on the wire, see NFS version 4 Communication traffic flow.
Common Server Applications
- Unix systems
  - nfs-kernel-server
  - nfs-utils
  - NFS Ganesha
- Windows systems
  - FS-NFS-Service
  - Allegro NFS Server
Common Commands
COMMAND | USAGE | DESCRIPTION
---|---|---
echo | echo '$SHAREPATH $DOMAINorIPorCIDR(server-options)' >> /etc/exports | append a share entry to /etc/exports
exportfs | exportfs -a -r -o server-options | export the entries in /etc/exports, where a: all, r: re-export, o: options
nfsstat | nfsstat -c -s | display NFS statistics, where c: client, s: server
mount | mount -t $NFS_VERSION $IPorDomain:/$SHAREDFOLDER $LOCALFOLDER -o client-options | mount the shared folder on the client machine
showmount | showmount -a -e $DOMAINorIP | list the server's exported folders (e) and the clients that have mounted them (a)
umount | umount $LOCALFOLDER | unmount the shared folder from the client machine
server-options:
- ro: read-only directory
- rw: read and write directory
- sync: synchronous read/write operations
- async: asynchronous read/write operations
- no_subtree_check: disable subtree checking (the server no longer verifies that a requested file lies within the exported subtree)
- nohide: make file systems mounted beneath the export visible to clients
- fsid: assign a unique file system identifier (used to define the NFSv4 pseudo root)
- no_root_squash: allow the client root UID/GID to keep its privileges on the directory
- root_squash: disallow client root UID/GID privileges on the directory
- all_squash: map all client UIDs/GIDs to nobody
- no_all_squash: preserve client UIDs/GIDs on the directory
- insecure: allow NFS requests from unprivileged ports
- secure: allow NFS requests only from privileged ports
client-options:
- ro: read-only
- rw: read and write
- noexec: prevent binary execution
- nosuid: disable setuid/setgid
- soft: client returns an error on access failure
- hard: client retries on access failure
- tcp: use a TCP connection
- udp: use a UDP connection
- vers=VERSION_NUMBER: NFS protocol version to use, e.g. 2, 3, 4
- sec=SECURITY_MECHANISM: security flavor to use for authentication, e.g. sys, krb5, krb5i, krb5p, ntlm
- username=USERNAME: username to authenticate with
- password=PASSWORD: password of the user to authenticate with
Common Vulnerability
- Exposure of Sensitive Information to an Unauthorized Actor: CWE-200
- Improper Access Control: CWE-284
- Improper Authentication: CWE-287
- Protection Mechanism Failure: CWE-693
Security Best Practices
- Implement access control mechanisms on the host and on the shared directories.
- Deploy NFSv4 with authentication and encryption.
- Deploy NFS servers in an isolated network.
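As an added example that is not part of the original page, the following Python script audits /etc/exports entries for the risky server-options listed above (world-wide host specs, no_root_squash, insecure, and the absence of a Kerberos sec= flavor, which the best practices call for). The sample exports content is constructed and shows a weak entry beside its corrected form; the parser and the set of checks are this example's own, not a project tool.

```python
import re

# Constructed sample /etc/exports: a weak export followed by its corrected form.
SAMPLE_EXPORTS = """\
# weak: exported to every host, client root kept, unprivileged ports accepted
/srv/share *(rw,sync,no_root_squash,insecure,no_subtree_check)
# corrected: one subnet only, root squashed, privileged ports, Kerberos privacy
/srv/share 10.0.0.0/24(rw,sync,root_squash,secure,sec=krb5p,no_subtree_check)
"""

# exports(5) client token: optional host spec, optional "(opt,opt,...)" suffix
_CLIENT_RE = re.compile(r"([^\s(]+)?(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...] for each export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        parsed = []
        for client in clients:
            m = _CLIENT_RE.fullmatch(client)
            if m is None:
                continue                           # malformed token, skip it
            host = m.group(1) or "*"               # bare "(opts)" applies to every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            parsed.append((host, opts))
        if not clients:
            parsed.append(("*", []))               # a path alone is also world-exported
        entries.append((path, parsed))
    return entries


def audit_exports(text):
    """Return (path, host, reason) findings for the risky server-options."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*":
                findings.append((path, host, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: client root keeps UID/GID 0"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: requests from unprivileged ports accepted"))
            if not any(o.startswith("sec=krb5") for o in opts):
                findings.append((path, host, "no sec=krb5* flavor: AUTH_SYS trusts client UIDs"))
    return findings
```

Running audit_exports(SAMPLE_EXPORTS) reports four findings, all against the weak first entry, and none against the corrected one.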
Exploitation
NFS servers are a sink of information. The feature of this technology that mounts remote volumes as though they were resident on the local machine brings great ease to the user. While accessing an exported directory does not grant a full shell on the remote system, an attacker can browse an improperly configured NFS server to discover juicy information that may enable access to the remote server and even escalate their privileges. Hence, an attacker's inclination when an NFS service is encountered can include:
- What valuable information they can find in all the directories they are able to access.
- Whether they can execute a malicious file with elevated privileges via the remote system's shell.