Linux Automountd Service Privilege Escalation Vulnerability

漏洞信息

漏洞名称： Linux Automountd Service Privilege Escalation Vulnerability

漏洞类型： 权限提升

漏洞等级： 高危

漏洞描述： 该漏洞影响Linux系统中的automountd服务。automountd是一个用于自动挂载文件系统的服务，广泛应用于各种Linux发行版中，特别是在需要频繁挂载和卸载文件系统的场景下。由于服务配置不当，攻击者可以利用自动挂载选项执行任意命令，从而获得root权限。这种配置问题属于权限提升漏洞，其技术根源在于服务的不安全配置和缺乏适当的访问控制。攻击者可以在不需要认证的情况下利用此漏洞，实现本地权限提升，进而完全控制系统。这可能导致敏感数据泄露、服务中断或其他恶意活动。由于漏洞的利用条件相对简单，且影响范围广泛，因此被评定为高危漏洞。

产品名称： Linux automountd service

来源： https://github.com/projectdiscovery/nuclei-templates/blob/dfc176303ffebe3d9f231045fa3abe2cf2ca9874/misconfiguration%2Flinux%2Flinux-automountd-enabled.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: linux-automountd-enabled

info:
  name: Automountd Service Running - Privilege Escalation Risk
  author: songyaeji
  severity: high
  description: >
    If the automountd service is enabled, a local attacker may execute arbitrary commands using root privileges
    by exploiting automatic mount options. This misconfiguration can lead to local privilege escalation.
  reference:
    - https://isms.kisa.or.kr
    - Cloud Vulnerability Assessment Guide(2024) by KISA
  tags: linux,automountd,service,privilege-escalation,misconfiguration,local
  metadata:
    verified: true
    os: linux
    max-request: 1
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cwe-id: CWE-269

self-contained: true

code:
  - engine:
      - bash
    source: |
      if ps -ef | grep -v grep | grep -q automountd; then
        echo "[VULNERABLE] automountd service is running"
      else
        echo "[SAFE] automountd service is not running"
      fi
    matchers:
      - type: word
        part: code_1_response
        words:
          - "[VULNERABLE] automountd service is running"