code/linux/audit/linux-automountd-enabled.yaml

id: linux-automountd-enabled

info:
  name: Automountd Service Enabled
  author: songyaeji
  severity: medium
  description: |
    The automountd service, when enabled or running, allowed a local attacker to execute arbitrary commands with root privileges by exploiting automatic mount options. This misconfiguration led to local privilege escalation.
  reference:
    - https://isms.kisa.or.kr
  metadata:
    verified: true
  tags: local,linux,privesc,kisa

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      whoami

  - engine:
      - sh
      - bash
    source: |
      if pgrep -x "automountd" > /dev/null; then
        echo "[VULNERABLE] automountd service is running"
      else
        echo "[SAFE] automountd service is not running"
      fi

    matchers-condition: and
    matchers:
      - type: word
        part: response
        words:
          - "root"
        negative: true

      - type: word
        part: response
        words:
          - "[VULNERABLE]"
# digest: 4a0a0047304502203bae281737c0bf4a782527ac4b1f087046778d156478e8942e0f62bc57de275602210080d389c9fdfcdb96b3290985fcbba51ad85076327ed6aabd5af318ba4dc0f0e2:922c64590222798bb761d5b6d8e72950
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`id: linux-automountd-enabled`

			`info:`
restructured 2025-08-21 12:09:15 +05:30			`name: Automountd Service Enabled`
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`author: songyaeji`
restructured 2025-08-21 12:09:15 +05:30			`severity: medium`
			`description: \|`
			`The automountd service, when enabled or running, allowed a local attacker to execute arbitrary commands with root privileges by exploiting automatic mount options. This misconfiguration led to local privilege escalation.`
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`reference:`
			`- https://isms.kisa.or.kr`
			`metadata:`
lint - fix 2025-08-21 15:38:38 +05:30			`verified: true`
restructured 2025-08-21 12:09:15 +05:30			`tags: local,linux,privesc,kisa`
Add templates to check automount service 2025-08-08 02:17:13 +09:00
			`self-contained: true`

			`code:`
			`- engine:`
restructured 2025-08-21 12:09:15 +05:30			`- sh`
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`- bash`
			`source: \|`
restructured 2025-08-21 12:09:15 +05:30			`whoami`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`if pgrep -x "automountd" > /dev/null; then`
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`echo "[VULNERABLE] automountd service is running"`
			`else`
			`echo "[SAFE] automountd service is not running"`
			`fi`
restructured 2025-08-21 12:09:15 +05:30
			`matchers-condition: and`
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`matchers:`
			`- type: word`
Update linux-automountd-enabled.yaml 2025-08-22 17:45:50 +05:30			`part: response`
Add templates to check automount service 2025-08-08 02:17:13 +09:00			`words:`
restructured 2025-08-21 12:09:15 +05:30			`- "root"`
			`negative: true`

			`- type: word`
Update linux-automountd-enabled.yaml 2025-08-22 17:45:50 +05:30			`part: response`
restructured 2025-08-21 12:09:15 +05:30			`words:`
lint - fix 2025-08-21 15:38:38 +05:30			`- "[VULNERABLE]"`
chore: sign templates 🤖 2025-08-23 08:02:48 +00:00			`# digest: 4a0a0047304502203bae281737c0bf4a782527ac4b1f087046778d156478e8942e0f62bc57de275602210080d389c9fdfcdb96b3290985fcbba51ad85076327ed6aabd5af318ba4dc0f0e2:922c64590222798bb761d5b6d8e72950`