id: linux-automountd-enabled

info:
  name: Automountd Service Enabled
  author: songyaeji
  severity: medium
  description: |
    The automountd service, when enabled or running, allowed a local attacker to execute arbitrary commands with root privileges by exploiting automatic mount options. This misconfiguration led to local privilege escalation.
  reference:
    - https://isms.kisa.or.kr
  metadata:
    verified: true
  tags: local,linux,privesc,kisa

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      whoami

  - engine:
      - sh
      - bash
    source: |
      if pgrep -x "automountd" > /dev/null; then
        echo "[VULNERABLE] automountd service is running"
      else
        echo "[SAFE] automountd service is not running"
      fi

    matchers-condition: and
    matchers:
      - type: word
        part: response
        words:
          - "root"
        negative: true

      - type: word
        part: response
        words:
          - "[VULNERABLE]"
# digest: 4a0a0047304502203bae281737c0bf4a782527ac4b1f087046778d156478e8942e0f62bc57de275602210080d389c9fdfcdb96b3290985fcbba51ad85076327ed6aabd5af318ba4dc0f0e2:922c64590222798bb761d5b6d8e72950