• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Linux autofs Vulnerability

The autofs module provides support for the automount filesystem, as well as the interface between the kernel and the automountd daemon, which is responsible for the actual mounting. Calls such as chdir() executed in the automount directory are handled by the module, and if the desired directory is defined in the configuration files, automountd then mounts that directory/device. When a chdir() or similar function is called in the autofs directory, by a user doing something along the lines of "cd xxxx", the function fs/autofs/root.c:autofs_root_lookup() is called.

The autofs kernel module does not check the size of the directory names it receives. It is passed the name and the names length through dentry->d_name.name and dentry->d_name.len respectively. Later on it memcpy()'s the name into a 256 byte buffer, using dentry->d_name.len as the number of bytes to copy, without checking its size. A nonprivilaged user may attempt to cd to a directory name exceeding 255 characters. This overwrites memory, probably the kernel stack and anything beyond it, and causes kernel errors or makes the machine reboot .