Signature Detail

RPC: Automount Daemon Buffer Overflow

This signature detects attempts to exploit a known vulnerability against the log functions of Automounter (amd), a daemon that automatically mounts filesystems when files or directories within that filesystem are accessed. Amd also unmounts non-active filesystems. Attackers can send a maliciously crafted long string to the AMQPROC_MOUNT procedure to overflow the buffer and gain root access.

Extended Description

There is a remotely exploitable buffer overflow condition in the amd daemon under several operating systems. Amd is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent. The vulnerability is in the log functions of the daemon. Red Hat Linux 4.2 shipped originally with a version of amd that is no longer being maintained. Since Red Hat Linux 5.0 we have switched to am-utils. This release of am-utils has been backported to 4.2 and it will obsolete the original 4.2 amd package.

Affected Products

• BSD BSD/OS 3.1.0
• BSD BSD/OS 4.0.1
• FreeBSD 3.0.0
• FreeBSD 3.1.0
• FreeBSD 3.2.0
• Red Hat Linux 4.2.0
• Red Hat Linux 5.0.0
• Red Hat Linux 5.1.0
• Red Hat Linux 5.2.0 i386
• Red Hat Linux 6.0.0

References

• BugTraq: 614
• CVE: CVE-1999-0704
• URL: http://www.cert.org/advisories/CA-1999-12.html
• URL: http://securityfocus.com/bid/614
• URL: http://www.ciac.org/ciac/bulletins/j-071.shtml