Message-ID: <bb119ae4-dfdb-4cdb-bd25-edd7f19005a2@catalyst.net.nz>
Date: Thu, 16 Oct 2025 15:18:25 +1300
From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640

More about this:

> CVE-2025-10230 https://bugzilla.samba.org/show_bug.cgi?id=15903
> https://www.samba.org/samba/security/CVE-2025-10230.html

The 'wins hook' parameter was introduced in Samba 2.0.6 in 1999. It pointed to a program to run when a WINS record changed. The man page said

    The second argument is the NetBIOS name. If the name is not a legal
    name then the wins hook is not called. Legal names contain only
    letters, digits, hyphens, underscores and periods.

which was performed thus:

+ for (p=namerec->name.name; *p; p++) {
+ if (!(isalnum((int)*p) || strchr("._-",*p))) {
+ DEBUG(3,("not calling wins hook for invalid name %s\n", nmb_namestr(&namerec->name)));
+ return;
+ }
+ }

That CVS commit is now called
https://gitlab.com/samba-team/samba/-/commit/e04a63783e7a71abe8aa46ea7da401157232825c
and has this good summary of the use case for a commit message:

    The new "wins hook" option specifies an optional external program
    to call for all WINS changes. This allows you to update your
    dynamic DNS server or ldap database with WINS entries as they are
    created/changed/deleted.

Shell command strings as parameters is quite typical of 1990s Samba configuration. It was a unix building block and scripts were glue. In 2007 Samba had a scare[1] with some other unsafe configuration script options and its wrapper around execl("/bin/sh","sh","-c", cmd) began to escape shell arguments[2].

[1] https://www.samba.org/samba/security/CVE-2007-2447.html
[2] https://gitlab.com/samba-team/samba/-/blob/master/source3/lib/smbrun.c

That left the Samba 3.0 wins hook parameter doubly protected.

Samba 4 began as a rewrite of Samba in 2004 or earlier, working around the concept of a virtual NT file system.
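Review bot: in the quoted 1999 wins hook validation loop above, `isalnum((int)*p)` hands a plain `char` to a <ctype.h> classifier; where `char` is signed, any byte >= 0x80 in the name becomes a negative int other than EOF and the call is undefined behaviour. Cast through unsigned char instead, e.g. `if (!(isalnum((unsigned char)*p) || strchr("._-",*p)))`. The allowlist itself (letters, digits, `.`, `_`, `-`) is the right shape for keeping the name out of shell syntax, and the early `return` correctly skips the hook rather than calling it with a sanitised name.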
Quite quickly most of the development began to focus on Active Directory, which was absent from Samba 3. The remaining components largely languished, neither vigorously developed nor used in the real world, though the Samba 4 WINS server was briefly an exception to that rule. A flurry of activity in early 2006 saw it released as a part of "Samba 4 Technology Preview 1" and as a spin-off project samba4WINS (https://lwn.net/Articles/169804/). The advantage of the Samba 4 server is that it could replicate to and from other WINS servers. Nonetheless, after that the Samba 4 WINS server received no attention.

When Samba 4 was eventually released about 7 years later it was actually a hybrid of the continually improved Samba 3 file server and the Samba 4 AD DC. This pragmatic un-forking left some overlaps -- there were 2 RPC servers, 2 NBT servers, 2 WINS servers. Which one you got depended on whether Samba was configured primarily as a domain controller or a file server. It is not always clear (to me) which one will run -- the unused NTVFS file server is kept around for testing, and I half expected the associated WINS server to have similar status. I think nobody has looked at it in recent years, because nobody has expected it to run.

In the last six weeks we have had two reports of this bug. First from Igor Morgenstern of Aisle Research, and then from Marcos Tolosa from OWASP (Marcos Tolosa obtained CVE-2025-59520 for this before contacting us). I believe that these are LLM-assisted discoveries. This is partly because of the coincidence, but also because over the same period we have had a number of reports similar in tone and detail that have turned out to be false positives.

This bug persisted I think because we regarded this as dead code, or as-good-as-dead code, and never looked at it. LLMs without that preconception came through and pointed out the now glaringly obvious bug.

This is a step up (or sideways) from other static analysers, in that they seem to follow a taint across domains, from the C variable into the string and execl call. Conventional analysers are stuck in e.g. the exact semantics of C. It is hard to judge the true false positive rate -- we only see what people send us -- but it doesn't look (or necessarily need to be) spectacular.

Anyway, the summary is the Samba 3/4 history has left us with unmaintained pockets within our codebase that we ignore because we assume nobody is using them, but which we don't delete because maybe somebody is using them. There may not be very many more.

Douglas