From: Douglas Bagnall
Date: Wed, 3 Sep 2025 02:20:24 +0000 (+1200)
Subject: CVE-2025-10230: s4:wins: restrict names fed to shell
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f25e8ccf0d17fac19f6059ab91534485c8a3ad5a;p=thirdparty%2Fsamba.git

CVE-2025-10230: s4:wins: restrict names fed to shell

If the "wins hook" smb.conf parameter is set, the WINS server will attempt to execute that value in a shell command line when a client asks to modify a name. The WINS system is a trusting one, and clients can claim any NETBIOS name they wish.

With the source3 nmbd WINS server (since the 1999 commit now called 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7) the wins hook will not be run for names that contain shell metacharacters. This restriction has not been present on the source4 nbt WINS server, which is the WINS server that will be used in the event that an Active Directory Domain Controller is also running WINS.

This allowed an unauthenticated client to execute arbitrary commands on the server.

This commit brings the nmbd check into the nbt WINS server, so that the wins hook will only be run for names that contain only letters, digits, hyphens, underscores and periods. This matches the behaviour described in the smb.conf man page.

The source3 nmbd WINS server has another layer of protection, in that it uses the smb_run() exec wrapper that tries to escape arguments. We don't do that here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15903

Signed-off-by: Douglas Bagnall
Reviewed-by: Gary Lockyer

Autobuild-User(master): Douglas Bagnall
Autobuild-Date(master): Tue Oct 21 19:43:25 UTC 2025 on atb-devel-224
---
diff --git a/selftest/knownfail.d/samba4.nbt.wins.wins_bad_names b/selftest/knownfail.d/samba4.nbt.wins.wins_bad_names deleted file mode 100644 index 52388ce5749..00000000000 --- a/selftest/knownfail.d/samba4.nbt.wins.wins_bad_names +++ /dev/null @@ -1 +0,0 @@ -samba4.nbt.wins.wins_bad_names
diff --git a/source4/nbt_server/wins/wins_hook.c b/source4/nbt_server/wins/wins_hook.c index 1af471b15bc..442141fecdd 100644 --- a/source4/nbt_server/wins/wins_hook.c +++ b/source4/nbt_server/wins/wins_hook.c @@ -43,9 +43,18 @@ void wins_hook(struct winsdb_handle *h, const struct winsdb_record *rec, int child; char *cmd = NULL; TALLOC_CTX *tmp_mem = NULL; + const char *p = NULL; if (!wins_hook_script || !wins_hook_script[0]) return; + for (p = rec->name->name; *p; p++) { + if (!(isalnum((int)*p) || strchr_m("._-", *p))) { + DBG_ERR("not calling wins hook for invalid name %s\n", + rec->name->name); + return; + } + } + tmp_mem = talloc_new(h); if (!tmp_mem) goto failed;
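
Review bot: in the new validation loop in wins_hook(), `isalnum((int)*p)` widens a plain `char`, so on a platform where `char` is signed any byte above 0x7f in `rec->name->name` reaches isalnum() as a negative value, which is outside the range the function is defined for. Casting through `unsigned char`, as in `isalnum((unsigned char)*p)`, avoids that. isalnum() is also locale-dependent, so an explicit ASCII range test would hold the check to the "letters, digits, hyphens, underscores and periods" the commit message promises, whatever locale the server runs in. Separately, the DBG_ERR call prints the rejected name with `%s`: that name is client-supplied and has just failed the character check, so it can carry control characters into the log, and every rejected request logs at error level. Consider escaping the name before logging it, or logging at a lower debug level. The loop covers only `rec->name->name`, and the command construction itself is outside this hunk, so it is worth confirming in the full function that no other client-influenced field reaches the command string unchecked, given that the commit message notes there is no smb_run()-style escaping here.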