git.ipfire.org Git - thirdparty/samba.git/commitdiff
CVE-2025-10230: s4:wins: restrict names fed to shell
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 3 Sep 2025 02:20:24 +0000 (14:20 +1200)
committer Douglas Bagnall <dbagnall@samba.org>
Tue, 21 Oct 2025 19:43:25 +0000 (19:43 +0000)
If the "wins hook" smb.conf parameter is set, the WINS server will
attempt to execute that value in a shell command line when a client
asks to modify a name. The WINS system is a trusting one, and clients
can claim any NETBIOS name they wish.

With the source3 nmbd WINS server (since the 1999 commit now called
3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7) the wins hook will not be
run for names that contain shell metacharacters. This restriction has
not been present on the source4 nbt WINS server, which is the WINS
server that will be used in the event that an Active Directory Domain
Controller is also running WINS.

This allowed an unauthenticated client to execute arbitrary commands
on the server.

This commit brings the nmbd check into the nbt WINS server, so that
the wins hook will only be run for names that contain only letters,
digits, hyphens, underscores and periods. This matches the behaviour
described in the smb.conf man page.

The source3 nmbd WINS server has another layer of protection, in that
it uses the smb_run() exec wrapper that tries to escape arguments. We
don't do that here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15903

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Oct 21 19:43:25 UTC 2025 on atb-devel-224

selftest/knownfail.d/samba4.nbt.wins.wins_bad_names [deleted file]
source4/nbt_server/wins/wins_hook.c

diff --git a/selftest/knownfail.d/samba4.nbt.wins.wins_bad_names b/selftest/knownfail.d/samba4.nbt.wins.wins_bad_names
deleted file mode 100644 (file)
index 52388ce..0000000
+++ /dev/null
@@ -1 +0,0 @@
-samba4.nbt.wins.wins_bad_names
index 1af471b15bc5ac9b1f117908557ef4d438ad8bca..442141fecdde3c21e31d751c82eac1b3c396b653 100644 (file)
@@ -43,9 +43,18 @@ void wins_hook(struct winsdb_handle *h, const struct winsdb_record *rec,
        int child;
        char *cmd = NULL;
        TALLOC_CTX *tmp_mem = NULL;
+       const char *p = NULL;
 
        if (!wins_hook_script || !wins_hook_script[0]) return;
 
+       for (p = rec->name->name; *p; p++) {
+               if (!(isalnum((int)*p) || strchr_m("._-", *p))) {
+                       DBG_ERR("not calling wins hook for invalid name %s\n",
+                               rec->name->name);
+                       return;
+               }
+       }
+
        tmp_mem = talloc_new(h);
        if (!tmp_mem) goto failed;
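
Review bot: In the new validation loop, `isalnum((int)*p)` receives a plain `char` converted to `int`; where `char` is signed, a byte of 0x80 or above in `rec->name->name` becomes a negative value, which is outside the range `isalnum()` is defined for, and the answer for such bytes also depends on the current locale. Cast through `unsigned char`, or compare against explicit ASCII ranges, so the accepted set is exactly the letters, digits, `.`, `_` and `-` that the commit message describes. Separately, the `DBG_ERR` call prints the rejected name with `%s` unmodified, so a name that failed the check because it contains control characters or newlines is written to the log as is; escaping it or logging it in hex would keep the log line intact.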