Bug 11601 - Shell command injection - samba-tool domain classicupgrade
Shell command injection - samba-tool domain classicupgrade
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
All Linux
: P5 normal
: ---
Assigned To: Jelmer Vernooij
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2015-11-14 20:50 UTC by Bernd Dietzel
Modified: 2015-11-24 23:45 UTC (History)
3 users (show)

See Also:

Exploit Screenshot , Linux (423.95 KB, image/png)
2015-11-14 20:50 UTC, Bernd Dietzel
no flags Details
patch for 4.3 (1.59 KB, patch)
2015-11-16 05:33 UTC, Uri Simchoni
no flags Details
patch for 4.2 (1.61 KB, patch)
2015-11-16 05:34 UTC, Uri Simchoni
no flags Details
patch for 4.1 (1.61 KB, patch)
2015-11-16 05:36 UTC, Uri Simchoni
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Bernd Dietzel 2015-11-14 20:50:55 UTC
Created attachment 11597 [details]
Exploit Screenshot , Linux

This python script allows the shell code injection :


This function uses os.popen() wich injects the command in testparm, varname and the path to the smbconf :

def get_testparm_var(testparm, smbconf, varname):
    cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
    output = os.popen(cmd, 'r').readline()
    return output.strip()

--> So please use subprocess.Popen() , not os.popen()

Demo Exploit :

1) Put a shell command in the folder name , e.g. ";xeyes;#"


<theregrunner is my user name, you change this to your user name>

2) start samba tool like this :

sudo samba-tool domain classicupgrade '/home/theregrunner/;xeyes;#/smb.conf' --testparm /usr/bin/testparm

3) Now the xeyes program runs as root
Comment 1 Uri Simchoni 2015-11-15 14:41:44 UTC
I'm not sure how severe this actually is, since samba-tool, AFAICT, only runs from a shell prompt, and so in order to exploit it, one would have to gain shell access, but in that case one might just the malicious program and not inject it via samba-tool.

However, code injection is nasty, and in this case, easy to fix, so a fixed is being pushed to master and will then be backported.
Comment 2 Uri Simchoni 2015-11-16 05:33:19 UTC
Created attachment 11601 [details]
patch for 4.3
Comment 5 Andrew Bartlett 2015-11-24 20:31:36 UTC
Thanks for the report.  

After private discussion, we have decided that samba-tool is not a security boundary, so no security advisory will be issued for this bug.  There are many other ways to 'inject' privileged configuration via samba-tool, because the purpose of the tool is to perform administration. 

As such we have merged the patch into master as 22386dc39673f66de2dd57596447acf3c6c00ef7
Comment 6 Bernd Dietzel 2015-11-24 20:37:19 UTC
Thank you for fixing the bug :-)
Comment 7 Andrew Bartlett 2015-11-24 21:02:52 UTC
As this isn't a security issue, opening the bug back up to the public.
Comment 8 Bernd Dietzel 2015-11-24 21:15:36 UTC
We should hope no one imports his smb.conf from a cloud share (webdav) with some part of the path string in the hands of other people ... or stores it on an foreign usbstick with shell code in the usbstick name (the name of the stick is in the path) Then it may get a security issue ;-)
Comment 9 Jeremy Allison 2015-11-24 23:45:45 UTC
(In reply to Bernd Dietzel from comment #8)

Anyone who can write into smb.conf has root. That's just the way Samba works.