Bug 11601 - Shell command injection - samba-tool domain classicupgrade
Summary: Shell command injection - samba-tool domain classicupgrade
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python (show other bugs)
Version: 4.1.17
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Jelmer Vernooij
QA Contact: Samba QA Contact
URL: https://bugs.launchpad.net/ubuntu/+so...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-14 20:50 UTC by Bernd Dietzel
Modified: 2015-11-24 23:45 UTC (History)
3 users (show)

See Also:

Attachments
Exploit Screenshot , Linux (423.95 KB, image/png)
2015-11-14 20:50 UTC, Bernd Dietzel 		no flags Details
patch for 4.3 (1.59 KB, patch)
2015-11-16 05:33 UTC, Uri Simchoni 		no flags Details
patch for 4.2 (1.61 KB, patch)
2015-11-16 05:34 UTC, Uri Simchoni 		no flags Details
patch for 4.1 (1.61 KB, patch)
2015-11-16 05:36 UTC, Uri Simchoni 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Bernd Dietzel 2015-11-14 20:50:55 UTC 
Created attachment 11597 [details]
Exploit Screenshot , Linux

This python script allows the shell code injection :

/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py

This function uses os.popen() wich injects the command in testparm, varname and the path to the smbconf :

def get_testparm_var(testparm, smbconf, varname):
    cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
    output = os.popen(cmd, 'r').readline()
    return output.strip()

--> So please use subprocess.Popen() , not os.popen()

Demo Exploit :
=============

1) Put a shell command in the folder name , e.g. ";xeyes;#"

/home/theregrunner/;xeyes;#/smb.conf

<theregrunner is my user name, you change this to your user name>

2) start samba tool like this :

sudo samba-tool domain classicupgrade '/home/theregrunner/;xeyes;#/smb.conf' --testparm /usr/bin/testparm

3) Now the xeyes program runs as root
Comment 1 Uri Simchoni 2015-11-15 14:41:44 UTC 
I'm not sure how severe this actually is, since samba-tool, AFAICT, only runs from a shell prompt, and so in order to exploit it, one would have to gain shell access, but in that case one might just the malicious program and not inject it via samba-tool.

However, code injection is nasty, and in this case, easy to fix, so a fixed is being pushed to master and will then be backported.
Comment 2 Uri Simchoni 2015-11-16 05:33:19 UTC 
Created attachment 11601 [details]
patch for 4.3
Comment 5 Andrew Bartlett 2015-11-24 20:31:36 UTC 
Thanks for the report.  

After private discussion, we have decided that samba-tool is not a security boundary, so no security advisory will be issued for this bug.  There are many other ways to 'inject' privileged configuration via samba-tool, because the purpose of the tool is to perform administration. 

As such we have merged the patch into master as 22386dc39673f66de2dd57596447acf3c6c00ef7
Comment 6 Bernd Dietzel 2015-11-24 20:37:19 UTC 
Thank you for fixing the bug :-)
Comment 7 Andrew Bartlett 2015-11-24 21:02:52 UTC 
As this isn't a security issue, opening the bug back up to the public.
Comment 8 Bernd Dietzel 2015-11-24 21:15:36 UTC 
We should hope no one imports his smb.conf from a cloud share (webdav) with some part of the path string in the hands of other people ... or stores it on an foreign usbstick with shell code in the usbstick name (the name of the stick is in the path) Then it may get a security issue ;-)
Comment 9 Jeremy Allison 2015-11-24 23:45:45 UTC 
(In reply to Bernd Dietzel from comment #8)

Anyone who can write into smb.conf has root. That's just the way Samba works.