Created attachment 11597
Exploit Screenshot , Linux
This Python script allows shell code injection:
This function uses os.popen(), which injects the command in testparm, varname and the path to the smbconf:
    import os

    def get_testparm_var(testparm, smbconf, varname):
        # One string handed to /bin/sh: metacharacters in testparm, varname or smbconf are parsed as shell syntax
        cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
        output = os.popen(cmd, 'r').readline()
--> So please use subprocess.Popen(), not os.popen()
Demo Exploit:
1) Put a shell command in the folder name, e.g. ";xeyes;#"
<theregrunner is my user name, you change this to your user name>
2) Start samba-tool like this:
sudo samba-tool domain classicupgrade '/home/theregrunner/;xeyes;#/smb.conf' --testparm /usr/bin/testparm
3) Now the xeyes program runs as root
I'm not sure how severe this actually is, since samba-tool, AFAICT, only runs from a shell prompt, and so in order to exploit it, one would have to gain shell access, but in that case one might just run the malicious program and not inject it via samba-tool.
However, code injection is nasty, and in this case, easy to fix, so a fix is being pushed to master and will then be backported.
Created attachment 11601
patch for 4.3
Thanks for the report.
After private discussion, we have decided that samba-tool is not a security boundary, so no security advisory will be issued for this bug. There are many other ways to 'inject' privileged configuration via samba-tool, because the purpose of the tool is to perform administration.
As such we have merged the patch into master as 22386dc39673f66de2dd57596447acf3c6c00ef7
Thank you for fixing the bug :-)
As this isn't a security issue, opening the bug back up to the public.
We should hope no one imports his smb.conf from a cloud share (WebDAV) with some part of the path string in the hands of other people, or stores it on a foreign USB stick with shell code in the USB stick's name (the name of the stick is in the path). Then it may become a security issue ;-)
(In reply to Bernd Dietzel from comment #8)
Anyone who can write into smb.conf has root. That's just the way Samba works.