Bug 13710 - smbclient more: potential security vulnerability with bad PAGER env
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.9.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-12-13 07:30 UTC by Nick Volenec
Modified: 2018-12-13 07:46 UTC
Description Nick Volenec 2018-12-13 07:30:48 UTC
In source4/client/client.c, on line 696:

	pager=getenv("PAGER");

	pager_cmd = talloc_asprintf(ctx, "%s %s",(pager? pager:DEFAULT_PAGER), lname);
	rc = system(pager_cmd);

system() is called on the command specified by the system's environment variable PAGER. Since this command is specified by the user's environment, it is potentially dangerous.  Some kind of sanity check should be added to check that the pager command is safe.
Comment 1 Andrew Bartlett 2018-12-13 07:46:36 UTC
Thanks for reporting this issue.  However, please report any security issues directly to our security team.  Details are at:
https://www.samba.org/samba/contacts.html

On this particular issue:

I can imagine some very limited situations where a trusted script from a restricted shell with a fixed output (yet somehow calling the subcommand 'more', and so PAGER, so not get/put) could allow a break-out, but this really is a long bow.

If someone has control over smbclient, this (man smbclient) would be faster and simpler:

      ! [shell command]
           If shell command is specified, the ! command will execute a shell locally and run the specified shell command. If no command is specified, a local shell
           will be run.

I also can't really think how you could sanitize $PAGER with any practicality. 

Finally, source4/client/client.c is bin/smbclient4, which is not installed.  (The same code is in the production smbclient however). 

I'm therefore going to close this as WONTFIX, but am happy to hear other views. 

Sorry,
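
Added example (not part of the original bug report and not Samba code): rather than sanitizing $PAGER, which the comment above calls impractical, a program can decide whether the environment is trusted at all, and pass the file name as a separate argument so that only the pager string is parsed by the shell. The function names env_is_trusted, choose_pager and run_pager are hypothetical, and the value given to DEFAULT_PAGER is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEFAULT_PAGER "more"   /* assumed value; Samba's build defines the real one */

/* The environment belongs to the invoking user. It is only less trusted than
 * the process itself when the binary runs with elevated IDs (setuid/setgid). */
static int env_is_trusted(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Honour $PAGER only in a trusted environment (glibc's secure_getenv() is similar). */
static const char *choose_pager(void)
{
    const char *p = env_is_trusted() ? getenv("PAGER") : NULL;
    return (p != NULL && *p != '\0') ? p : DEFAULT_PAGER;
}

/* Run the pager on lname. The pager string is still handed to sh, so values
 * such as "less -R" keep working, but lname travels as "$1" and is never
 * pasted into the command text. Returns the pager's exit status, or -1. */
static int run_pager(const char *pager, const char *lname)
{
    char cmd[1024];
    int status;
    int n = snprintf(cmd, sizeof(cmd), "%s \"$1\"", pager);
    if (n < 0 || n >= (int)sizeof(cmd))
        return -1;                      /* refuse a truncated command */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, "sh", lname, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    return argc == 2 ? run_pager(choose_pager(), argv[1]) : 2;
}
```

This does not change who controls the pager: a user who sets PAGER still chooses the command, as the comment above says of the "!" command.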