Bug 15903 (CVE-2025-10230) - CVE-2025-10230 [SECURITY] Command Injection in WINS Server Hook Script
Summary: CVE-2025-10230 [SECURITY] Command Injection in WINS Server Hook Script
Status: RESOLVED FIXED
Alias: CVE-2025-10230
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15929
Reported: 2025-09-02 21:43 UTC by Douglas Bagnall
Modified: 2025-10-21 20:58 UTC
CC: 4 users

See Also:


Attachments
patch, applying the check as performed by source3 winsserver (1.11 KB, patch)
2025-09-03 02:24 UTC, Douglas Bagnall; flags: gary: review+
patch for master (10.99 KB, patch)
2025-09-11 00:55 UTC, Douglas Bagnall; no flags
patch removing s4 wins hook from samba 4.next (13.23 KB, patch)
2025-09-11 00:56 UTC, Douglas Bagnall; no flags
Patch for master v2 (10.68 KB, patch)
2025-09-11 03:18 UTC, Douglas Bagnall; flags: gary: review+
post CVE wins hook removal patch v2 (12.92 KB, patch)
2025-09-11 03:19 UTC, Douglas Bagnall; no flags
advisory v1 (3.02 KB, text/plain)
2025-09-11 05:42 UTC, Douglas Bagnall; no flags
patch for 4.23 (11.44 KB, patch)
2025-10-05 09:01 UTC, Douglas Bagnall; flags: gary: review+
patch for 4.22 (11.44 KB, patch)
2025-10-05 09:04 UTC, Douglas Bagnall; flags: gary: review+
patch for 4.21 (11.44 KB, patch)
2025-10-05 09:05 UTC, Douglas Bagnall; flags: gary: review+
advisory v2 (3.04 KB, text/plain)
2025-10-12 21:00 UTC, Douglas Bagnall; flags: gary: review+

Description Douglas Bagnall 2025-09-02 21:43:48 UTC
A security researcher writes:

We believe that we have discovered a potential security vulnerability in the repository’s WINS server “wins hook” feature that can enable unauthenticated remote command execution with the privileges of the Samba process when the hook is configured.

Vulnerability Details
- Summary: Unsanitized NetBIOS name strings from WINS registration packets are concatenated into a shell command and executed via sh -c. An attacker on the network can embed shell metacharacters to inject code.
- Relevant code (command construction and execution):
```c
// source4/nbt_server/wins/wins_hook.c
...
cmd = talloc_asprintf(tmp_mem,
                      "%s %s %s %02x %ld",
                      wins_hook_script,
                      wins_hook_action_string(action),
                      rec->name->name,
                      rec->name->type,
                      (long int) rec->expire_time);
...
execl("/bin/sh", "sh", "-c", cmd, NULL);
```
- Data flow (tainted sources → sink):
```c
// source4/nbt_server/wins/winsserver.c
rec.name        = name;             // from network packet
...
return winsdb_add(winssrv->wins_db, &rec, ...);

// source4/nbt_server/wins/winsdb.c
wins_hook(h, rec, WINS_HOOK_ADD, h->hook_script);
wins_hook(h, rec, WINS_HOOK_MODIFY, h->hook_script);
wins_hook(h, rec, WINS_HOOK_DELETE, h->hook_script);
```

- Limitations: NetBIOS names are subject to standard length limitations (typically 15 characters for the name portion). However, these limitations still allow space for command injection payloads using shell metacharacters.

Prerequisites for Exploitation
- Samba 4 deployment with WINS server functionality enabled
- A non-empty `wins hook` script configured in smb.conf (e.g., `wins hook = /path/to/script`)
- Network access to send WINS Name Registration requests to the target server (UDP port 137)
- The WINS service must be running and accepting registration requests

We’re glad to provide additional details or help test fixes. Thank you for your work maintaining Samba.
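Added illustration, not Samba code and not the patch attached to this bug: it puts the one-string `sh -c` shape from wins_hook.c next to a validate-then-execv() shape, so the difference the report describes can be run and inspected. The allowed-character policy (alphanumerics plus `-`, `_`, `.`), the 15-byte name limit as the cut-off, the function names and every path are assumptions for this example; Samba's shipped check may differ.

```c
/* Added illustration, not Samba code and not the shipped fix: the one-string
 * "sh -c" shape from wins_hook.c next to a validate-then-execv() shape.
 * The allowed-character policy and every path here are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NETBIOS_NAME_MAX 15 /* 16 bytes on the wire: 15 of name, 1 of type */

/* Assumed policy: alphanumerics plus '-', '_' and '.'.  Anything a shell could
 * interpret (';', '`', '$', '|', '&', quotes, whitespace) is refused. */
static bool wins_name_is_hook_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0, k;

    if (len == 0 || len > NETBIOS_NAME_MAX)
        return false;
    for (k = 0; k < len; k++) {
        unsigned char c = (unsigned char)name[k];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return false;
    }
    return true;
}

/* Vulnerable shape: same format string as wins_hook.c.  Whatever `name`
 * holds lands verbatim in the single string that "sh -c" will parse. */
static int build_shell_command(char *out, size_t outlen, const char *script,
                               const char *action, const char *name,
                               int type, long expire)
{
    return snprintf(out, outlen, "%s %s %s %02x %ld",
                    script, action, name, type, expire);
}

/* Hardened shape: the configured hook ("script" or "script --args") is split
 * on whitespace into argv, so extra arguments keep working without a shell;
 * action, name, type and expiry are appended as separate elements.  Tokens
 * and formatted numbers live in `buf`, which must outlive `argv`.
 * Returns argc, or -1 if the name is refused or a buffer is too small. */
static int build_hook_argv(const char *hook, const char *action,
                           const char *name, int type, long expire,
                           char *buf, size_t buflen, char **argv, int max_argv)
{
    int argc = 0, n;
    size_t used;
    char *tok;

    if (!wins_name_is_hook_safe(name) || strlen(hook) >= buflen)
        return -1;
    strcpy(buf, hook);
    used = strlen(buf) + 1;
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max_argv - 5) /* keep room for 4 args plus NULL */
            return -1;
        argv[argc++] = tok;
    }
    if (argc == 0)
        return -1;
    argv[argc++] = (char *)action;
    argv[argc++] = (char *)name;
    n = snprintf(buf + used, buflen - used, "%02x", type);
    if (n < 0 || (size_t)n >= buflen - used)
        return -1;
    argv[argc++] = buf + used;
    used += (size_t)n + 1;
    n = snprintf(buf + used, buflen - used, "%ld", expire);
    if (n < 0 || (size_t)n >= buflen - used)
        return -1;
    argv[argc++] = buf + used;
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char cmd[256], buf[256], *argv[16];
    const char *bad = "X;id"; /* constructed 4-byte name carrying a ';' */

    build_shell_command(cmd, sizeof cmd, "/usr/local/sbin/wins-hook", "add",
                        bad, 0x20, 0L);
    printf("sh -c would receive: %s\n", cmd);
    printf("argv path refuses it: %s\n",
           build_hook_argv("/bin/echo --", "add", bad, 0x20, 0L,
                           buf, sizeof buf, argv, 16) < 0 ? "yes" : "no");
    if (build_hook_argv("/bin/echo --", "add", "HOST1", 0x20, 1700000000L,
                        buf, sizeof buf, argv, 16) < 0)
        return 1;
    /* No /bin/sh in the path: the name is a single argv element, inert. */
    execv(argv[0], argv); /* echoes "-- add HOST1 20 1700000000" */
    return 1;
}
```

The argv split is what keeps `wins hook = wins-hook-script --args` working without a shell, which is the concern raised later in this thread about dropping the `sh -c` wrapper; the character check on its own is the smaller change and is the one the attached patch takes.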
Comment 1 Douglas Bagnall 2025-09-03 02:24:29 UTC
Created attachment 18700
patch, applying the check as performed by source3 winsserver
Comment 2 Gary Lockyer 2025-09-03 02:47:32 UTC
Comment on attachment 18700
patch, applying the check as performed by source3 winsserver

That looks sane.
Comment 3 Douglas Bagnall 2025-09-04 23:55:20 UTC
(In reply to Gary Lockyer from comment #2)
> That looks sane.

I am also wondering about

a) removing the whole "wins hook" thing from source4, since the putative reason seems to be replication, but we have the wrepl server for that.

b) ALSO putting a sanity check earlier, so we do less processing altogether for bad names. The rules (https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/naming-conventions-for-computer-domain-site-ou#netbios-computer-names) aren't strict enough for shell in any case.

I guess we can't remove the `sh -c` wrapper and just execlp the thing we're running, because that would break "wins hook = wins-hook-script --args".
Comment 4 Douglas Bagnall 2025-09-05 03:06:09 UTC
I can't get a discount on CVSS 10.0.

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 

That's supposing we regard the 15 character payload limit as "interesting challenge" rather than "almost insurmountable hurdle", which would mean 9.0 (AC:H).
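Added example, not part of the bug discussion: a CVSS v3.1 base-score calculator (the formulas in section 7.1 of the specification and its Roundup definition) that reproduces the two scores quoted above, 10.0 for the vector as written and 9.0 with AC:H. It is written without libm so a bare `cc` builds it; the vector strings are the ones from the comment and the function names are this example's own.

```c
/* Added example, not from the bug report: CVSS v3.1 base score (spec section
 * 7.1; Roundup from Appendix A), written without libm so a bare cc builds it. */
#include <stdio.h>
#include <string.h>

/* Roundup(): round up to one decimal with the spec's integer trick. */
static double cvss_roundup(double d)
{
    long long int_input = (long long)(d * 100000.0 + 0.5);
    if (int_input % 10000 == 0)
        return (double)int_input / 100000.0;
    return (double)(int_input / 10000 + 1) / 10.0;
}

/* Map a metric letter to its weight; -1 if the letter is not allowed. */
static double pick(char v, const char *letters, const double *weights)
{
    const char *p = v ? strchr(letters, v) : NULL;
    return p ? weights[p - letters] : -1.0;
}

/* Parse "AV:N/AC:L/..." (optionally prefixed "CVSS:3.1/") and return the
 * base score, or -1.0 if the vector is malformed or a metric is missing. */
static double cvss31_base_score(const char *vector)
{
    static const double w_av[] = {0.85, 0.62, 0.55, 0.20}; /* N A L P */
    static const double w_ac[] = {0.77, 0.44};             /* L H */
    static const double w_pr_u[] = {0.85, 0.62, 0.27};     /* N L H, S:U */
    static const double w_pr_c[] = {0.85, 0.68, 0.50};     /* N L H, S:C */
    static const double w_ui[] = {0.85, 0.62};             /* N R */
    static const double w_cia[] = {0.56, 0.22, 0.0};       /* H L N */
    char buf[128], *tok;
    char av = 0, ac = 0, pr = 0, ui = 0, s = 0, c = 0, i = 0, a = 0;
    double AV, AC, PR, UI, C, I, A, iss, impact, expl, base;
    int changed;

    if (strlen(vector) >= sizeof buf)
        return -1.0;
    strcpy(buf, vector);
    for (tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0' || colon[2] != '\0') {
            if (strncmp(tok, "CVSS:", 5) == 0)
                continue; /* version prefix, not a metric */
            return -1.0;
        }
        *colon = '\0';
        if (!strcmp(tok, "AV")) av = colon[1];
        else if (!strcmp(tok, "AC")) ac = colon[1];
        else if (!strcmp(tok, "PR")) pr = colon[1];
        else if (!strcmp(tok, "UI")) ui = colon[1];
        else if (!strcmp(tok, "S")) s = colon[1];
        else if (!strcmp(tok, "C")) c = colon[1];
        else if (!strcmp(tok, "I")) i = colon[1];
        else if (!strcmp(tok, "A")) a = colon[1];
        else return -1.0;
    }
    if (s != 'U' && s != 'C')
        return -1.0;
    changed = (s == 'C');
    AV = pick(av, "NALP", w_av);
    AC = pick(ac, "LH", w_ac);
    PR = pick(pr, "NLH", changed ? w_pr_c : w_pr_u); /* PR depends on scope */
    UI = pick(ui, "NR", w_ui);
    C = pick(c, "HLN", w_cia);
    I = pick(i, "HLN", w_cia);
    A = pick(a, "HLN", w_cia);
    if (AV < 0 || AC < 0 || PR < 0 || UI < 0 || C < 0 || I < 0 || A < 0)
        return -1.0;
    iss = 1.0 - (1.0 - C) * (1.0 - I) * (1.0 - A);
    if (changed) {
        double p15 = 1.0;
        for (int k = 0; k < 15; k++)
            p15 *= iss - 0.02; /* (ISS - 0.02)^15 without pow() */
        impact = 7.52 * (iss - 0.029) - 3.25 * p15;
    } else {
        impact = 6.42 * iss;
    }
    expl = 8.22 * AV * AC * PR * UI;
    if (impact <= 0.0)
        return 0.0;
    base = changed ? 1.08 * (impact + expl) : impact + expl;
    return cvss_roundup(base > 10.0 ? 10.0 : base);
}

int main(void)
{
    const char *vectors[] = {
        "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", /* as scored in the comment */
        "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", /* the AC:H alternative */
    };
    for (size_t k = 0; k < sizeof vectors / sizeof vectors[0]; k++)
        printf("%s -> %.1f\n", vectors[k], cvss31_base_score(vectors[k]));
    return 0;
}
```

With scope changed the 1.08 multiplier pushes the AC:L sum past 10 before the cap, which is why no single metric short of AC:H moves the score off 10.0; AC:H drops exploitability from about 3.89 to about 2.22 and lands at 9.0.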
Comment 5 Volker Lendecke 2025-09-05 06:46:50 UTC
(In reply to Douglas Bagnall from comment #3)
> a) removing the whole "wins hook" thing from source4, since the putative
> reason seems to be replication, but we have the wrepl server for that.

My 2ct: Remove it.
Comment 7 Rowland Penny 2025-09-10 09:10:29 UTC
(In reply to Douglas Bagnall from comment #6)
I am with Volker on this, the best way to fix this is to remove it. An open bug from 12 years ago with one participant is no reason not to delete it, surely the person who reported the bug would have said something by now if a) they were still using 'wins hook' and b) it still didn't work.

Microsoft doesn't want anyone to use WINS:

https://learn.microsoft.com/en-us/windows-server/networking/technologies/wins/wins-top
Comment 8 Douglas Bagnall 2025-09-10 22:56:16 UTC
> and b) it still didn't work.

The problem is it does work. We don't know if anyone uses it, but the fix is simple, works, and matches what we already claim to do in `man smb.conf`.

We should do things in this order:

1. backport the fix.
2. remove source4 wins hook from master/4.next.

patches imminent.
Comment 9 Douglas Bagnall 2025-09-11 00:55:35 UTC
Created attachment 18716
patch for master

This is the patch with tests.
Comment 10 Douglas Bagnall 2025-09-11 00:56:22 UTC
Created attachment 18717
patch removing s4 wins hook from samba 4.next
Comment 11 Douglas Bagnall 2025-09-11 01:00:17 UTC
(In reply to Douglas Bagnall from comment #0)

> A security researcher writes:

Igor Morgenstern of Aisle Research, for the record.
Comment 12 Douglas Bagnall 2025-09-11 03:18:12 UTC
Created attachment 18718
Patch for master v2

Version 2 patch moves the (temporary) selftest/target/Samba4.pm config change into a more quiescent region, which means the patch will apply as-is at least as far as 4.15.

And there are some whitespace changes, not fixing trailing whitespace in the wins.c tests.
Comment 13 Douglas Bagnall 2025-09-11 03:19:15 UTC
Created attachment 18719
post CVE wins hook removal patch v2
Comment 14 Douglas Bagnall 2025-09-11 05:42:53 UTC
Created attachment 18720
advisory v1
Comment 15 Douglas Bagnall 2025-09-18 00:32:13 UTC
This was independently discovered and reported by Marcos Tolosa, today (added to CC).

He first reported it to cve.request@mitre.org, who allocated CVE-2025-59520.

We will continue to use CVE-2025-10230.
Comment 16 Douglas Bagnall 2025-10-05 09:01:29 UTC
Created attachment 18742
patch for 4.23
Comment 17 Douglas Bagnall 2025-10-05 09:04:29 UTC
Created attachment 18743
patch for 4.22
Comment 18 Douglas Bagnall 2025-10-05 09:05:47 UTC
Created attachment 18744
patch for 4.21
Comment 19 Douglas Bagnall 2025-10-12 21:00:33 UTC
Created attachment 18752
advisory v2
Comment 20 Samba QA Contact 2025-10-15 12:18:53 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.9):

3db699b8e653db0d68bbe07869b8e2c5475481b9
e8639734faa5798bbaf5f7222f25edc071565d99
Comment 21 Samba QA Contact 2025-10-15 12:19:29 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.5):

af58459f9519a9b03ada8ec6a3d85331e1a94a7a
540197b92d096b3fdfc66c5103e1a691866d7a6d
Comment 22 Samba QA Contact 2025-10-15 12:20:56 UTC
This bug was referenced in samba v4-23-stable (Release samba-4.23.2):

8a92384c09dbb17023d420e0c8ae806e9753bc09
0d8929e15443571ec102485319635313e8e80740
Comment 23 Jule Anger 2025-10-15 12:29:38 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 24 Samba QA Contact 2025-10-15 13:16:44 UTC
This bug was referenced in samba v4-23-test:

8a92384c09dbb17023d420e0c8ae806e9753bc09
0d8929e15443571ec102485319635313e8e80740
Comment 25 Samba QA Contact 2025-10-15 13:17:26 UTC
This bug was referenced in samba v4-22-test:

af58459f9519a9b03ada8ec6a3d85331e1a94a7a
540197b92d096b3fdfc66c5103e1a691866d7a6d
Comment 26 Samba QA Contact 2025-10-15 13:21:14 UTC
This bug was referenced in samba v4-21-test:

3db699b8e653db0d68bbe07869b8e2c5475481b9
e8639734faa5798bbaf5f7222f25edc071565d99
Comment 27 Samba QA Contact 2025-10-21 19:44:02 UTC
This bug was referenced in samba master:

90b01ac9029169f0a185e74233a71b19a1b4acf0
f25e8ccf0d17fac19f6059ab91534485c8a3ad5a