Bug 16094 - source4/dsdb/samdb/cracknames.c doesn't use ldb_binary_encode_string() consistently
Summary: source4/dsdb/samdb/cracknames.c doesn't use ldb_binary_encode_string() consis...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.24.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
Reported: 2026-05-28 15:33 UTC by Stefan Metzmacher
Modified: 2026-05-28 15:37 UTC
CC List: 0 users

See Also:


Description Stefan Metzmacher 2026-05-28 15:33:17 UTC
A client-provided value can be passed into a filter
without going through ldb_binary_encode_string().

But the value is only appended via "name=%s",
so there's no leading "(", which means
in lib/ldb/common/ldb_parse.c:356 the value-parsing loop terminates
at the first unescaped ')', so a payload like "users)(hidden=*" collapses to
"(name=users)" with the trailing bytes silently discarded. An escaped "\)" makes
ldb_parse_tree() return NULL rather than admit injection. Combined with
LDB_SCOPE_ONELEVEL, the attribute list restricted to ["name"], and the fact that
a DRSUAPI-authenticated client can already issue arbitrary LDAP searches via
dcesrv_samdb_connect_as_user(), there is no escalation surface.

This was reported by Arjun Basnet with Securin Labs.