Ubuntu
samba package

Shell command injection - samba-tool domain classicupgrade

Bug #1514046 reported by Bernd Dietzel on 2015-11-07

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	samba (Ubuntu)	Won't Fix	Undecided	Unassigned

Bug Description

Attached screenshot

This python script allows the shell code injection :

/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py

This function uses os.popen() wich injects the command in testparm, varname and the path to the smbconf :

def get_testparm_var(testparm, smbconf, varname):
    cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
    output = os.popen(cmd, 'r').readline()
    return output.strip()

--> So please use subprocess.Popen() , not os.popen()

Demo Exploit :
=============

1) Put a shell command in the folder name , e.g. ";xeyes;#"

/home/theregrunner/;xeyes;#/smb.conf

<theregrunner is my user name, you change this to your user name>

2) start samba tool like this :

sudo samba-tool domain classicupgrade '/home/theregrunner/;xeyes;#/smb.conf' --testparm /usr/bin/testparm

3) Now the xeyes program runs as root

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: samba-common-bin 2:4.1.17+dfsg-4ubuntu2
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Nov 7 09:01:35 2015
InstallationDate: Installed on 2015-10-22 (15 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SambaServerRegression: No
SmbConfIncluded: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
WindowsFailedConnect: Yes

Tags:

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-11-07:

#1

#### Expoit Screenshot #### .png Edit (424.0 KiB, image/png)
Dependencies.txt Edit (3.2 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (112 bytes, text/plain; charset="utf-8")
SambaInstalledVersions.txt Edit (305 bytes, text/plain; charset="utf-8")

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2015-11-12:

#2

Hi Bernd - Thanks for reporting this to us!

I don't feel like there's much of a chance that an attacker could control the path to the smb.conf file. This feels like a normal bug to me.

Have you reported this issue to upstream Samba? I think we'd prefer to wait for them to fix this upstream and for it to eventually make its way into Ubuntu rather than performing security updates to address this.

Changed in samba (Ubuntu):
status:	New → Incomplete

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-11-12:

#3

If the path is on a webdav share or a usb device ...
The name of the /media/ is also part of the path so simply a usb stick name could inject a command.
I think this should not happen.

No, i haven't reported upstream.

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-11-14:

#4

Reported to upstream :
https://bugzilla.samba.org/show_bug.cgi?id=11601

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-12-29:

#5

public in upstream
https://bugzilla.samba.org/show_bug.cgi?id=11601#c7

information type:

Private Security → Public Security

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2016-01-06:

#6

Thanks for finding and reporting this issue; I'm inclined to agree with upstream that this isn't crossing a security boundary, even though it is relatively unpleasant.

Thanks

Changed in samba (Ubuntu):
status:	Incomplete → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

samba-bugs #11601 Edit

Bug watches keep track of this bug in other bug trackers.