[Bug 1514046] Re: Shell command injection - samba-tool domain classicupgrade

Seth Arnold 1514046 at bugs.launchpad.net
Wed Jan 6 00:37:05 UTC 2016 

Thanks for finding and reporting this issue; I'm inclined to agree with
upstream that this isn't crossing a security boundary, even though it is
relatively unpleasant.

Thanks

** Changed in: samba (Ubuntu)
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1514046

Title:
  Shell command injection - samba-tool domain classicupgrade

Status in samba package in Ubuntu:
  Won't Fix

Bug description:
  Attached screenshot

  This python script allows the shell code injection :

  /usr/lib/python2.7/dist-packages/samba/netcmd/domain.py

  This function uses os.popen() wich injects the command in testparm,
  varname and the path to the smbconf :

  def get_testparm_var(testparm, smbconf, varname):
      cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
      output = os.popen(cmd, 'r').readline()
      return output.strip()

  
  --> So please use subprocess.Popen() , not os.popen()


  Demo Exploit :
  =============

  1) Put a shell command in the folder name , e.g.  ";xeyes;#"

  /home/theregrunner/;xeyes;#/smb.conf

  <theregrunner is my user name, you change this to your user name>

  
  2) start samba tool like this :

  sudo samba-tool domain classicupgrade
  '/home/theregrunner/;xeyes;#/smb.conf' --testparm /usr/bin/testparm

  3) Now the xeyes program runs as root

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: samba-common-bin 2:4.1.17+dfsg-4ubuntu2
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sat Nov  7 09:01:35 2015
  InstallationDate: Installed on 2015-10-22 (15 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SambaServerRegression: No
  SmbConfIncluded: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  WindowsFailedConnect: Yes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1514046/+subscriptions

More information about the foundations-bugs mailing list