Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#2330 - Samba - smb.conf templating allows arbitrary injections of samba configurations #7192

Open
openwrt-bot opened this issue Jun 19, 2019 · 2 comments
Labels
core packages pull request/issue for core (in-tree) packages flyspray

Comments

@openwrt-bot
Copy link

LuKePicci:

First, I have to say I'm not 100% sure it is something to be addressed within samba package itself, so forgive me if this is something you have already evaluated as not being an issue.

In short, something like that works:

[…]
option workgroup 'WORKGROUP
security = share
guest account = root
interfaces = lo br-lan

[ohnonotagain]'

I'm not sure this works in plain openwrt images, but there exists a widely deployed commercial fork of openwrt which is definitely vulnerable to some exploit chain involving this one in the middle.
You could argue that the right of modifying uci config already gives an equivalent authorization level, or this should have been sanitized at user interface. So, is this something you consider safe?

@openwrt-bot
Copy link
Author

telia:

Real world privilege escalation exploit for Technicolor routers, based on OpenWrt Chaos Calmer 15.05.1

https://github.com/full-disclosure/FDEU-CVE-2020-1FC5

@openwrt-bot
Copy link
Author

telia:

Vulnerable code is:

https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/samba36/files/samba.init;h=1c5bb3b3c43eacc6ee3a181a16b63c906365b81b;hb=refs/heads/openwrt-18.06#l32

32 sed -e "s#|NAME|#$name#g"
33 -e "s#|WORKGROUP|#$workgroup#g"
34 -e "s#|DESCRIPTION|#$description#g"
35 -e "s#|INTERFACES|#$interfaces#g"
36 -e "s#|CHARSET|#$charset#g"
37 /etc/samba/smb.conf.template > /var/etc/smb.conf

Any variables passed into sed like $name, $workgroup and others must be sanitized and all control symbols such "#" replaced or properly escaped

@aparcar aparcar added the core packages pull request/issue for core (in-tree) packages label Feb 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core packages pull request/issue for core (in-tree) packages flyspray
Projects
None yet
Development

No branches or pull requests

2 participants