OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
  • Task Type Bug Report
  • Category Packages
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version All
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Luca Piccirillo - 19.06.2019

FS#2330 - Samba - smb.conf templating allows arbitrary injections of samba configurations

First, I have to say I’m not 100% sure it is something to be addressed within samba package itself, so forgive me if this is something you have already evaluated as not being an issue.

In short, something like that works:

    option workgroup 'WORKGROUP\
    security = share\
    guest account = root\
    interfaces = lo br-lan\

I’m not sure this works in plain openwrt images, but there exists a widely deployed commercial fork of openwrt which is definitely vulnerable to some exploit chain involving this one in the middle.
You could argue that the right of modifying uci config already gives an equivalent authorization level, or this should have been sanitized at user interface. So, is this something you consider safe?

telia commented on 17.08.2020 08:03

Real world privilege escalation exploit for Technicolor routers, based on OpenWrt Chaos Calmer 15.05.1

telia commented on 17.08.2020 08:08

Vulnerable code is:;a=blob;f=package/network/services/samba36/files/samba.init;h=1c5bb3b3c43eacc6ee3a181a16b63c906365b81b;hb=refs/heads/openwrt-18.06#l32

32         sed -e "s#|NAME|#$name#g" \
33             -e "s#|WORKGROUP|#$workgroup#g" \
34             -e "s#|DESCRIPTION|#$description#g" \
35             -e "s#|INTERFACES|#$interfaces#g" \
36             -e "s#|CHARSET|#$charset#g" \
37             /etc/samba/smb.conf.template > /var/etc/smb.conf

Any variables passed into sed like $name, $workgroup and others must be sanitized and all control symbols such "#" replaced or properly escaped


Available keyboard shortcuts


Task Details

Task Editing