Samba Remote Code Execution Vulnerability via Unescaped Username in 'check password script'

Vulnerability

A remote code execution vulnerability has been identified in Samba file servers and classic (non-Active Directory) domain controllers. When the 'check password script' option is configured with the %u substitution, Samba substitutes the client-supplied username into the script's command line without escaping shell meta-characters, so a crafted username can inject additional commands into the shell that runs the script. The vulnerable code is reachable remotely only in a non-standard configuration: 'check password script' uses %u and samba-dcerpcd runs as a system service rather than as an on-demand helper. Active Directory Domain Controllers are not affected.

Impact

Exploitation allows arbitrary command execution on the affected system with the privileges of the Samba process that runs the 'check password script'.

Reproduction

To reproduce this vulnerability, configure 'check password script' in smb.conf with a command line containing the %u substitution character. Ensure that samba-dcerpcd is started as a system service by setting 'rpc start on demand helpers' to 'no'. The vulnerable code is then reachable over NCACN_IP_TCP through the SamValidatePasswordChange and SamValidatePasswordReset RPC operations, which pass the client-controlled username into the script's command line.
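The following audit script is an added example and is not code from the Samba project or from this advisory. It parses the [global] section of an smb.conf and reports whether the two preconditions described above are present: 'check password script' carrying the username via %u, and samba-dcerpcd running as a permanent system service ('rpc start on demand helpers = no'). The two embedded configurations are constructed for illustration, the first matching the vulnerable setup and the second a hardened counterpart that drops %u (the script still receives the password on standard input) and leaves on-demand helpers at their default. The parameter-name normalisation mirrors Samba's case- and whitespace-insensitive matching; the crackcheck path is a placeholder.

```python
"""Audit an smb.conf [global] section for the preconditions of the
unescaped-%u 'check password script' issue (added example, not Samba code)."""
import re

# Constructed example of the vulnerable configuration described in the advisory.
VULNERABLE_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   ; the client-supplied username is substituted into a shell command line unescaped
   check password script = /usr/local/sbin/crackcheck -u %u
   rpc start on demand helpers = no
"""

# Constructed hardened counterpart: no %u on the command line (the script is
# still given the password on stdin), and on-demand helpers left at the default.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   check password script = /usr/local/sbin/crackcheck
   rpc start on demand helpers = yes
"""


def normalise_key(key):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def samba_bool(value, default):
    """Interpret a Samba boolean ('yes'/'no', 'true'/'false', '1'/'0')."""
    value = value.strip().lower()
    if value in ("yes", "true", "1"):
        return True
    if value in ("no", "false", "0"):
        return False
    return default


def parse_global(text):
    """Return the [global] parameters as {normalised_key: value}.

    Later assignments override earlier ones, as in Samba. Lines starting with
    ';' or '#' are comments. Only [global] is examined because both parameters
    of interest are global-only.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[normalise_key(key)] = value.strip()
    return params


def audit(text):
    """Report which of the advisory's preconditions the configuration meets."""
    g = parse_global(text)
    script = g.get("checkpasswordscript", "")
    username_in_script = "%u" in script
    # Default for 'rpc start on demand helpers' is yes (helpers are forked on demand).
    on_demand = samba_bool(g.get("rpcstartondemandhelpers", "yes"), default=True)
    return {
        "username_in_script": username_in_script,
        "dcerpcd_system_service": not on_demand,
        # Both conditions together expose the script via the NCACN_IP_TCP RPC path.
        "remotely_reachable": username_in_script and not on_demand,
    }


if __name__ == "__main__":
    import sys
    # On a live host, pipe in `testparm -s` output so includes and defaults are resolved.
    text = sys.stdin.read() if not sys.stdin.isatty() else VULNERABLE_CONF
    for name, hit in audit(text).items():
        print(f"{name}: {hit}")
```

A %u in the script command line is worth removing even when samba-dcerpcd is not a system service, since the on-demand setting only governs the remote RPC path described in this advisory; the 'remotely_reachable' flag is the combination the reproduction steps require.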

Remediation

Update to a Samba release that contains the fix for this issue (CVE-2025-10230): 4.23.2, 4.22.5 or 4.21.9, or a later release. Where an upgrade is not yet possible, the preconditions above give the workaround: remove %u from 'check password script' (or unset the option), and leave 'rpc start on demand helpers' at its default of 'yes' so that samba-dcerpcd is not run as a permanent system service.

Added: May 28, 2026, 10:08 AM
Updated: May 28, 2026, 10:08 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 7.5
exploitability: 9.1
remediation: 8.3
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.