CVE-2025-10230: s4:wins: restrict names fed to shell

If the "wins hook" smb.conf parameter is set, the WINS server will
attempt to execute that value in a shell command line when a client
asks to modify a name. The WINS system is a trusting one, and clients
can claim any NETBIOS name they wish.

With the source3 nmbd WINS server (since the 1999 commit now called
3db52fe) the wins hook will not be
run for names that contain shell metacharacters. This restriction has
not been present on the source4 nbt WINS server, which is the WINS
server that will be used in the event that an Active Directory Domain
Controller is also running WINS.

This allowed an unauthenticated client to execute arbitrary commands
on the server.

This commit brings the nmbd check into the nbt WINS server, so that
the wins hook will only be run for names that contain only letters,
digits, hyphens, underscores and periods. This matches the behaviour
described in the smb.conf man page.

The source3 nmbd WINS server has another layer of protection, in that
it uses the smb_run() exec wrapper that tries to escape arguments. We
don't do that here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15903

Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>

Autobuild-User(master): Douglas Bagnall <[email protected]>
Autobuild-Date(master): Tue Oct 21 19:43:25 UTC 2025 on atb-devel-224

Author: douglasbagnall

selftest/knownfail.d/samba4.nbt.wins.wins_bad_names

@@ -43,9 +43,18 @@ void wins_hook(struct winsdb_handle *h, const struct winsdb_record *rec,
 	int child;
 	char *cmd = NULL;
 	TALLOC_CTX *tmp_mem = NULL;
+	const char *p = NULL;
 
 	if (!wins_hook_script || !wins_hook_script[0]) return;
 
+	for (p = rec->name->name; *p; p++) {
+		if (!(isalnum((int)*p) || strchr_m("._-", *p))) {
+			DBG_ERR("not calling wins hook for invalid name %s\n",
+				rec->name->name);
+			return;
+		}
+	}
+
 	tmp_mem = talloc_new(h);
 	if (!tmp_mem) goto failed;