A flaw was found in Samba. The vulnerability exists due to a command injection in the Samba DCE/RPC SAMR server when it invokes a “check password script” that uses the `%u` substitution character. Samba file servers and classic (non-AD) domain controllers offer the `SamValidatePasswordChange` and `SamValidatePasswordReset` RPC services on the SAMR DCE/RPC service over NCACN_IP_TCP. Both services pass a username and password to the “check password script” configured in smb.conf. If the script is configured with %u, the client-controlled username is passed to the script without proper escaping of shell meta-characters. A remote attacker can send a crafted username containing malicious shell metacharacters, which is then executed by the script with the privileges of the `samba-dcerpcd` service (typically root). This issue primarily affects non-standard configurations where the “check password script” is used with `%u` and the `samba-dcerpcd` service is started as a system service. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command. The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Exploitation does not require authentication, but the attack complexity is considered high due to the prerequisite of a non-standard configuration. The vulnerability was reported to Red Hat on 2026-05-19 and made public on 2026-05-26.
DailyCVE Form:
Platform: Samba
Version: 4.22.0-4.24.2
Vulnerability: RCE via Injection
Severity: Critical (CVSS 10)
Date: 2026-05-28
Prediction: 2026-05-26
What Undercode Says:
Check whether samba-dcerpcd runs as a system service: `systemctl status samba-dcerpcd`
Check smb.conf for the vulnerable configuration: `testparm -v | grep "check password script"`
Affected version ranges (from Mend.io):
- >=4.22.0 <4.22.10
- >=4.23.0 <4.23.8
- >=4.24.0 <4.24.3
Exploit simulation (educational): the attacker sets the username to contain a shell command, for example username = "admin; id > /tmp/exploit;", and the command "id" is then executed through the %u substitution.
Exploit:
An unauthenticated attacker can exploit the vulnerability by sending a crafted RPC request to the SAMR service. The attacker sets the username field to include shell metacharacters (e.g., "; id > /tmp/hacked"). Because the `%u` substitution is not escaped, the script executes the injected command. No public exploit code is available, but the exploit price is estimated at USD 0-5,000.
Protection:
- Patch immediately: Update to Samba versions 4.22.10, 4.23.8, or 4.24.3.
- Workaround: Remove the `%u` substitution character from the “check password script” in `smb.conf` if not absolutely needed.
- Mitigation: Ensure `samba-dcerpcd` does not run as a system service or restrict network access to the SAMR RPC service.
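The configuration and version checks above, as an added defender-side audit script that is not part of the advisory or of Samba's own tooling: it flags an uncommented `check password script` that still carries `%u` and tests a version string against the affected ranges. The script path `/usr/local/bin/pwcheck.sh` and the two sample configurations are constructed placeholders; `testparm -s` and `smbd -V` are standard Samba commands.

```shell
#!/bin/sh
# Added audit helpers for the "check password script" %u issue (constructed
# example, not Samba's own tooling and not from the advisory).

# Exit 0 if the smb.conf or `testparm -s` output given as $1 has an
# uncommented "check password script" whose command line contains %u.
check_password_script_uses_u() {
    sed 's/^[[:space:]]*//' "$1" \
      | grep -v '^[#;]' \
      | grep -i '^check[[:space:]]*password[[:space:]]*script[[:space:]]*=' \
      | grep -q '%u'
}

# Exit 0 if a Samba version string ("4.24.2", "4.23.5-Debian") is in an
# affected range: >=4.22.0 <4.22.10, >=4.23.0 <4.23.8, >=4.24.0 <4.24.3.
samba_version_affected() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}         # strip distro suffixes such as "-Debian"
    [ -n "$patch" ] || patch=0
    [ "$major" = 4 ] || return 1
    case "$minor" in
        22) [ "$patch" -lt 10 ] ;;
        23) [ "$patch" -lt 8 ] ;;
        24) [ "$patch" -lt 3 ] ;;
        *)  return 1 ;;
    esac
}

# Constructed sample configurations standing in for /etc/samba/smb.conf.
VULN_CONF=$(mktemp); SAFE_CONF=$(mktemp)
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT
cat > "$VULN_CONF" <<'EOF'
[global]
   check password script = /usr/local/bin/pwcheck.sh %u
EOF
cat > "$SAFE_CONF" <<'EOF'
[global]
   ; check password script = /usr/local/bin/pwcheck.sh %u
   check password script = /usr/local/bin/pwcheck.sh
EOF

# On a live host, feed the functions `testparm -s 2>/dev/null > /tmp/smb.txt`
# and the version printed by `smbd -V` instead of the samples below.
for f in "$VULN_CONF" "$SAFE_CONF"; do
    if check_password_script_uses_u "$f"; then echo "$f: %u present (exposed)"
    else echo "$f: no %u in check password script"; fi
done
samba_version_affected "4.24.2" && echo "4.24.2 falls in an affected range"
```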
Impact:
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary OS commands on the Samba server, typically with `root` privileges. This can lead to full server takeover, data theft, ransomware deployment, and lateral movement within the network.
Sources:
Reported By: nvd.nist.gov