Samba - smb.conf templating allows arbitrary injections of samba configurations
Username: Luca Piccirillo
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2330
First, I have to say I’m not 100% sure it is something to be addressed within samba package itself, so forgive me if this is something you have already evaluated as not being an issue.
In short, something like this works:
[…]
option workgroup 'WORKGROUP
security = share
guest account = root
interfaces = lo br-lan
[ohnonotagain]'
I’m not sure this works in plain OpenWrt images, but there exists a widely deployed commercial fork of OpenWrt which is definitely vulnerable to some exploit chain involving this one in the middle.
You could argue that the right to modify the UCI config already gives an equivalent authorization level, or that this should have been sanitized at the user interface. So, is this something you consider safe?
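One way to check a UCI value before it is written into a generated smb.conf, shown as an added example that is not part of the original report and not code from the samba package. The function names, the renderer and the sample value are hypothetical and constructed for illustration; the naive renderer is included only to show how a multi-line value turns into extra configuration lines.

```shell
#!/bin/sh
# Constructed sample: a workgroup value carrying an embedded newline.
MULTILINE='WORKGROUP
netbios name = injected'

# Return 0 only if the value fits on one smb.conf line and cannot open
# a new section: non-empty, no control characters (newline, CR, tab,
# ...), and no square brackets.
smbconf_value_ok() {
    sv_val=$1
    [ -n "$sv_val" ] || return 1
    # Delete control bytes; any difference means the value contained one.
    sv_clean=$(printf '%s' "$sv_val" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$sv_clean" = "$sv_val" ] || return 1
    case $sv_val in
        *'['*|*']'*) return 1 ;;
    esac
    return 0
}

# Naive renderer: substitutes the value as-is, so an embedded newline
# becomes an additional line in the generated file.
render_global_naive() {
    printf '[global]\n\tworkgroup = %s\n' "$1"
}

# Checked renderer: refuses to emit anything for an unsafe value.
render_global() {
    if ! smbconf_value_ok "$1"; then
        echo "refusing workgroup value: control or bracket characters" >&2
        return 1
    fi
    printf '[global]\n\tworkgroup = %s\n' "$1"
}

# Demo: the naive output has three lines instead of two; the checked
# renderer rejects the same value.
render_global_naive "$MULTILINE"
render_global "$MULTILINE" || echo "rejected multi-line value"
```

The same check applies to every option that is substituted into the file, not only `workgroup`.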