Summary

SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday. Update 3/12/2020: Microsoft released an out of band patch

Narrative

Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”

Microsoft then released an advisory with more information: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

CERT followed: https://www.kb.cert.org/vuls/id/872016/

Impact

This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.

Affected Population

Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

Identify Vulnerable Hosts

Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394

Workaround

Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force

Update 3/12/2020

Microsoft released an out of band patch: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

A vulnerability exists in how SMB3 Compressed data is handled that can be leveraged to write data out of normal bounds. This vulnerability is triggered by sending a specially crafted COMPRESSION_TRANSFORM_HEADER as defined in subsections of MS-SMB2 2.2.42. The OriginalCompressedSegmentSize value triggers an integer overflow when it is set to a large value. This vulnerability could be triggered prior to authenticating to the server.

When details of this vulnerability were first made public, the vulnerability was unpatched. The official recommendation from Microsoft was to disable SMB3 compression as a temporary fix.

Due to modern mitigation technologies, exploiting this vulnerability remotely to obtain code execution is non-trivial. Public PoCs do exist which trigger the vulnerable code path, and one serves as an example of using this vulnerability in the context of a local privilege escalation technique.

This vulnerability exploits an integer overflow vulnerability that exists in SMBv3.1.1’s decompression algorithm which is within it’s kernel-mode driver (srv2.sys), srv2!Srv2DecompressData is the routine which is responsible for the decompression of compressed request packets. The successful exploitation of this vulnerability will allow an unprivileged user pre authenticated remote code execution which can grant a system level shell.

The impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system level access in kernel mode. This vulnerability has also been deemed as wormable which makes it a priority for attackers to utilize.

Microsoft has released a patch for this, and everyone should take proper precautions when enabling compression within SMB.

Without Microsoft Officially publishing this one, it’s difficult to do much of any analysis. The description & early reports are that it’s a wormable buffer overflow in SMBv3 Compression, which from what I can find is on by default in SMBv3.

This appears to now be exploited in the wild: https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796

RCE PoC: https://github.com/chompie1337/SMBGhost_RCE_PoC

I wanted to note there’s a public DoS PoC here: https://github.com/eerykitty/CVE-2020-0796-PoC
Another one is here: https://gist.github.com/asolino/45095268f0893bcf08bca3ae68a755b2

Here’s the research on RCE as well, which confirms it was challenging to exploit! Hopefully everyone is patched by now: https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html

And another example using maybe a different infoleak (not many details there yet):
https://twitter.com/ZecOps/status/1252288104435761154

And, today with everyone Coronavirus sequestered, you’re unlikely to inflict any sort of at-scale exploitation if everyone’s at home on a host-isolated VPN and literally inaccessible from a mass networking PoV in an office. Hey, maybe working from home is good for security!