High
CVE-2020-0796 - SMBGhost
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-0796 - SMBGhost
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery Low
Technical Analysis
Summary
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday. Update 3/12/2020: Microsoft released an out of band patch
Narrative
Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”
Microsoft then released an advisory with more information: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
CERT followed: https://www.kb.cert.org/vuls/id/872016/
Impact
This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.
Affected Population
Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Identify Vulnerable Hosts
Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394
Workaround
Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Update 3/12/2020
Microsoft released an out of band patch: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityLow
Technical Analysis
A vulnerability exists in how SMB3 Compressed data is handled that can be leveraged to write data out of normal bounds. This vulnerability is triggered by sending a specially crafted COMPRESSION_TRANSFORM_HEADER
as defined in subsections of MS-SMB2 2.2.42. The OriginalCompressedSegmentSize
value triggers an integer overflow when it is set to a large value. This vulnerability could be triggered prior to authenticating to the server.
When details of this vulnerability were first made public, the vulnerability was unpatched. The official recommendation from Microsoft was to disable SMB3 compression as a temporary fix.
Due to modern mitigation technologies, exploiting this vulnerability remotely to obtain code execution is non-trivial. Public PoCs do exist which trigger the vulnerable code path, and one serves as an example of using this vulnerability in the context of a local privilege escalation technique.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityLow
Technical Analysis
This vulnerability exploits an integer overflow vulnerability that exists in SMBv3.1.1’s decompression algorithm which is within it’s kernel-mode driver (srv2.sys), srv2!Srv2DecompressData is the routine which is responsible for the decompression of compressed request packets. The successful exploitation of this vulnerability will allow an unprivileged user pre authenticated remote code execution which can grant a system level shell.
The impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system level access in kernel mode. This vulnerability has also been deemed as wormable which makes it a priority for attackers to utilize.
Microsoft has released a patch for this, and everyone should take proper precautions when enabling compression within SMB.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
Technical Analysis
Without Microsoft Officially publishing this one, it’s difficult to do much of any analysis. The description & early reports are that it’s a wormable buffer overflow in SMBv3 Compression, which from what I can find is on by default in SMBv3.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueLow
-
ExploitabilityVery Low
Technical Analysis
This appears to now be exploited in the wild: https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796
RCE PoC: https://github.com/chompie1337/SMBGhost_RCE_PoC
I wanted to note there’s a public DoS PoC here: https://github.com/eerykitty/CVE-2020-0796-PoC
Another one is here: https://gist.github.com/asolino/45095268f0893bcf08bca3ae68a755b2
Here’s the research on RCE as well, which confirms it was challenging to exploit! Hopefully everyone is patched by now: https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html
And another example using maybe a different infoleak (not many details there yet):
https://twitter.com/ZecOps/status/1252288104435761154
And, today with everyone Coronavirus sequestered, you’re unlikely to inflict any sort of at-scale exploitation if everyone’s at home on a host-isolated VPN and literally inaccessible from a mass networking PoV in an office. Hey, maybe working from home is good for security!
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 1903,
- windows 10 1909,
- windows server 2016 1903,
- windows server 2016 1909
Metasploit Modules
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: