SMBGhost aka CVE-2020-0796

Updated: Sep 26, 2021

On 10 March 2020, while Covid19 was the main discussion point, people may not have noticed CVE-2020-0796, aka SMBGhost, being reported online. The remote code execution vulnerability exists in the Server Message Block 3.1.1 (SMBv3) protocol.


The vulnerability the media dubbed SMBGhost exists within Microsoft Server Message Block 3.0 (SMBv3) and is triggered by malformed compression headers.


Compression headers are a feature added to SMBv3 in May 2019, negotiated through negotiate context request packets.


This has created a vulnerability with wormable characteristics, that is to say it requires no human interaction and can spread from vulnerable system to vulnerable system with ease.

Exploitation


To exploit this vulnerability, an attacker needs to craft an SMBv3 packet containing a malformed compression header and send it to a vulnerable SMBv3 server.


To exploit SMBv3 clients, the attacker would need to entice a user to connect to a malicious SMBv3 server under the attacker's control. Successful exploitation could result in remote code execution.


At the time of release, Microsoft confirmed that they had not yet seen the vulnerability exploited in the wild.

The vulnerability affects the following:

  • Windows 10 Version 1903 for 32-bit Systems

  • Windows 10 Version 1903 for ARM64-based Systems

  • Windows 10 Version 1903 for x64-based Systems

  • Windows 10 Version 1909 for 32-bit Systems

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows Server, version 1903 (Server Core installation)

  • Windows Server, version 1909 (Server Core installation)

Older versions of Windows do not support SMBv3.1.1 compression and so are not affected.


What is SMB?


SMB is a protocol that provides a rich set of features such as file sharing, network browsing and printing services over a network; however, it has been plagued by years of vulnerabilities and exploits, the most famous of these being MS08-067 and MS17-010, dubbed EternalBlue. Both caused an industry-wide rush to patch systems and mitigate the risk of system compromise.


What’s SMBGhost’s impact?


Windows machines running SMBv3 can be targeted remotely, without the need for credentials (an unauthenticated attack); successful exploitation leads to the execution of arbitrary code with SYSTEM privileges (Administrator) on the vulnerable system.


Researchers from the cyber security firm Kryptos Logic found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting CVE-2020-0796, noting: “The SMB bug appears trivial to identify, even without the presence of a patch to analyze”.

Remediation


Microsoft have multiple scripts available to test if your systems are vulnerable. Most of the scripts focus on checking whether you are running a vulnerable version and might not be that effective on their own. It is imperative that a good patch management programme is in place and all systems are upgraded in good time.
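As an added example (not a script from the original post or from Microsoft), the PowerShell check below goes beyond a bare version test: it combines the release id against the affected list above, whether the fixing cumulative update is installed, and whether Microsoft's documented DisableCompression server-side workaround is set. The registry paths, the DisableCompression value and the placeholder KB id are assumptions not taken from this page; run it in an elevated session on the host being assessed.

```powershell
function Test-SmbGhostExposure {
    param(
        # KB id of the cumulative update that fixes CVE-2020-0796 for this release.
        # Placeholder: take the real id for your build from the MSRC advisory.
        [string]$FixKb = 'KB<from-MSRC-advisory>'
    )

    # Release id and build of the running OS (assumed registry location).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Only 1903 and 1909 (client and Server Core) ship SMBv3.1.1 compression.
    $affectedRelease = $cv.ReleaseId -in @('1903', '1909')

    # Workaround state: DisableCompression = 1 turns SMBv3 compression off for the
    # server role only; it does not protect this host when it acts as an SMB client.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $dc = (Get-ItemProperty -Path $params -Name DisableCompression `
              -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($dc -eq 1)

    # Patch state: present if the named cumulative update is installed.
    $patched = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    # Exposed as a server only when on an affected release, unpatched, and
    # without the workaround; an unpatched client stays exposed regardless.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $cv.ReleaseId
        Build               = "$($cv.CurrentBuild).$($cv.UBR)"
        AffectedRelease     = $affectedRelease
        FixInstalled        = $patched
        CompressionDisabled = $compressionDisabled
        ServerExposed       = ($affectedRelease -and -not $patched -and -not $compressionDisabled)
        ClientExposed       = ($affectedRelease -and -not $patched)
    }
}

Test-SmbGhostExposure | Format-List
```

Treat FixInstalled as the authoritative signal; the workaround fields only tell you whether the stop-gap is in place while patching is scheduled.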



