June 11, 2023

SMB 3.1.1 ghost .. It’s going to be an another Wannacry, Petya for sure if proper steps are not taken

On 03/12/20, Microsoft released an official advisory about a critical flaw in the SMB 3.1.1 protocol stack implementation. This vulnerability in the code is due to handling certain requests and response messages that could let an attacker perform Remote Code Execution in the context of the SYSTEM user. Exploiting the flaw requires a specially crafted SMB v3 “Compression Transform Header” Request or Response PDU. This flaw was assigned CVE-2020-0796 and is being labeled SMBGhost or CoronaBlue. CVE-2020-0796 affects a specific set of Windows 10 based devices with build versions 1903 and 1909. At this time we believe Windows 7 and prior are not impacted by this vulnerability.

To identify devices impacted security professionals can use the “winver” command-line utility. The screenshot below provides a breakdown of Windows 10 versions and their corresponding build IDs, highlighting the vulnerable versions.

At the time of writing this post, a query in Shodan identified over 35K potentially vulnerable and internet-accessible devices.

This bug is considered critical because it doesn’t require any authentication between the attacker and the victim. Additionally, this vulnerability could affect either the client or the server end of the communication.

Publicly available scanners and exploit code seems to focus on two goals:

1.Identifying targets (pre-crash phase) based on SMB protocol request and response behavior
2.Triggering the (integer) buffer overflow itself by sending malformed PDU

Technical Analysis

Identifying potential targets

This can be achieved by identifying whether the target host supports Data Compression. Based on the echoed back response data, it is possible to identify targets that are exploitable by this flaw, and those that are not. When an SMB server, receives a certain Negotiation request asking for its compression capabilities, it triggers a Negotiate Response Header, from the SMB server with the following information:

Triggering the Buffer Overflow and Crash
To trigger the crash on the target machine, the client must send an SMB2 Compression Transform Header PDU.

Impact and Mitigation

According to Microsoft, this flaw could lead to arbitrary remote code execution and could also be used by malware as a potential wormable component. We believe that wide exploitation is likely to occur fairly quickly. There are also some parallels with past attacks such as WannaCry (ShadowBroker), even though the exploitation techniques used in that case were different.

1. Disable SMB Compression in Registry

2. Cheeck your AV provider is capable of handle buffer overflows and prevent this exploit

3. Patch your machines with the specified updates

Leave a Reply

%d bloggers like this: