Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796

Vulnerability description

This morning Microsoft released patches for CVE-2020-0796, a remote code execution vulnerability in SMBv3. Microsoft's advisory says that a crafted SMBv3 packet can be used to achieve remote code execution on a vulnerable SMB endpoint, and lists the following affected Windows versions:

  • Windows 10 v1903
  • Windows 10 v1909
  • Windows Server v1903
  • Windows Server v1909

The vulnerability does not affect Windows 7, 8, 8.1, or older versions.

Vulnerability Exploitation

An integer overflow occurs when an attacker sends a crafted packet to the vulnerable SMB server, and this can lead to code execution in the context of NT AUTHORITY\SYSTEM. On the other hand, it is a kernel pool overflow in a modern operating system, so mitigations such as KASLR have to be dealt with first; that makes a new WannaCry in the wild much less easy than it sounds, but a BSOD is very easy to achieve.

The root cause

As mentioned in Microsoft's advisory, the vulnerability lies in SMB packet compression. We started by diffing srv2.sys (the SMBv2/3 server driver) and quickly highlighted the Srv2DecompressData function, which was interesting because the patch is located around this function.

After reading the MS-SMB2 documentation on packet compression and debugging srv2.sys, it took some time to figure out how Srv2DecompressData works. As the image below shows, it allocates a buffer and then decompresses the payload into it.

 

Checking the patched function quickly reveals additional checks before the buffer is allocated. Analysing the unpatched function, we found that user-controlled inputs reach the allocation without any validation.

COMPRESSION_TRANSFORM_HEADER is used when the server and client exchange compressed SMB messages. As the documentation notes, this header is only valid in SMB 3.1.1, and "Windows 10 v1809 and prior and Windows Server v1809 and prior do not send or process SMB2 COMPRESSION_TRANSFORM_HEADER." This means that Windows 10 v1809 and prior and Windows Server v1809 and prior are not affected, which explains why there is no patch for v1809. The COMPRESSION_TRANSFORM_HEADER is processed inside Srv2DecompressData, leaving OriginalCompressedSegmentSize and OffsetOrLength under attacker control.

COMPRESSION_TRANSFORM_HEADER

 

BSOD

A crafted SMB packet with a bad "Compressed Data Length" in its COMPRESSION_TRANSFORM_HEADER triggers the bug and causes a BSOD.
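To make the root cause and the BSOD trigger concrete, here is an added example: a user-mode C model of the length handling in Srv2DecompressData. It is not code from the original post or from srv2.sys. Only the 16-byte field layout of COMPRESSION_TRANSFORM_HEADER is taken from MS-SMB2 2.2.42; the function names, the constructed sample messages and the exact form of the hardened check (written in the spirit of RtlULongAdd) are assumptions made for illustration. The model parses a header, computes the allocation size the way unpatched 32-bit arithmetic would (so a huge OriginalCompressedSegmentSize plus a small Offset wraps to a handful of bytes while the decompressor is still asked to produce the full OriginalCompressedSegmentSize), and shows a check that rejects the same header.

```c
/* Added example, not code from the original post or from srv2.sys: a user-mode
 * model of the length handling in Srv2DecompressData. The field layout follows
 * MS-SMB2 2.2.42; the function names, the constructed sample messages and the
 * exact form of the hardened check are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER: 16 bytes, little-endian (MS-SMB2 2.2.42). */
#define CTH_SIZE        16u
#define CTH_PROTOCOL_ID 0x424D53FCu /* on the wire: FC 'S' 'M' 'B' */

typedef struct {
    uint32_t ProtocolId;
    uint32_t OriginalCompressedSegmentSize; /* size of the payload once decompressed */
    uint16_t CompressionAlgorithm;
    uint16_t Flags;
    uint32_t Offset; /* "Offset/Length" in the spec: uncompressed bytes preceding the payload */
} compression_transform_header_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the transform header; false if the message is too short or not a compressed message. */
static bool parse_header(const uint8_t *msg, size_t len, compression_transform_header_t *h)
{
    if (len < CTH_SIZE || rd32(msg) != CTH_PROTOCOL_ID)
        return false;
    h->ProtocolId = rd32(msg);
    h->OriginalCompressedSegmentSize = rd32(msg + 4);
    h->CompressionAlgorithm = rd16(msg + 8);
    h->Flags = rd16(msg + 10);
    h->Offset = rd32(msg + 12);
    return true;
}

/* Unpatched-style size: two attacker-controlled ULONGs added in 32-bit arithmetic, so the
 * sum silently wraps while the decompressor is still asked for OriginalCompressedSegmentSize bytes. */
static uint32_t vulnerable_alloc_size(const compression_transform_header_t *h)
{
    return h->OriginalCompressedSegmentSize + h->Offset;
}

/* Patched-style size, in the spirit of RtlULongAdd: fail closed on 32-bit overflow and
 * reject an Offset that points past the bytes actually present after the header. */
static bool safe_alloc_size(const compression_transform_header_t *h, size_t msg_len, uint32_t *out)
{
    uint64_t sum = (uint64_t)h->OriginalCompressedSegmentSize + (uint64_t)h->Offset;
    if (sum > UINT32_MAX)
        return false; /* the kernel equivalent would be STATUS_INTEGER_OVERFLOW */
    if (msg_len < CTH_SIZE || h->Offset > msg_len - CTH_SIZE)
        return false; /* Offset exceeds the compressed payload that is present */
    *out = (uint32_t)sum;
    return true;
}

/* Verdict for one message: -1 not a compressed SMB message, 0 rejected by the hardened
 * check, 1 accepted. *vuln_size receives what the unpatched arithmetic would allocate. */
static int check_message(const uint8_t *msg, size_t len, uint32_t *vuln_size, uint32_t *safe_size)
{
    compression_transform_header_t h;
    if (!parse_header(msg, len, &h))
        return -1;
    *vuln_size = vulnerable_alloc_size(&h);
    return safe_alloc_size(&h, len, safe_size) ? 1 : 0;
}

/* Constructed samples (not captured traffic): header + 8 placeholder payload bytes, LZNT1. */
static const uint8_t kBadMessage[CTH_SIZE + 8] = {
    0xFC, 'S', 'M', 'B',        /* ProtocolId */
    0xFF, 0xFF, 0xFF, 0xFF,     /* OriginalCompressedSegmentSize = 0xFFFFFFFF */
    0x01, 0x00, 0x00, 0x00,     /* CompressionAlgorithm = 1, Flags = 0 */
    0x10, 0x00, 0x00, 0x00,     /* Offset = 0x10: 32-bit sum wraps to 0x0F */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
};
static const uint8_t kGoodMessage[CTH_SIZE + 8] = {
    0xFC, 'S', 'M', 'B',
    0x00, 0x10, 0x00, 0x00,     /* OriginalCompressedSegmentSize = 0x1000 */
    0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,     /* Offset = 0 */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
};

int main(void)
{
    uint32_t vuln = 0, safe = 0;
    int bad = check_message(kBadMessage, sizeof kBadMessage, &vuln, &safe);
    printf("bad header : unpatched allocates %u bytes, hardened check %s\n", vuln, bad == 1 ? "accepts" : "rejects");
    int good = check_message(kGoodMessage, sizeof kGoodMessage, &vuln, &safe);
    printf("good header: unpatched allocates %u bytes, hardened check %s\n", vuln, good == 1 ? "accepts" : "rejects");
    return 0;
}
```

For the constructed bad header the unpatched arithmetic yields a 15-byte allocation for a payload that is supposed to decompress to 4 GiB, which is the undersized kernel pool buffer the overflow writes past; the hardened check refuses it before anything is allocated. The real driver also has to account for the compressed data that follows the header and for the decompression routine's own output-size handling, which this model deliberately leaves out.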

Recommendation

Disabling SMBv3 compression on the server prevents exploitation of the bug against that server. This is Microsoft's documented workaround and can be done with the following PowerShell command (run from an elevated prompt; no reboot is required). Note that this setting does not protect the SMB client side, so the patch is still the real fix.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

We also wrote a detection script (NSE) for Nmap. You can get the script from our GitHub repo: https://github.com/cyberstruggle/DeltaGroup