Vulnerability description
This morning, Microsoft released patches for CVE-2020-0796 SMBv3 RCE Microsoft’s advisory said a crafted SMBv3 packet could be used to achieve remote code execution on a vulnerable SMB Endpoint with a large scope of windows versions:
- Windows 10 v1903
- Windows 10 v1909
- Windows Server v1903
- Windows Server v1909
The vulnerability does not affect Windows 7, 8, 8.1, or older versions.
Vulnerability Exploitation
An integer overflow occurs when attacker send a crafted packet to the vulnerable SMB server, and this could lead to code execution on the context of “NT AUTHORITY\System” on the other hand it’s a kernel pool overflow in a modern operating system so we’re talking about KALSR and other mitigations which’s that not much easy to see a new wannacry in the wild, but BSOD is so easy to achieve
The root–cause
As mentioned in Microsoft’s advisory, the vulnerability exists in SMB packet compression; we started to diff srv2.sys which is the (SMBv2/3 server driver) we quickly highlighted “Srv2DecompressData” function which was quite interesting since the patch is just around this function
By checking MS-SMB2 documentation about packet compression and debugging srv2.sys it takes some time to figure out how Srv2DecompressData works and as we see from the image below it allocates a buffer, and decompress the payload
checking the patched function will quickly spot some checks before allocating the buffer, however, after analyzing the function, we figure out that we got user-controlled inputs without any validation methods
COMPRESSION_TRANSFORM_HEADER used when the server or client exchanging SMB Messages, as mentioned in the documentation this header only valid in SMB 3.1.1 also ” Windows 10 v1809 and prior and Windows Server v1809 and prior do not send or process SMB2 COMPRESSION_TRANSFORM_HEADER. ” which mean Windows 10 v1809 and prior and Windows Server v1809 are not affected, and that explains why there is no patch for v1809, and of course the COMPRESSION_TRANSFORM_HEADER getting processed inside Srv2DecompressData leaving OriginalCompressedSegmentSize and OffsetOrLength under attacker control
BSOD
a crafted SMB packet with a bad “Compressed Data Length” of the COMPRESSION_TRANSFORM_HEADER packet will trigger the bug and cause a BSOD
Recommendation
Disabling SMBv3 compression will prevent the exploitation of the bug and this can be done by the following command
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
We also wrote a detection script (NSE) for NMAP. You use script from our GitHub repo! https://github.com/cyberstruggle/DeltaGroup
