Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796

By cyberstruggle in Articles, Delta Group

Vulnerability description

This morning, Microsoft released patches for CVE-2020-0796, an SMBv3 remote code execution vulnerability. Microsoft’s advisory states that a crafted SMBv3 packet can be used to achieve remote code execution on a vulnerable SMB endpoint, affecting the following Windows versions:

  • Windows 10 v1903
  • Windows 10 v1909
  • Windows Server v1903
  • Windows Server v1909

The vulnerability does not affect Windows 7, 8, 8.1, or older versions.

Vulnerability Exploitation

An integer overflow occurs when an attacker sends a crafted packet to the vulnerable SMB server, and this can lead to code execution in the context of “NT AUTHORITY\System”. On the other hand, it is a kernel pool overflow in a modern operating system, so KASLR and other mitigations apply, which makes a new WannaCry in the wild much less easy to pull off; a BSOD, however, is very easy to achieve.

The root cause

As mentioned in Microsoft’s advisory, the vulnerability exists in SMB packet compression. We started by diffing srv2.sys (the SMBv2/3 server driver) and quickly highlighted the Srv2DecompressData function, which was interesting because the patch is located right around it.

Srv2DecompressData

By checking the MS-SMB2 documentation on packet compression and debugging srv2.sys, it took some time to figure out how Srv2DecompressData works. As the image below shows, it allocates a buffer and decompresses the payload into it.

Srv2DecompressData

Checking the patched function quickly reveals some checks before the buffer is allocated; after analyzing the unpatched function, we found that it takes user-controlled inputs without any validation.

COMPRESSION_TRANSFORM_HEADER is used when the server or client exchange compressed SMB messages. As mentioned in the documentation, this header is only valid in SMB 3.1.1, and “Windows 10 v1809 and prior and Windows Server v1809 and prior do not send or process SMB2 COMPRESSION_TRANSFORM_HEADER.” This means Windows 10 v1809 and prior and Windows Server v1809 and prior are not affected, which explains why there is no patch for v1809. The COMPRESSION_TRANSFORM_HEADER is processed inside Srv2DecompressData, leaving OriginalCompressedSegmentSize and OffsetOrLength under attacker control.

COMPRESSION_TRANSFORM_HEADER

BSOD

A crafted SMB packet with a bad “Compressed Data Length” in the COMPRESSION_TRANSFORM_HEADER will trigger the bug and cause a BSOD.

Recommendation

Disabling SMBv3 compression prevents exploitation of the bug; this can be done with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

We also wrote a detection script (NSE) for Nmap. You can get the script from our GitHub repo: https://github.com/cyberstruggle/DeltaGroup
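As an added example (not part of the original article or the Delta Group tooling), the following PowerShell function audits a host for the workaround above: it checks whether the build is one of the 1903/1909 releases (public build numbers 18362 and 18363), whether DisableCompression is set, and whether the LanmanServer service is running. It does not verify that the March 2020 patch is installed, so "WorkaroundNotApplied" means only that compression is still enabled on an in-scope build; the function name and status strings are our own.

```powershell
# Added example: audit the SMBv3 compression workaround for CVE-2020-0796.
# Not from the original article; function name and status labels are ours.
function Get-Smbv3CompressionExposure {
    [CmdletBinding()]
    param(
        # Registry key the article's Set-ItemProperty command writes to.
        [string]$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Windows 10 / Server 1903 = build 18362, 1909 = build 18363 (public build numbers).
    # Only these releases ship the SMB 3.1.1 compression code path the article describes.
    $affectedBuilds = @(18362, 18363)
    $inScope = $affectedBuilds -contains $build

    # DisableCompression = 1 is the workaround; a missing value means compression is enabled.
    $value = (Get-ItemProperty -Path $RegPath -Name 'DisableCompression' `
                 -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($value -eq 1)

    # If the SMB server service is not running, the vulnerable code path is not reachable.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $smbServerRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    $status = if (-not $inScope)            { 'NotInAffectedVersionRange' }
              elseif ($compressionDisabled) { 'Mitigated-CompressionDisabled' }
              elseif (-not $smbServerRunning) { 'ServerServiceStopped' }
              else                          { 'WorkaroundNotApplied' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Caption            = $os.Caption
        BuildNumber        = $build
        InAffectedRange    = $inScope
        DisableCompression = $value
        SmbServerRunning   = $smbServerRunning
        Status             = $status
    }
}

# Report the result; apply the article's workaround only where it is still missing.
$report = Get-Smbv3CompressionExposure
$report | Format-List
if ($report.Status -eq 'WorkaroundNotApplied') {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name DisableCompression -Type DWORD -Value 1 -Force
}
```

Run it in an elevated PowerShell session; the registry write and the registry read of a missing value both rely on administrator rights to be meaningful.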
