© All rights reserved.
Cyber Struggle Cyber Struggle
  • Home
  • Company
    • About Us
    • CS Manifesto
    • Open Letter for Ranger Grads
    • Careers
    • Press and Media
    • Contact Us
    • GDPR Notification
  • Products
    • Simulation Core
  • Courses
    • Ranger Certification
      • Ranger Certification
      • Ranger Grad Feedbacks
    • Aegis Certification (New)
      • Aegis Certification
      • Aegis Grad Feedbacks
    • Contemporary Certifications
      • Cyber Struggle Tactical Pistol Operator
  • For Corporates
  • Resources
    • Articles
    • Threat Reports
    • Tools
    • Announcements
  • Community
    • Community Programs
      • Ribbon Program
    • Delta Group
0
Cyber Struggle

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796

By CS Delta inArticles, Delta Group

Vulnerability description

This morning, Microsoft released patches for CVE-2020-0796 SMBv3 RCE Microsoft’s advisory said a crafted SMBv3 packet could be used to achieve remote code execution on a vulnerable SMB Endpoint with a large scope of windows versions:

  • Windows 10 v1903
  • Windows 10 v1909
  • Windows Server v1903
  • Windows Server v1909

The vulnerability does not affect Windows 7, 8, 8.1, or older versions.

Vulnerability Exploitation

An integer overflow occurs when attacker send a crafted packet to the vulnerable SMB server, and this could lead to code execution on the context of “NT AUTHORITY\System” on the other hand it’s a kernel pool overflow in a modern operating system so we’re talking about KALSR and other mitigations which’s that not much easy to see a new wannacry in the wild, but BSOD is so easy to achieve

The root–cause 

As mentioned in Microsoft’s advisory, the vulnerability exists in SMB packet compression; we started to diff srv2.sys which is the (SMBv2/3 server driver) we quickly highlighted “Srv2DecompressData” function which was quite interesting since the patch is just around this function

Srv2DecompressData

By checking MS-SMB2 documentation about packet compression and debugging srv2.sys it takes some time to figure out how Srv2DecompressData works and as we see from the image below it allocates a buffer, and decompress the payload

Srv2DecompressData

checking the patched function will quickly spot some checks before allocating the buffer, however, after analyzing the function, we figure out that we got user-controlled inputs without any validation methods

COMPRESSION_TRANSFORM_HEADER used when the server or client exchanging SMB Messages, as mentioned in the documentation this header only valid in SMB 3.1.1 also ” Windows 10 v1809 and prior and Windows Server v1809 and prior do not send or process SMB2 COMPRESSION_TRANSFORM_HEADER. ” which mean Windows 10 v1809 and prior and Windows Server v1809 are not affected, and that explains why there is no patch for v1809, and of course the COMPRESSION_TRANSFORM_HEADER getting processed inside Srv2DecompressData leaving OriginalCompressedSegmentSize and OffsetOrLength under attacker control

COMPRESSION_TRANSFORM_HEADER

BSOD

a crafted SMB packet with a bad “Compressed Data Length” of the COMPRESSION_TRANSFORM_HEADER packet will trigger the bug and cause a BSOD

Recommendation

Disabling SMBv3 compression will prevent the exploitation of the bug and this can be done by the following command

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

We also wrote a detection script (NSE) for NMAP. You use script from our GitHub repo! https://github.com/cyberstruggle/DeltaGroup

CVE-2020-0796Remote Code Executionsmbv3
  • Intelligence Planning
    Previous PostIntelligence Planning
  • Next PostMicrosoft ATA Evasion (Over PTH, Golden Ticket)
    Intelligence Planning

Related Posts

Ratelimit Bypass Tool: Whitepass
Announcements Articles Delta Group

Ratelimit Bypass Tool: Whitepass

Credential Dumping Tool: Chalumeau
Announcements Articles Delta Group

Credential Dumping Tool: Chalumeau

Microsoft ATA Evasion (Over PTH, Golden Ticket)
Articles Delta Group

Microsoft ATA Evasion (Over PTH, Golden Ticket)

Intelligence Planning
Articles Delta Group

Intelligence Planning

Leave a Reply (Cancel reply)

Your email address will not be published. Required fields are marked *

*
*

3 × 4 =

image
F.A.Q
Support Forum
Video Tutorials

Search panel can contain any widgets and shortcodes.

Call us: 0 800 255 22 55
Copy