肥皂的小屋
CVE-2020-0796 Windows SMBGhost RCE Vulnerability

0x01 Introduction

SMB (Server Message Block) is a network file-sharing protocol used for communication between clients and servers; on Windows it is exposed by the LanmanServer service, which is the component this vulnerability affects.

0x02 Vulnerability Overview

Vulnerability Name: Microsoft SMBv3 Client/Server Remote Code Execution Vulnerability CVE-2020-0796

Threat Level: High

Vulnerability Type: Remote Code Execution

The vulnerability is caused by a flaw in the way the SMBv3 protocol handles maliciously crafted compressed packets, allowing a remote, unauthenticated attacker to execute arbitrary code on the target system. It is comparable to EternalBlue and is wormable: a compromised host could be used to attack other reachable SMB hosts without user interaction.

0x03 Affected Versions

  • Windows 10 version 1903 for 32-bit systems
  • Windows 10 version 1903 for x64-based systems
  • Windows 10 version 1903 for ARM64-based systems
  • Windows Server 1903 (Server Core installation)
  • Windows 10 version 1909 for 32-bit systems
  • Windows 10 version 1909 for x64-based systems
  • Windows 10 version 1909 for ARM64-based systems
  • Windows Server 1909 (Server Core installation)

Individual users can press Win+R, type winver and press Enter to check their current Windows version.

0x04 Vulnerability Detection

Qihoo 360 Non-destructive Scanner:


Python script:

Usage:

python scanner.py <IP>

Nmap detection script (NSE script):

nmap --script=CVE-2020-0796 <IP>

PowerShell detection script

By default, Windows does not run untrusted PowerShell scripts, so you first need to run Set-ExecutionPolicy RemoteSigned and confirm with Y.

0x05 Vulnerability Exploitation

Elevation of privilege: GitHub

0x06 Vulnerability Fix

  1. Tencent PC Manager SMB Vulnerability Fix Tool

  2. Antiy SMBv3 RCE Vulnerability Enhancement Tool

  3. Official Microsoft Patch

  4. Disable SMBv3 Compression

If you are unable to install the patch immediately, it is recommended to disable SMBv3 compression.

No restart is required. This workaround blocks remote code execution against the SMB server, but it does not protect SMB clients, which remain exposed until the official patch is installed.

PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
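The following script is an added example, not code from the original post: it ties the version check from section 0x03 to the workaround above by reading the OS build number (18362 = 1903, 18363 = 1909, a mapping assumed here from the affected-version list), reporting whether DisableCompression is already set, and applying the registry workaround only where it is needed. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the original post). Assumes the affected releases map to
# builds 18362 (1903) and 18363 (1909); adjust if your inventory uses other numbers.
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$lanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$currentVersion = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Test-SmbGhostExposure {
    # CurrentBuildNumber is stored as a string; cast it so the hashtable lookup matches.
    $build    = [int](Get-ItemProperty -Path $currentVersion).CurrentBuildNumber
    $disabled = (Get-ItemProperty -Path $lanmanParams -Name DisableCompression `
                 -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        Build               = $build
        AffectedRelease     = $affectedBuilds[$build]   # $null when not 1903/1909
        CompressionDisabled = ($disabled -eq 1)         # $false if the value is absent
    }
}

function Disable-SmbCompression {
    # Same workaround as the one-liner above; takes effect without a reboot.
    Set-ItemProperty -Path $lanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

$state = Test-SmbGhostExposure
if ($state.AffectedRelease -and -not $state.CompressionDisabled) {
    Write-Warning ("Windows 10/Server {0} (build {1}) has SMBv3 compression enabled; " +
                   "applying the DisableCompression workaround.") -f $state.AffectedRelease, $state.Build
    Disable-SmbCompression
    Write-Output "Workaround applied. SMB clients on this host are still exposed until the patch is installed."
} else {
    Write-Output ("No action needed: build {0}, affected release '{1}', compression disabled: {2}" `
                  -f $state.Build, $state.AffectedRelease, $state.CompressionDisabled)
}
```

Treat the registry change as a stopgap only; once the official patch is installed, the value can be reverted with the same command and `-Value 0`.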
