Description and Impact
Also known as CoronaBlue, EternalDarkness and SMBleedingGhost, this critical pre-authentication buffer-overflow RCE vulnerability affects Microsoft SMB version 3.1.1 when SMBv3 compression is enabled. It occurs when the server attempts to decompress a data packet with a malformed header, causing a memory buffer overflow. That overflow corrupts memory, which can crash the kernel or allow an attacker to execute arbitrary code.
This vulnerability affects both servers and clients. To attack a server, the attacker sends a compressed data packet with the malformed header to that server. To exploit a client, the attacker must set up a malicious SMBv3 server and trick a user into connecting to it.
The following products and versions are affected:
| Product | Version |
| --- | --- |
| Windows Server | 1903 |
| Windows Server | 1909 |
| Windows 10 | 1903 for x86-32bit, x86-64bit, ARM-64bit Systems |
| Windows 10 | 1909 for x86-32bit, x86-64bit, ARM-64bit Systems |
Lifecycle and Trend
This vulnerability was accidentally disclosed on March 10th, 2020 in a security vendor's blog post covering March's Microsoft Patch Tuesday; that accidental disclosure identified it as CVE-2020-0796. Microsoft confirmed it on March 12th, 2020 and released an out-of-band patch.
From the beginning of March, Keysight's honeypots detected a sudden increase in SMB-related activity, with 63,322 scans on March 13th.
Multiple PoCs were released after Microsoft published the security advisory.
Programming Flaw
There are two main flaws leading to this vulnerability:
- Improper Input Validation: When the server receives a compressed data packet, it does not check the size of the uncompressed data before starting decompression. Such a check should be added, and the packet rejected if the size is too large.
- Missing Memory Allocation Checks: Before writing decompressed data to the buffer, the code does not ensure that the buffer has adequate space. This check should be added, and the packet accepted or rejected depending on the result.
Exploitation Methodology
This vulnerability can be exploited through an integer overflow bug in the Srv2DecompressData function in Srv2.sys. It is triggered when the SMB server receives a malformed SMB2_Compression_Transform_Header. Srv2DecompressData then creates a buffer to hold the decompressed data, computing the buffer size by adding "OriginalSize" to "Offset" and passing the result to the SrvNetAllocateBuffer function. When that addition overflows, the kernel allocates a buffer much smaller than required, so the decompressed data overruns it, corrupting memory and potentially crashing the kernel.
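The size computation described here and the two missing checks listed under Programming Flaw, as an added illustration (my own code, not Srv2.sys or any vendor's): a small parser for the 16-byte SMB2 compression transform header, the unchecked 32-bit "OriginalSize + Offset" sum that wraps silently, and a hardened version that refuses the packet before any decompression buffer is allocated. The header layout follows MS-SMB2; the MAX_DECOMPRESSED_SIZE cap is an assumed policy value, not a Windows constant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2): 16 bytes, little-endian. */
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu
#define SMB2_COMPRESSION_HDR_LEN 16u
/* Assumed policy cap on the decompressed buffer; not a Windows constant. */
#define MAX_DECOMPRESSED_SIZE (16u * 1024u * 1024u)
struct smb2_compression_hdr {
    uint32_t original_size;   /* size of the data after decompression */
    uint16_t compression_algorithm;
    uint16_t flags;
    uint32_t offset;          /* uncompressed bytes preceding the compressed payload */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parses the header; false if the packet is too short or the protocol id is wrong. */
bool parse_compression_hdr(const uint8_t *pkt, size_t len, struct smb2_compression_hdr *h) {
    if (len < SMB2_COMPRESSION_HDR_LEN || rd32(pkt) != SMB2_COMPRESSION_PROTOCOL_ID) return false;
    h->original_size = rd32(pkt + 4);
    h->compression_algorithm = (uint16_t)(pkt[8] | (pkt[9] << 8));
    h->flags = (uint16_t)(pkt[10] | (pkt[11] << 8));
    h->offset = rd32(pkt + 12);
    return true;
}

/* The flawed computation: OriginalSize + Offset wraps in 32-bit arithmetic, so a huge
 * OriginalSize yields a tiny allocation for a huge decompressed output. */
uint32_t unchecked_alloc_size(const struct smb2_compression_hdr *h) {
    return h->original_size + h->offset;
}

/* Hardened computation (pkt_len >= header length, as a successful parse guarantees):
 * rejects an Offset beyond the packet, a wrapping sum, and an oversize request. */
bool checked_alloc_size(const struct smb2_compression_hdr *h, size_t pkt_len, uint32_t *out) {
    if (h->offset > pkt_len - SMB2_COMPRESSION_HDR_LEN) return false;  /* Offset past payload */
    if (h->original_size > UINT32_MAX - h->offset) return false;       /* sum would wrap */
    uint32_t total = h->original_size + h->offset;
    if (total > MAX_DECOMPRESSED_SIZE) return false;                   /* unreasonable size */
    *out = total;
    return true;
}
```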
An exploit has been developed on Metasploit: exploit/windows/smb/cve_2020_0796_smbghost
Log Traces
The following network log patterns indicate attempts to exploit this vulnerability:
- Spikes in SMB traffic
- Specific packet patterns with the compression flag set and an anomalous size value
IDS Detection
Fortinet
Signature ID: 48773 MS.SMB.Server.Compression.Transform.Header.Memory.Corruption
Cisco Snort
1:53427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
1:53428 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
1:53426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
1:53425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
McAfee IPS
Attack Name: NETBIOS-SS: Samba Remote Code Execution Vulnerability (CVE-2020-0796)
Attack ID: 0x43c0e600
References
- https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server
- https://github.com/heeloo123/CVE-2020-0796
- https://gist.github.com/SwitHak/58d5bc7a12087e5c19fcd43f0630be1f
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/CVE-2020-0796.A&threatId=-2147215434
- https://www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block
- https://www.keysight.com/blogs/tech/nwvs/2022/02/11/smbghost-an-overview-of-cve-2020-0796