8th July 2020
CVE-2020-0796 workaround by T13nn3s

CVE-2020-0796: RCE vulnerability in SMBv3 (GhostSMB)

CVE-2020-0796 is a remote code execution vulnerability in SMBv3. An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, or to a client that connects to a server the attacker controls. Users are encouraged to disable SMBv3 compression and to block TCP port 445 on firewalls and client computers. Exploitation of this vulnerability opens systems up to a “wormable” attack, which means it would be easy to move from victim to victim.

Microsoft has released patch KB4551762 to fix the SMBv3 vulnerability (see the patch section and the timeline below).

I just want to share this article with you. On the evening of 10 March 2020, I saw in my Twitter feed a message from MalwareHunterTeam about a “wormable” SMBv3 vulnerability.

[Image: the tweet from MalwareHunterTeam]

After this announcement, Microsoft released a security advisory for a remote code execution vulnerability in the SMBv3 (SMBv3.1.1) protocol. By sending a specially crafted packet to the target SMBv3 server, an attacker can exploit this buffer overflow vulnerability to execute arbitrary code on the server in the context of the SMB application. No further technical details have been disclosed; we only have the information shared by the security companies Cisco and Fortinet. It seems that this vulnerability was leaked accidentally.

According to some reports, this vulnerability is “wormable” and could easily spread from victim to victim, as we have seen before with WannaCry and NotPetya. Unlike WannaCry and NotPetya, CVE-2020-0796 is limited to SMBv3 and has no effect on Windows Server 2008 R2 and Windows 7 systems.

Affected Products

According to Microsoft, this vulnerability exists in a newly added feature to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.

Product                                                   Impact                 Severity
Windows 10 Version 1903 for 32-bit Systems                Remote Code Execution  Critical
Windows 10 Version 1903 for ARM64-based Systems           Remote Code Execution  Critical
Windows 10 Version 1903 for x64-based Systems             Remote Code Execution  Critical
Windows 10 Version 1909 for 32-bit Systems                Remote Code Execution  Critical
Windows 10 Version 1909 for ARM64-based Systems           Remote Code Execution  Critical
Windows 10 Version 1909 for x64-based Systems             Remote Code Execution  Critical
Windows Server, version 1903 (Server Core installation)   Remote Code Execution  Critical
Windows Server, version 1909 (Server Core installation)   Remote Code Execution  Critical

Proof Of Concept (POC)

No public proof of concept has been published yet. SophosLabs has developed a proof-of-concept exploit for the scenario in which the attacker is already inside the network, and has released a video demonstrating the exploit for this scenario.

Mitigations

Microsoft has not identified any mitigation for this vulnerability. On 12 March, Microsoft released the update KB4551762, which fixes the vulnerability in SMBv3.

Workaround

Microsoft has released a workaround for CVE-2020-0796: disable SMBv3 compression, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. I have written a PowerShell script that can be used for this workaround and published it on GitHub: https://github.com/T13nn3s/CVE-2020-0976.
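As an added example (this is not the author's GitHub script), the PowerShell below checks whether the local host is in scope and applies the ADV200005 workaround only when asked. It assumes the registry value Microsoft gives in ADV200005 (DisableCompression, a DWORD under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters), the update id KB4551762 from this post, and the OS build numbers 18362 (1903) and 18363 (1909); the firewall function is an optional extra for the port 445 advice at the top of the post and is not part of Microsoft's workaround.

```powershell
# Added example, not the author's script. Run from an elevated PowerShell prompt.
# Usage:  .\Check-SmbGhost.ps1            -> report only
#         .\Check-SmbGhost.ps1 -Apply     -> also disable SMBv3 compression if exposed
param([switch]$Apply)

# Registry value and path from Microsoft advisory ADV200005 (assumption: unchanged).
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'
$PatchId   = 'KB4551762'
# RTM build numbers of Windows 10 / Server 1903 and 1909 (assumption from public build lists).
$AffectedBuilds = @(18362, 18363)

function Test-AffectedBuild {
    # Only builds that ship SMB 3.1.1 compression are in scope for CVE-2020-0796.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($AffectedBuilds -contains $build)
}

function Get-SmbCompressionState {
    # 'Disabled' when the workaround is in place, 'Enabled' otherwise.
    # A missing value means the default, i.e. compression is enabled.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Test-PatchInstalled {
    # True when the out-of-band update is present in the installed hotfix list.
    return [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)
}

function Disable-SmbCompression {
    # The ADV200005 workaround. It protects the SMB server side only; an SMB client
    # that connects to a malicious server is not protected by this setting.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWord -Value 1 -Force
}

function Enable-SmbCompression {
    # Reverse the workaround once KB4551762 is installed.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWord -Value 0 -Force
}

function Block-InboundSmb {
    # Optional extra: block inbound TCP 445 on the host firewall (rule name is ours).
    New-NetFirewallRule -DisplayName 'Block inbound SMB (CVE-2020-0796)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

# --- report ---
if (-not (Test-AffectedBuild)) {
    Write-Host 'This build does not support SMBv3.1.1 compression; CVE-2020-0796 does not apply.'
    return
}
if (Test-PatchInstalled) {
    Write-Host "$PatchId is installed; the vulnerability is patched."
}
elseif ((Get-SmbCompressionState) -eq 'Disabled') {
    Write-Host "$PatchId is not installed, but SMBv3 compression is disabled (workaround active)."
}
else {
    Write-Warning "$PatchId is not installed and SMBv3 compression is enabled: host is exposed."
    if ($Apply) {
        Disable-SmbCompression
        Write-Host "SMBv3 compression is now $(Get-SmbCompressionState). No reboot is required."
    }
    else {
        Write-Host 'Re-run with -Apply to disable SMBv3 compression, or install the update.'
    }
}
```

The check reads the registry rather than relying on an SMB cmdlet because the compression switch is exposed only as this registry value. Keep in mind that disabling compression is a stop-gap for the server side; installing KB4551762 remains the real fix, after which Enable-SmbCompression restores the default.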

Scan HOST/CIDR with nmap script

nikallass has placed a script on Github which can determine if the target has the vulnerable SMB version and whether compression is enabled or not by using Nmap. Repository on Github: https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394

CVE-2020-0796 vulnerability checker

dickens88 has released a Python script on GitHub which can determine whether the target is vulnerable to CVE-2020-0796. Repository on GitHub: https://github.com/dickens88/cve-2020-0796-scanner/.

Microsoft patched CVE-2020-0796 (KB4551762)

On 12 March, Microsoft released an out-of-band update to fix the SMBv3 vulnerability. The update is available through Windows Update or as a direct download: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4551762.

Timeline

March 10, 2020 - Vulnerability got leaked
The vulnerability got leaked.

March 10, 2020 - Fortinet Threat Lookup
CVE-2020-0796 is added to the Threat Lookup from FortiGuard Labs.

March 11, 2020 - Microsoft Security Advisory
Microsoft has released ADV200005.

March 11, 2020 - T13nn3s created workaround script
Following ADV200005, T13nn3s has built and uploaded a PowerShell script with the workaround to GitHub.

March 11, 2020 - Microsoft Security Advisory updated
Microsoft has updated ADV200005 with clarifying statements on the workaround.

March 11, 2020 - nikallass released SMBv3.1.1 CVE-2020-0796 checker
Bash script to check whether a target has SMBv3.1.1 with compression enabled.

March 12, 2020 - Dickens88 released a CVE-2020-0796 vulnerability scanner
Python script which determines whether the target host is vulnerable to CVE-2020-0796.

March 12, 2020 - Microsoft released a patch for CVE-2020-0796
Microsoft has released the out-of-band update KB4551762, available through Windows Update or as a direct download.

March 12, 2020 - SophosLabs has developed a POC
SophosLabs’ Offensive Research has developed a proof-of-concept exploit for the ‘attacker already inside’ scenario.

March 10, 2020 - T13nn3s updated workaround script
The script now also checks whether the required Windows update is installed.

Microsoft has patched this vulnerability, but no further details have been revealed, so there is still no test to verify that the vulnerability is fixed by installing the KB4551762 update. As long as no exploit is publicly available, I do not expect active attacks abusing this vulnerability.
