https://github.com/cve-2020-0796/cve-2020-0796

Python
CVE-2020-0796 - a wormable SMBv3 vulnerability. How to work.

CVE-2020-0796

CVE-2020-0796 - a wormable SMBv3 vulnerability.

1. Information.

2. Scan Vul.

3. Infected system.

4. Demo POC.

5. Exploit Script:

6. How to prevent.

7. How to detect?.

8. FAQ.

---

1. Information:

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

2. Scan Vul:

  + Usage CVE-2020-0796_Scan_Vul.py: python3 CVE-2020-0796_Scan_Vul.py [IP]
  + Usage scan_vul_smb_v3.11.sh: ./scan_vul_smb_v3.11.sh [IP]

3. Infected system:

  + Windows 10 Version 1903 for 32-bit Systems
  + Windows 10 Version 1903 for ARM64-based Systems
  + Windows 10 Version 1903 for x64-based Systems
  + Windows 10 Version 1909 for 32-bit Systems
  + Windows 10 Version 1909 for ARM64-based Systems
  + Windows 10 Version 1909 for x64-based Systems
  + Windows Server, version 1903 (Server Core installation)
  + Windows Server, version 1909 (Server Core installation)
 

4. Demo POC:

Watch Video POC

5. Exploit Script:

Public on 18 March 2020 (After 5 days release patch update from Vendor).

6. How to prevent?

Patch update from Microsoft is available, update now. Download Patch Now - KB4551762

Workacounds: Disable SMBv3 compression: You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

7. How to detect?.

Rule Snort:

###############
# Rules by Claroty
# This rules will detect SMB compressed communication by the SMB protocol identifier. 
# The use of the offset and depth parameter is designed to prevent false positives and to allow the NetBios Layer
###############
alert tcp any any -> any 445 (msg:"Claroty Signature: SMBv3 Used with compression - Client to server"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000001; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)
alert tcp any 445 -> any any (msg:"Claroty Signature: SMBv3 Used with compression - Server to client"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000002; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)

8. FAQ

• Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

• Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network Preventing SMB traffic from lateral connections and entering or leaving the network
• Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?

No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.