CVE2020-0796 SMBv3 RCE
Latest commit 66bdde3 Mar 15, 2020

nse_script added nse script Mar 11, 2020
pcaps added snort and pcap Mar 15, 2020
python_script added python script Mar 11, 2020
snort_rules added snort and pcap Mar 15, 2020
LICENSE
README.md Update README.md Mar 15, 2020

README.md

CVE2020-0796

For more information, see https://blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3

SMBv3 Compression Tester

Multiple scripts and detection tools to check whether a Windows machine has the SMBv3 protocol enabled with the compression feature.

  • NSE script
  • Python script
  • Snort rules:
    • alerting on compressed SMB traffic, and compression-enabled hosts
    • alerting on a DoS implementation of the vulnerability
  • pcaps - examples of traffic using SMBv3 compression, and implementation of a DoS attack using the vulnerability

Notes

Our NSE script is based on smb2-capabilities.nse, which we expanded to detect SMBv3 compression as well. Currently it is a standalone NSE script with a patched Lua file, but we will open a PR against the nmap repository with those changes.

Example

Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-11 18:17 IST
Nmap scan report for 1.2.3.4
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-capabilities_patched:
|   2.02:
|     Distributed File System
|   2.10:
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.00:
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.02:
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.11:
|     Distributed File System
|     Leasing
|     Multi-credit operations
|_    SMBv3 Compression LZTN1 (Negotiation Context)   <----------

Supported CVEs

  • CVE-2020-0796

Requirements

  • nmap

Usage

cd into SMBv3Compression (your current working directory must be the one containing the script files) and run:

nmap -p445 --script ./smb2-capabilities_patched.nse IP_ADDR

Search for SMBv3 Compression LZTN1 (Negotiation Context).
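
What that result line corresponds to on the wire, as an added example (not code from this repository): a Python parser that walks the negotiate context list of an SMB 3.1.1 NEGOTIATE response and reports the compression algorithms the server advertised. Field offsets and algorithm names follow MS-SMB2; `compression_algorithms` and `sample_response` are hypothetical names, and the sample response is constructed inside the block.

```python
import struct

COMPRESSION_CAPABILITIES = 0x0003   # SMB2 negotiate context type (MS-SMB2)
ALGORITHMS = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman"}   # names as in MS-SMB2

def compression_algorithms(msg):
    """List compression algorithms in an SMB2 NEGOTIATE response.

    msg starts at the SMB2 header (transport length prefix stripped).
    An empty list means the server did not negotiate compression.
    """
    if len(msg) < 128 or msg[:4] != b"\xfeSMB" or msg[12:14] != b"\x00\x00":
        raise ValueError("not an SMB2 NEGOTIATE response")
    dialect, ctx_count = struct.unpack_from("<HH", msg, 64 + 4)
    if dialect != 0x0311:               # negotiate contexts exist only in 3.1.1
        return []
    (offset,) = struct.unpack_from("<I", msg, 64 + 60)   # counted from header start
    found = []
    for _ in range(ctx_count):
        if offset + 8 > len(msg):
            raise ValueError("truncated negotiate context")
        ctx_type, data_len = struct.unpack_from("<HH", msg, offset)
        data = msg[offset + 8 : offset + 8 + data_len]
        if len(data) < data_len:
            raise ValueError("truncated negotiate context")
        if ctx_type == COMPRESSION_CAPABILITIES and data_len >= 8:
            (count,) = struct.unpack_from("<H", data, 0)
            count = min(count, (data_len - 8) // 2)      # never read past the context
            ids = struct.unpack_from(f"<{count}H", data, 8)
            found += [ALGORITHMS.get(i, hex(i)) for i in ids if i != 0]  # 0 = NONE
        offset = (offset + 8 + data_len + 7) & ~7        # contexts are 8-byte aligned
    return found

def _ctx(ctx_type, data):
    raw = struct.pack("<HHI", ctx_type, len(data), 0) + data
    return raw + bytes(-len(raw) % 8)                    # pad to the next 8-byte boundary

def sample_response(algs):
    """Constructed SMB 3.1.1 NEGOTIATE response (built here, not captured traffic)."""
    header = b"\xfeSMB" + struct.pack("<H", 64) + bytes(58)
    body = struct.pack("<HHHH", 65, 1, 0x0311, 2) + bytes(52) + struct.pack("<I", 128)
    preauth = _ctx(0x0001, struct.pack("<HHH", 1, 32, 1) + bytes(32))  # SHA-512 + salt
    comp = _ctx(COMPRESSION_CAPABILITIES,
                struct.pack(f"<HHI{len(algs)}H", len(algs), 0, 0, *algs))
    return header + body + preauth + comp

if __name__ == "__main__":
    print(compression_algorithms(sample_response([1])))
```

A server only returns this context when the client's NEGOTIATE request offered compression, so an empty list from a request that did not offer it says nothing about the host.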

Disable SMBv3 compression

You can disable SMBv3 compression with the PowerShell command below:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

License

Apache License 2.0. See the parent directory.

Disclaimer

There is no warranty, expressed or implied, associated with this product.
