Skip to content
CVE-2020-0796 - a wormable SMBv3 vulnerability. How to work.
Python Shell
Branch: master
Clone or download

Latest commit

Latest commit fd04c32 Mar 24, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
CVE-2020-0796_Scan_Vul.py Create CVE-2020-0796_Scan_Vul.py Mar 12, 2020
README.md Update README.md Mar 24, 2020
scan_vul_smb_v3.11.sh Update scan_vul_smb_v3.11.sh Mar 12, 2020
snort_rule_smbv3.rules Create snort_rule_smbv3.rules Mar 12, 2020

README.md

CVE-2020-0796

CVE-2020-0796 - a wormable SMBv3 vulnerability.

1. Information.

2. Scan Vul.

3. Infected system.

4. Demo POC.

5. Exploit Script:

6. How to prevent.

7. How to detect?.

8. FAQ.


1. Information:

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

2. Scan Vul:

  + Usage CVE-2020-0796_Scan_Vul.py: python3 CVE-2020-0796_Scan_Vul.py [IP]
  + Usage scan_vul_smb_v3.11.sh: ./scan_vul_smb_v3.11.sh [IP]

3. Infected system:

  + Windows 10 Version 1903 for 32-bit Systems
  + Windows 10 Version 1903 for ARM64-based Systems
  + Windows 10 Version 1903 for x64-based Systems
  + Windows 10 Version 1909 for 32-bit Systems
  + Windows 10 Version 1909 for ARM64-based Systems
  + Windows 10 Version 1909 for x64-based Systems
  + Windows Server, version 1903 (Server Core installation)
  + Windows Server, version 1909 (Server Core installation)
 

4. Demo POC:

Watch Video POC - https://www.youtube.com/watch?v=7rJXjtmRw3I

5. Exploit Script:

https://coronasmb[.]com[/]download

6. How to prevent?

Patch update from Microsoft is available, update now. Download Patch Now - KB4551762



Workacounds: Disable SMBv3 compression: You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

7. How to detect?.

Rule Snort:
###############
# Rules by Claroty
# This rules will detect SMB compressed communication by the SMB protocol identifier. 
# The use of the offset and depth parameter is designed to prevent false positives and to allow the NetBios Layer
###############
alert tcp any any -> any 445 (msg:"Claroty Signature: SMBv3 Used with compression - Client to server"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000001; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)
alert tcp any 445 -> any any (msg:"Claroty Signature: SMBv3 Used with compression - Server to client"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000002; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)

8. FAQ

  • Block TCP port 445 at the enterprise perimeter firewall
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.
You can’t perform that action at this time.