PoC for triggering buffer overflow via CVE-2020-0796
Python
Branch: master

Latest commit 5378663 by Joseph Allen, Mar 14, 2020

Files

Name                    Latest commit message                    Commit time
smbclient               modified PoC to work unauthenticated     Mar 14, 2020
smbprotocol             modified PoC to work unauthenticated     Mar 14, 2020
CVE-2020-0796.py        make script exit if no arguments         Mar 14, 2020
LICENSE                 added PoC                                Mar 12, 2020
README.md               modified PoC to work unauthenticated     Mar 14, 2020
requirements-test.txt   added PoC                                Mar 12, 2020
setup.cfg               added PoC                                Mar 12, 2020
setup.py                added PoC                                Mar 12, 2020

README.md

CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost

Usage

./CVE-2020-0796.py servername

This script connects to the target host and sends a compressed authentication request whose transform header carries a bad offset field, causing a buffer overflow in the decompressor that crashes the target.

This repository contains a modification of the excellent smbprotocol library with added support for SMB 3.1.1 compression/decompression (LZNT1 only). Most of the additions are in smbprotocol/connection.py. A version of lznt1 is included, modified to support Python 3.

The compression transform header is implemented in the SMB2CompressionTransformHeader class in that file. The function _compress is called to compress tree requests; this is where the offset field is set to its maximum value to trigger the crash.

    def _compress(self, b_data, session):
        # Build the SMB2 COMPRESSION_TRANSFORM_HEADER that is prepended to the compressed message.
        header = SMB2CompressionTransformHeader()
        header['original_size'] = len(b_data)
        # Offset is set to the maximum unsigned 32-bit value (0xFFFFFFFF); this is the
        # field the server fails to bounds-check, which is what triggers the crash.
        header['offset'] = 4294967295
        header['data'] = smbprotocol.lznt1.compress(b_data)
        return header  # added to make the excerpt self-contained; not part of the README's excerpt

About

CVE-2020-0796 is a bug in the new SMB3 compression capability of Windows 10 1903/1909. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression capabilities and to selectively compress SMB3 messages where beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include an SMB2_COMPRESSION_CAPABILITIES context, as documented in MS-SMB2 2.2.3.1.3.

Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed and a compression transform header is prepended, as documented in MS-SMB2 2.2.42. This header is a small (16-byte) structure containing a magic value, the uncompressed data size, the compression algorithm used, and an offset value.

CVE-2020-0796 is caused by a lack of bounds checking on that offset field, which is passed directly to several subroutines. Passing in a large value causes a buffer overflow and crashes the kernel. With further work, this could be developed into an RCE exploit.
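The bounds check the decompressor lacked, written out as an added example (this is not code from this repository or from smbprotocol): it parses the 16-byte transform header described above and rejects an Offset that does not fit inside the packet or whose sum with the original size wraps a 32-bit counter. Field layout and algorithm identifiers follow MS-SMB2 2.2.42; the message-size ceiling and the sample frames are assumptions constructed for the example.

```python
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), little-endian, 16 bytes:
# ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2)
# | Flags/Reserved (2) | Offset (4)
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
PROTOCOL_ID = b"\xfcSMB"
KNOWN_ALGORITHMS = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}
MAX_SMB2_MESSAGE = 16 * 1024 * 1024  # assumption: sanity ceiling for one decompressed message


def check_transform_header(packet: bytes):
    """Validate the transform header at the start of `packet`.

    Returns (True, algorithm_name) when the header is well formed and the
    Offset/size pair passes the bounds check, otherwise (False, reason).
    """
    if len(packet) < HEADER_LEN:
        return False, "short header"
    proto, orig_size, algo, _flags, offset = struct.unpack_from(HEADER_FMT, packet)
    if proto != PROTOCOL_ID:
        return False, "bad ProtocolId"
    if algo not in KNOWN_ALGORITHMS:
        return False, f"unknown CompressionAlgorithm {algo:#06x}"
    payload_len = len(packet) - HEADER_LEN
    # The uncompressed prefix (Offset bytes) must lie inside the data after the header.
    if offset > payload_len:
        return False, f"Offset {offset} exceeds {payload_len} bytes of data"
    # Offset + OriginalCompressedSegmentSize is the size of the output buffer; it must
    # neither wrap a 32-bit length nor exceed a sane ceiling.
    total = offset + orig_size
    if total > 0xFFFFFFFF:
        return False, "Offset + OriginalCompressedSegmentSize overflows 32 bits"
    if total > MAX_SMB2_MESSAGE:
        return False, "decompressed size exceeds ceiling"
    return True, KNOWN_ALGORITHMS[algo]


def build_header(orig_size: int, algo: int, offset: int, data: bytes) -> bytes:
    """Assemble a transform header followed by `data` (used here only to build samples)."""
    return struct.pack(HEADER_FMT, PROTOCOL_ID, orig_size, algo, 0, offset) + data


# Constructed samples, not real captures: a benign LZNT1 frame, and one whose
# Offset is the 0xFFFFFFFF value used by the PoC's _compress.
BENIGN_FRAME = build_header(64, 0x0001, 0, b"\x00" * 40)
POC_SHAPED_FRAME = build_header(64, 0x0001, 0xFFFFFFFF, b"\x00" * 40)
```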
