Recently , a vulnerability become popular in the underground forums and many news sites by the name , SMBGhost(CVE-2020-0796) which affects the Server Message Block protocol running on the port 445 or 139 of the current system . This protocol helps the users on a network to share , edit their resources on the SMB server . The vulnerability can be recognized as a mass wormable attack that if an attacker wants to,using this vulnerability can cause a great damage to the network in which the victim is present . This bug affects the Windows 10 versions 1903 and 1909 .This vulnerability existed due to the SMB server cannot able to handle the maliciously craft packets that cause the buffer overflow of the target server which can even affect the whole network . The bug existed in the integer overflow of Srv2DecompressData function in the srv2.sys SMB server driver . This vulnerability is the most commonly used in attack around the globe and the same vulnerability was exploited during the WannaCry and NotPetya ransomware outbreaks in 2017, using the EternalBlue exploit allegedly developed by the NSA and leaked by the Shadow Brokers hacking group in April 2017.
HOW TO EXPLOIT THE SMB VULNERABILITY
In this article I shall be explaining how can you exploit the newly emerged blue SMB vulnerability . Why is it called blue SMB ? It is so because when you exploit this vulnerability you get a blue screen which is due to Denial of Service attack due to buffer overflow on the SMB server.
Environment Setup :
- The exploit works in the windows version 1903 or 1909 . Make sure that you have the required version to test the vulnerability or else you can download the required .iso file from Internet.
- Make sure the python3 is installed in your system. ( python2 is not supported )
Proof Of Concept (POC) for the given exploit :
Note:- Initially the developers of the exploit have made the exploit to test on localhost but it is possible to do remote code execution for the same vulnerability for which exploit will later be created .
The exploit which I will use is the Local Privilege Escalation (LPE) to exploit the SMB vulnerability . This exploit is use to escalate local privileges of the user to that with administrative privileges on the system .
- Download the zip folder of LPE exploit for the SMB vulnerability using the link :
https://github.com/ZecOps/CVE-2020-0796-LPE-POC.git
- After cloning the exploit , unzip it .
- Click on the file poc.py. It will exploit the vulnerability and give you the administration priveledges .
- But sometimes the poc.py file do not able to run and thus we need to run the exploit alternatively .
- Select and copy the location of the poc.py file and then open the command prompt .
- On the shell window , type cd <location_of_poc.py> and press enter .
- Now you have entered the location of the exploit in the console and now we will run the exploit here .
- As the exploit is written in the python , we need python to run it .
- Type python3 poc.py.
- Wait for a minute or two .
- Now you will have the access to system32 folder.
- As you entered in the system32 , it means you have been granted administrative rights which is the aim of this exploit i.e. Local Privilege Escalation.
- Type whoami to check your authority.
CONCLUSION
Though initially this exploit can be used for the Local Privilege Escalation against this vulnerability but soon with more research and time , exploit can trigger remote code execution also . This vulnerability has been patched by Microsoft. Therefore it is advisable that :
- Keep up-to-date servers and endpoints to the latest Windows version to remediate this vulnerability.
- If possible disable SMBv3.1.1 compression of data in order to avoid trigger using the power shell command.
- If possible, block port 445 until updates are deployed.
RSU is security researcher who is constantly working to make world a secure place to live. He is working day and night in Cyber Security area.