
Example Analysis of the Inadvertently Disclosed Windows SMBv3 Worm Vulnerability

2025-03-28 Update. From: SLTechnology News&Howtos (shulou), Network Security

Shulou (Shulou.com) 05/31 Report--

This article presents an example analysis of the accidentally disclosed Windows SMBv3 worm vulnerability. The editor considers it very practical and shares it here for study; I hope you take something away from it.

The phantom CVE-2020-0796 vulnerability that vanished

BleepingComputer had previously learned that Microsoft would release a patch for the wormable SMBv3 remote code execution vulnerability (CVE-2020-0796) in March, but Microsoft did not release it.

There is not much information about this vulnerability, but it is so serious that it feels like another EternalBlue type of vulnerability.

CVE-2020-0796 exists in the Server Message Block 3.0 (SMBv3) network communication protocol, resulting from an error in the processing of maliciously constructed compressed packets by SMBv3. Remotely, an unauthenticated attacker can exploit this vulnerability to execute arbitrary code in the context of the application.

Although Microsoft did not issue a security advisory or explanation for the vulnerability, both Fortinet and the Cisco Talos team published information about it; the Cisco Talos team later deleted its post.

Cisco Talos noted that "an attacker can exploit this vulnerability by sending a specially crafted packet to the target SMBv3 server, and the victim needs to connect to the server. Exploiting this vulnerability can lead to a worm attack on the system, which means that the vulnerability can easily spread among victims."

Fortinet noted that if the vulnerability is successfully exploited, a remote attacker can take full control of the user's system. According to the announcement issued by Fortinet, the affected versions are as follows:

· Windows 10 Version 1903

· Windows Server Version 1903 (Server Core installation)

· Windows 10 Version 1909

· Windows Server Version 1909 (Server Core installation)

Given that Microsoft has been using SMBv3 since Windows 8 and Windows Server 2012, this vulnerability should affect more versions.

Unfortunately, there is not much other information about this vulnerability. Until Microsoft releases the security update for CVE-2020-0796, the mitigation measures in the post that Cisco Talos has since removed appear to be the most reliable available: Talos recommends that users disable SMBv3 compression and block TCP port 445 on client computers and firewalls.

Microsoft issued a security advisory on how to disable SMBv3 compression to protect servers from the vulnerability. According to the advisory, users can disable compression on the SMBv3 server with the following PowerShell command (no restart is required). Note that this workaround protects only the SMB server role; it does not prevent exploitation of SMB clients.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
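As an added example (not from the article or from Microsoft's advisory), the following PowerShell script audits the two mitigations described above on the local host: it reports whether the OS build is one of the listed 1903/1909 builds, whether the DisableCompression value is already set, and whether TCP 445 is listening and covered by an inbound block rule, and only applies the registry workaround when run with the hypothetical -Apply switch. It assumes an elevated session on Windows 10 or Windows Server 2019-era builds where the NetTCPIP and NetSecurity modules are available.

```powershell
# Added example: audit (and optionally apply) the SMBv3 compression workaround.
# Assumes an elevated PowerShell session. -Apply is a switch of this script, not of Microsoft's command.
[CmdletBinding()]
param([switch]$Apply)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name    = 'DisableCompression'

# 1. Is this one of the builds the Fortinet advisory lists? (1903 = build 18362, 1909 = build 18363)
$build    = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$affected = $build -in 18362, 18363
Write-Host ("OS build {0}: {1}" -f $build, $(if ($affected) { 'listed as affected' } else { 'not in the affected list' }))

# 2. Is SMBv3 server-side compression already disabled? (missing value means compression is on)
$current  = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
$disabled = ($current -eq 1)
Write-Host ("{0} = {1}: {2}" -f $name, ($current -as [string]),
    $(if ($disabled) { 'compression disabled' } else { 'compression ENABLED (workaround not applied)' }))

# 3. Is anything listening on TCP 445, and is there an enabled inbound block rule for it?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
Write-Host ("TCP 445 listening: {0}; inbound block rule present: {1}" -f [bool]$listening, [bool]$blockRule)

# 4. Optionally apply Microsoft's workaround (server side only, no reboot required).
if ($Apply -and -not $disabled) {
    Set-ItemProperty -Path $regPath -Name $name -Type DWORD -Value 1 -Force
    Write-Host "Applied: $name set to 1 (SMBv3 server compression disabled)."
}
```

Run it without -Apply first to see the current state; the block-rule check only reports rules that explicitly name TCP 445, so a rule blocking a port range would not be detected.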

An interesting vulnerability this month

Using CVE-2020-0872 to steal source code

The CVE-2020-0872 vulnerability is titled "Remote Code Execution Vulnerability in Application Inspector" and can be exploited by an attacker to steal the source code of files opened in Application Inspector.

According to Microsoft's security bulletin, a remote code execution vulnerability exists in Application Inspector 1.0.23 and earlier. The vulnerability occurs when Application Inspector displays sample code snippets from third-party source files in its HTML output. An attacker can exploit it to send the report section containing those code snippets to an external server. To exploit the vulnerability, the attacker needs to induce the user to run Application Inspector on source code that contains malicious third-party components.

Weaponized LNK files and Word documents

Two new vulnerabilities fixed by Microsoft this time allow attackers to create a specially crafted .LNK file or Word document to execute code when the user opens the file or document.

The first vulnerability is CVE-2020-0684, titled "LNK Remote Code Execution Vulnerability". An attacker can exploit it by creating a malicious LNK file that then executes code. Microsoft said in the advisory that the attacker would present the user with a removable drive or remote share containing a malicious .LNK file and an associated malicious binary. When the user opens the drive (or remote share) in Windows Explorer or in any other application that parses the .LNK file, the malicious binary executes attacker-controlled code on the target system.

The second vulnerability is CVE-2020-0852, titled "Microsoft Word Remote Code Execution Vulnerability". For an attacker to exploit it, the user must open a specially crafted file with an affected version of Microsoft Word. The attacker can send the user an email with a specially crafted Word attachment and induce the user to open it, host the crafted file on a website, or compromise a website that accepts or hosts user-submitted content, in each case inducing the user to open the Word document and thereby execute the code.

To make matters worse, the vulnerability also works on the preview pane of Outlook.

Security update list for the March 2020 Patch Tuesday

The following table shows some of the vulnerabilities Microsoft fixed on this month's Patch Tuesday.

The above is an example analysis of the inadvertently disclosed Windows SMBv3 worm vulnerability. The editor believes it contains some points that we may encounter or use in our daily work. I hope you can learn more from this article; for more details, please follow the industry information channel.
