Shulou(Shulou.com)05/31 Report--

What this article shares with you is about how to reproduce the SMBGhost vulnerability CVE-2020-0796. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Brief introduction of vulnerabilities:

The vulnerability is caused by an error caused by SMBv3 when processing maliciously crafted compressed packets, resulting in a buffer overflow on the SMB server. An attacker who successfully exploits this vulnerability can execute code on the targeted SMB server or client.

Threat Typ

Remote code execution

Threat level

High

Vulnerability number

CVE-2020-0796

Affected system and application version

Windows 10 version 1903 (for 32-bit systems)

Windows 10 version 1903 (for ARM64-based systems)

Windows 10 version 1903 (for x64-based systems)

Windows 10 version 1909 (for 32-bit systems)

Windows 10 version 1909 (for ARM64-based systems)

Windows 10 version 1909 (for) x64-based systems

Windows Server version 1903 (server core installation)

Windows Server version 1909 (server core installation)

Vulnerability recurrence: 1. Build environment (1) install python3 environment (2) build windows10 and turn off firewall

(3) check the IP of the virtual machine and whether it can communicate with ping.

(4) use scripts to detect vulnerabilities

Download address of detection tool:

Https://github.com/ollypwn/SMBGhost

Vulnerabilities can be exploited

(5) configure the environment needed to attack poc

Poc address:

Https://github.com/wanghuohuobutailao/SURICATA.rules.ch/raw/master/CVE-2020-0796-PoC-master.rar

(6) run poc after setting up the environment

Success in utilization

2. Repair suggestion

At present, the manufacturer has issued an upgrade patch to fix the vulnerability, and the patch gets the link:

Https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2020-0796

Or you can disable compression of the SMBv3 service using the following PowerShell command (no reboot is required):

Set-ItemProperty-Path "HKLM:\ SYSTEM\ CurrentControlSet\ Services\ LanmanServer\ Parameters" DisableCompression-Type DWORD-Value 1-Force

In addition, you can defend against attacks by preventing SMB traffic from flowing to the outside network.

The above is how to reproduce the SMBGhost vulnerability CVE-2020-0796. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.