Radu-Emanuel Chiscariu
Security Research Engineer

SMBGhost - An Overview of CVE-2020-0796

March 22, 2020 by Radu-Emanuel Chiscariu

On March 11, Microsoft released its monthly software update for Microsoft Windows, an event commonly referred to as “Patch Tuesday”. This update contained the largest number of security patches in Microsoft’s history, totaling 115 vulnerabilities. Some of them were critical issues, such as CVE-2020-0852, CVE-2020-0852, CVE-2020-0905, CVE-2020-0684, CVE-2020-0872 and, last but not least, CVE-2020-0796, our topic of discussion. Details about this possibly "wormable" security issue in the Microsoft Server Message Block (SMB) protocol accidentally leaked online before Microsoft released the regular patches for Windows clients to download. As with EternalBlue, exploiting this vulnerability does not require authentication, and a successful attempt leads to remote code execution on the targeted machine.

Details

CVE-2020-0796 is a security issue introduced in recent versions of Windows 10 builds 1903 and 1909 and Windows Server 2016. The vulnerability affects the compression feature of the SMB3 protocol. More precisely, the newer SMB protocol version 3.1.1 allows a client or server to advertise its supported compression capabilities. For better performance, SMB3 messages can be compressed during an SMB exchange, in which case a transform header is prepended to the compressed packet. To make use of this feature, both the client and the server must include the SMB2_COMPRESSION_CAPABILITIES field.

The header is a small (16 bytes) structure containing a magic value (ProtocolID), the uncompressed data size (OriginalCompressedSegmentSize), the compression algorithm used (CompressionAlgorithm), and an offset value used when chaining compressed packets (Offset/Length):

Figure 1: SMB3 compressed packet header structure

The vulnerability lies in the Microsoft Windows srv2.sys SMB kernel driver, which processes SMB packets. Any Windows instance containing srv2.sys file version 10.0.18362.329 is vulnerable.

Figure 2: Vulnerable srv2.sys SMB kernel driver

When negotiating an SMB3 exchange, the SMB endpoint that receives an SMB packet with the SMB2 COMPRESSION_TRANSFORM_HEADER calls srv2!Srv2DecompressData() to decompress it. This function allocates a buffer and then calls srvnet!SmbCompressionDecompress to decompress the payload. The size of the buffer allocated in memory is computed by adding the value of the OriginalCompressedSegmentSize field to the value of the Offset/Length field and placing the result in an unsigned 32-bit register. The issue is that this addition is made without ensuring that the register can hold the sum. As both values are within the control of the attacker, if their sum exceeds 0xFFFFFFFF, an integer overflow occurs and a buffer with an abnormally small size is allocated.

Figure 3: Disassembly for srv2.sys version 10.0.18362.329; comments added for clarity

As the original size of the payload within the SMB3 packet is bigger than the resulting size of the buffer, when srvnet!SmbCompressionDecompress is called to decompress data, a kernel-based buffer overflow occurs. 
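The size computation described above, reduced to a user-mode C sketch; this is an added example, not code from the original post and not the srv2.sys implementation. The struct, the function names, the size cap and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header fields named in the text (16 bytes on the wire, little-endian). */
struct comp_hdr {
    uint32_t original_size;   /* OriginalCompressedSegmentSize */
    uint16_t algorithm;       /* CompressionAlgorithm */
    uint32_t offset;          /* Offset/Length */
};

static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit read */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the buffer is short or the magic is wrong. */
int parse_comp_hdr(const uint8_t *buf, size_t len, struct comp_hdr *h) {
    static const uint8_t magic[4] = { 0xFC, 'S', 'M', 'B' };
    if (len < 16 || memcmp(buf, magic, 4) != 0) return -1;
    h->original_size = rd32(buf + 4);
    h->algorithm = (uint16_t)(buf[8] | buf[9] << 8);
    h->offset = rd32(buf + 12);
    return 0;
}

/* Flawed pattern: the 32-bit sum silently wraps modulo 2^32. */
uint32_t alloc_size_unchecked(const struct comp_hdr *h) {
    return h->original_size + h->offset;
}

/* Hardened pattern: refuse any sum that would wrap or exceed cap. */
int alloc_size_checked(const struct comp_hdr *h, uint32_t cap, uint32_t *out) {
    if (h->original_size > cap || h->offset > cap - h->original_size) return -1;
    *out = h->original_size + h->offset;
    return 0;
}

/* Constructed, well-formed header: original size 0x1000, offset 0x20. */
const uint8_t sample_hdr[16] = { 0xFC, 'S', 'M', 'B', 0x00, 0x10, 0, 0,
                                 0x01, 0x00, 0, 0, 0x20, 0, 0, 0 };

int main(void) {
    struct comp_hdr h, wrap = { 0xFFFFFFFFu, 1, 0x10 };  /* constructed values */
    uint32_t size = 0;
    if (parse_comp_hdr(sample_hdr, sizeof sample_hdr, &h) != 0) return 1;
    printf("benign rc=%d\n", alloc_size_checked(&h, 1u << 24, &size));
    printf("wrapped=0x%x rc=%d\n", (unsigned)alloc_size_unchecked(&wrap),
           alloc_size_checked(&wrap, 1u << 24, &size));
    return 0;
}
```

The wrapped sum is far smaller than the size the header claims for the decompressed data, which is the mismatch the paragraph above describes; the checked variant rejects the header before any allocation takes place.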

In-the-Wild Activity

At the beginning of March, our honeypots detected a sudden increase in SMB-related activity, culminating in 63,322 scans on the 13th of March, immediately after Microsoft released the security advisory for CVE-2020-0796. These events are most probably caused by scans for vulnerable or exposed SMB servers.

Multiple proof-of-concept BSOD exploits also appeared shortly after Microsoft published the advisory; these can be used for DoS attempts.

To gauge the impact of this security issue: at the time of writing, approximately 48,000 hosts appear to be vulnerable to CVE-2020-0796, as reported by Kryptos Logic.

Prevention

As the vulnerability is still unpatched at the time of writing, we recommend following Microsoft’s guidelines for preventing lateral SMB connections and SMB traffic entering or leaving the network. If intrusion detection systems such as Snort are employed, the following Snort rules can be used to detect SMB exchanges that make use of the compression feature:

alert tcp any any -> any 445 (msg:"Alert: SMBv3 Used with compression - Client to server"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000001; rev:1; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796;)

alert tcp any 445 -> any any (msg:"Alert: SMBv3 Used with compression - Server to client"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000002; rev:1; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796;)

Our team has developed a strike for CVE-2020-0796 that is available starting with the BreakingPoint ATI Strikepack 381858. 
