{"id":14667,"date":"2020-06-06T08:42:02","date_gmt":"2020-06-06T06:42:02","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=14667"},"modified":"2020-06-06T08:42:02","modified_gmt":"2020-06-06T06:42:02","slug":"windows-10-poc-for-smbghost-vulnerability","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/06\/06\/windows-10-poc-for-smbghost-vulnerability\/","title":{"rendered":"Windows 10: PoC for SMBGhost vulnerability"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/win102.jpg\" width=\"58\" align=\"left\" height=\"58\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/06\/06\/windows-10-poc-fr-smbghost-schwachstelle\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Users of Windows 10 systems should patch them, as a new proof of concept (PoC) for the SMBGhost vulnerability has become public. Here are a few details about that.<\/p>\n<h2>SMBGhost Vulnerability CVE-2020-0796<\/h2>\n<p>There is a serious but patched vulnerability in the SMBv3 network protocol in Windows. This could allow the spread of worms, but is not currently exploited. Microsoft provided the information in a security advisory <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/ADV200005\" target=\"_blank\" rel=\"noopener noreferrer\">ADV200005<\/a> (see also my blog post <a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/11\/windows-smbv3-0-day-schwachstelle-cve-2020-0796\/\">Windows SMBv3 0-day-Schwachstelle CVE-2020-0796<\/a>). 
On March 12, 2020, Microsoft released an out-of-band security update <a href=\"https:\/\/support.microsoft.com\/help\/4551762\/\">KB4551762<\/a> for the SMBv3 vulnerability CVE-2020-0796 in Windows 10 and Windows Server (see my blog post <a href=\"https:\/\/borncity.com\/win\/2020\/03\/12\/windows-10-patch-for-smbv3-vulnerability-cve-2020-0796\/\">Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796<\/a>).<\/p>\n<p>The problem is that this update causes installation errors for some users. I had pointed out such problems in the blog post <a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/13\/windows-10-fehler-0x800f0988-0x800f0900-bei-kb4551762\/\">Windows 10: KB4551762 causes error 0x800f0988\/0x800f0900<\/a>. Bleeping Computer has collected more errors in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-10-kb4551762-security-update-fails-to-install-causes-issues\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a> (see also my blog post <a href=\"https:\/\/borncity.com\/win\/2020\/03\/19\/news-about-the-windows-smbv3-vulnerability-smbghost\/\">News about the Windows SMBv3 vulnerability SMBGhost<\/a>).<\/p>\n<h2>Proof of concept, patching required<\/h2>\n<p>Those who have not yet closed the SMBGhost vulnerability CVE-2020-0796 on affected machines with an update should definitely act now. 
It is only a matter of time before the (numerous) unpatched machines are attacked by cyber criminals via this vulnerability.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit &#8211; <a href=\"https:\/\/twitter.com\/Ionut_Ilascu?ref_src=twsrc%5Etfw\">@Ionut_Ilascu<\/a><a href=\"https:\/\/t.co\/B6r4bQbaHi\">https:\/\/t.co\/B6r4bQbaHi<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1268962576748228609?ref_src=twsrc%5Etfw\">June 5, 2020<\/a><\/p><\/blockquote>\n<p>From the above tweet from Bleeping Computer and the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-10-smbghost-bug-gets-public-proof-of-concept-rce-exploit\/\" target=\"_blank\" rel=\"noopener noreferrer\">related article<\/a> I gather that there have been attempts (<a href=\"https:\/\/twitter.com\/VK_Intel\/status\/1266243264077684736\" target=\"_blank\" rel=\"noopener noreferrer\">1<\/a>, <a href=\"http:\/\/twitter.com\/VK_Intel\/status\/1266790122378444802\" target=\"_blank\" rel=\"noopener noreferrer\">2<\/a>) in the past to exploit the vulnerability for Trojans. However, a security researcher has now published a proof of concept <a href=\"https:\/\/github.com\/chompie1337\/SMBGhost_RCE_PoC\" target=\"_blank\" rel=\"noopener noreferrer\">SMBGhost_RCE_PoC<\/a> on GitHub that can be used to exploit the vulnerability. The exploit is based on a physical read primitive, the security researcher told BleepingComputer. The PoC code was used to demonstrate this interesting primitive. Blue screens (BSOD) are the usual result &#8211; but the researcher says this primitive may make it easier to exploit future memory corruption bugs in SMB. At the moment an information leak is needed for remote exploitation. 
However, the primitive would allow a less complicated method. Security researcher Will Dormann has tested the PoC and got varying results &#8211; it is not yet considered a foolproof approach.<\/p>\n<p>But there are indications from other security researchers that the PoC works with modifications. Between the lines of the Bleeping Computer article I also read that corresponding information should be published in the coming days. The whole thing is therefore a reminder that administrators should install the patch (if not already done) &#8211; or alternatively disable SMBv3 compression. For more details, please see the related <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-10-smbghost-bug-gets-public-proof-of-concept-rce-exploit\/\" target=\"_blank\" rel=\"noopener noreferrer\">article from Bleeping Computer<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Users of Windows 10 systems should patch them, as a new proof of concept (PoC) for the SMBGhost vulnerability has become public. 
Here are a few details about that.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[766,69,655,76],"class_list":["post-14667","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-patch","tag-security","tag-smb","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=14667"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14667\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=14667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=14667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=14667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}