Beware! A fully functional SMBGhost exploit will be coming soon!

A proof-of-concept remote code execution exploit for the Windows 10 “SMBGhost” vulnerability (CVE-2020-0796) was developed and presented yesterday by Yuki Koike, a researcher at Ricerca Security.

The vulnerability, which only impacts specific versions of Windows 10 and Windows Server, was found in Microsoft Server Message Block 3.1.1 and was leaked [2] during last month’s Patch Tuesday after being accidentally published by a number of security vendors that are part of the Microsoft Active Protections Program.

The researcher demoed a PoC RCE exploit, published a paper [1] with all the technical details, and shared a video demo:


Should I be worried?

Mildly! Ricerca Security has decided not to share their exploit to avoid having it fall into the wrong hands:

We have decided to make our PoC exclusively available to our customers to avoid abuse by script kiddies or cybercriminals

However, if you haven’t yet patched your systems against CVE-2020-0796, you should do it as soon as possible and, if you can’t update at the moment, Microsoft recommends disabling SMBv3 compression: please refer to my previous post [2] for technical details.
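As an added example (not code from the original post or from Ricerca Security), the following PowerShell snippet checks whether Microsoft’s documented workaround for CVE-2020-0796 is in place on a host and applies it if not. The registry location and the DisableCompression value are the ones published in Microsoft advisory ADV200005; the function names are assumptions chosen for this example.

```powershell
# Added example: check and apply the SMBv3 compression workaround for CVE-2020-0796.
# Registry path and value name are from Microsoft advisory ADV200005;
# the function names below are assumptions for this example.
$script:SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbV3CompressionDisabled {
    # Returns $true when DisableCompression is set to 1 (workaround applied), $false otherwise.
    $item = Get-ItemProperty -Path $script:SmbParams -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.DisableCompression -eq 1)
}

function Disable-SmbV3Compression {
    # Applies the workaround. Requires an elevated session; no reboot is needed.
    Set-ItemProperty -Path $script:SmbParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Enable-SmbV3Compression {
    # Reverts the workaround once the security update for CVE-2020-0796 has been installed.
    Set-ItemProperty -Path $script:SmbParams -Name DisableCompression -Type DWORD -Value 0 -Force
}

if (Test-SmbV3CompressionDisabled) {
    Write-Host 'SMBv3 compression is already disabled: workaround is in place.'
} else {
    Write-Host 'SMBv3 compression is enabled: applying workaround...'
    Disable-SmbV3Compression
    Write-Host ('Applied: ' + (Test-SmbV3CompressionDisabled))
}
```

Run it from an elevated PowerShell prompt. Note that, as Microsoft’s advisory states, this workaround only protects the SMB server side of the host; SMB clients on an unpatched machine remain exposed until the actual update is installed, so it is a stopgap rather than a substitute for patching.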


References

  1. “I’ll ask your body”: SMBGhost pre-auth RCE abusing Direct Memory Access structs
  2. SMBGhost (CVE-2020-0796): a new wormable Windows SMBv3 vulnerability
