A proof-of-concept remote code execution exploit for the Windows 10 "SMBGhost" vulnerability (CVE-2020-0796) was developed and presented yesterday by Yuki Koike, a researcher at Ricerca Security.

The vulnerability, which only impacts specific versions of Windows 10 and Windows Server, was found in Microsoft Server Message Block (SMB) 3.1.1 and was leaked [2] during last month's Patch Tuesday after being accidentally published by a number of security vendors that are part of the Microsoft Active Protections Program.

The researcher demoed a PoC RCE exploit, published a paper [1] with all the technical details, and shared a video demo.

Should I be worried?

Mildly! Ricerca Security has decided not to share their exploit to avoid having it fall in the wrong hands:

We have decided to make our PoC exclusively available to our customers to avoid abuse by script kiddies or cybercriminals

However, if you haven't yet patched your systems against CVE-2020-0796, you should do it as soon as possible and, if you can't update at the moment, Microsoft recommends disabling SMBv3 compression as a temporary workaround: please refer to my previous post [2] for technical details.
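As an added example (my own script, not code from the original post or from Ricerca Security), the following PowerShell snippet checks whether Microsoft's recommended SMBv3 compression workaround is in effect on a host and, with the -Apply switch, sets it. It assumes the registry location and value documented in Microsoft's advisory for CVE-2020-0796 (DWORD DisableCompression = 1 under the LanmanServer parameters key) and that only Windows 10 / Windows Server builds 18362 (version 1903) and 18363 (version 1909) ship the affected SMB 3.1.1 compression code; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): report whether the SMBv3
# compression workaround for CVE-2020-0796 is in effect, and optionally apply it.
# Assumption: registry key/value as documented in Microsoft's advisory.
[CmdletBinding()]
param(
    [switch]$Apply
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'DisableCompression'

# Assumption: only builds 18362 (1903) and 18363 (1909) contain the vulnerable
# SMB 3.1.1 compression handling; older builds do not need the workaround.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$affectedBuilds = @(18362, 18363)
if ($build -notin $affectedBuilds) {
    Write-Output "Build $build is not an affected build; no workaround needed."
    return
}

# Read the current value; a missing value means compression is enabled (the default).
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Output "SMBv3 compression is already disabled ($name = 1)."
    return
}

Write-Warning "SMBv3 compression is enabled on build $build; this host is exposed until patched."

if ($Apply) {
    # Microsoft's documented workaround: DWORD DisableCompression = 1.
    # No reboot is required for the change to take effect.
    Set-ItemProperty -Path $key -Name $name -Type DWord -Value 1 -Force
    Write-Output "Workaround applied: $name = 1 under $key."
    Write-Output "Note: this protects the SMB server side only; SMB clients remain exposed until the patch is installed."
} else {
    Write-Output "Re-run with -Apply to set $name = 1 as a temporary mitigation until the patch is installed."
}
```

The script is intentionally read-only unless -Apply is given, so it can be pushed to a fleet first to inventory which hosts still have compression enabled; the workaround is a stop-gap, and the permanent fix remains installing the March 2020 security update.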


References

  1. "I'll ask your body": SMBGhost pre-auth RCE abusing Direct Memory Access structs
  2. SMBGhost (CVE-2020-0796): a new wormable Windows SMBv3 vulnerability