Author Topic: Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit

javajolt
Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1).

More refined versions of the exploit are expected to emerge, especially since at least two cybersecurity companies created exploits for the vulnerability and have been holding back the release since April.

Critical severity

Known by various names (SMBGhost, CoronaBlue, NexternalBlue, BluesDay), the security flaw can be leveraged by an unauthenticated attacker to spread malware from one vulnerable system to another without user interaction.

SMBGhost affects Windows 10 versions 1909 and 1903, including Server Core. Microsoft patched it in March, warning that exploitation is “more likely” on both older and newer software releases and that it is as critical as can be: maximum severity score of 10.

All an attacker would need to do to exploit it is to send a specially crafted packet to a targeted SMBv3 server. The result would be similar to the WannaCry and NotPetya attacks from 2017, which used the EternalBlue exploit for SMB v1.

Exploit code for SMBGhost

After the vulnerability leaked in March, security researchers started to find a way to exploit SMBGhost but the results were limited to local privilege escalation (LPE) and denial of service (blue screen).

Cybercriminals have been leveraging the vulnerability to escalate local privileges and deliver malware pieces (1, 2) such as the Ave Maria remote access trojan with keylogging and info stealing capabilities.

While LPE can help attackers in a post-compromise stage, remote code execution (RCE) would get them in and around, making it game over for vulnerable systems.

Almost three months since Microsoft released the patch, a security researcher using the Twitter handle Chompie shared publicly a version of the SMBGhost RCE.

The exploit relies on a physical read primitive, the researcher told BleepingComputer, and demonstrating this interesting primitive was her intention with the code.

The researcher says that this primitive may allow easier exploitation of future SMB memory corruption bugs. Right now, an information leak is needed for remote exploitation. However, the primitive would permit a less complicated method.

Her code is not 100% reliable, and its purpose is to help others expand their reverse-engineering knowledge. “It was written quickly and needs some work to be more reliable,” the researcher states in the readme file.

Quote
“Sometimes you BSOD. Using this for any purpose other than self-education is an extremely bad idea. Your computer will burst in flames. Puppies will die.”

Chompie told us that it works best on Windows 10 1903 and that many individuals were able to exploit the bug successfully on this version.

Quote
"The existence of this read primitive makes exploitation more straightforward. But because it depends on DMA of tcpip I have achieved inconsistent results that warrant more research," she told us.

Will Dormann, the vulnerability analyst for CERT/CC, tested Chompie’s code on a machine running Windows 10 v1909 and obtained inconsistent results for remote code execution. Sometimes the exploit would crash the test system, other times it would just fail.

From an attacker’s standpoint, though, the code does not have to be 100% reliable, Dormann told us. A crash is nothing but a long wait for the next attempt as Windows typically reboots after the memory dump finishes.

If the code simply fails, nothing is stopping the attacker from trying again until they achieve the desired effect. When targeting a vulnerable machine, the bad guys just need to be patient and keep trying until the code works.

Moreover, those with knowledge can tweak it to iron out the wrinkles. And SMBGhost is the type of bug skilled threat actors like to use.

Chompie’s exploit for SMBGhost RCE is not the only one. Startup cybersecurity company ZecOps announced in April that they created an exploit that works when chained with an info leak vulnerability.

On the same day, cybersecurity firm Ricerca Security said that obtaining RCE was not easy but provided proof that it was possible. They also published technical details explaining the strategy and methods that could be used to exploit SMBGhost.

However, both companies held back from releasing the actual exploit. On April 26, ZecOps said that they would publish the code and a write-up after the next Windows update. Chompie says that this will happen in the following days, which is also the reason she decided to make her research public.

[Update]: Article updated with info about the vulnerability being exploited in the wild.

source