Explaining SMBv3 CVE-2020-0796 or SMBGhost

Hello, today I’m going to explain the vulnerability on SMBv3 aka SMBGhost, for the time being Microsoft has released an urgent patch ” KB4551762 “, and for the record I wrote a small script to apply a workaround until the users update there systems “Click Here” , So how this vulnerability works? in the the SMB protocol there is a parameter called compression, and this will allow to compress and decompress data and guess what Microsoft pass it without checking and validating the buffer size and the result is an integer overflow vulnerability in the ” Srv2DecompressData” function in srv2.sys. check the picture below and you can see the assembly instructions

And from this an attacker can take a full RCE without any username or password. That’s why Microsoft recommended to to disable the compression option until they fixes the problem, the issue is just a validation for the buffer size before passing it to the argument. and for sure you can take a blue screen of death just for exploiting it since it’s a driver and an overflow can cause this easily. sometimes I find that even big companies can easily fall into the trap of not checking their inputs or they just treat it as something clean and no one can reach there or find it.

Leave a Reply

Your email address will not be published. Required fields are marked *