Hello, today I am going to explain the vulnerability in SMBv3, also known as SMBGhost. For now, Microsoft has released an urgent patch, KB4551762, and for the record I wrote a small script to apply a workaround until users update their systems (“Click Here”). So how does this vulnerability work? The SMB protocol has a compression feature that allows data to be compressed and decompressed, and Microsoft passes the compressed data along without checking and validating the buffer size. The result is an integer overflow vulnerability in the Srv2DecompressData function in srv2.sys. Check the picture below to see the assembly instructions.
From this, an attacker can achieve full remote code execution (RCE) without any username or password. That is why Microsoft recommended disabling the compression option until they fix the problem; the issue is simply a missing validation of the buffer size before it is passed on. And of course, exploiting it can easily cause a blue screen of death, since the bug sits in a driver and an overflow there crashes the system easily. Sometimes I find that even big companies can easily fall into the trap of not checking their inputs, or they just treat the input as something clean that no one can reach or find.
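To make the size-validation point concrete, here is an added illustration in C of the unchecked-addition pattern beside a hardened check; it is example code written for this post, not code from srv2.sys or from Microsoft's patch. The field names follow the MS-SMB2 compression transform header (OriginalCompressedSegmentSize and Offset), and the header values used are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Added illustration of the unchecked-size pattern behind SMBGhost, not code
 * from srv2.sys or from Microsoft's patch. Field names follow the MS-SMB2
 * COMPRESSION_TRANSFORM_HEADER: OriginalCompressedSegmentSize is the size
 * the payload decompresses to, Offset is the length of an uncompressed
 * prefix that precedes the compressed bytes. Both come straight from the
 * client, so neither can be trusted. */

/* Vulnerable pattern: the two 32-bit sizes are added in 32-bit arithmetic
 * with no wrap-around check. A huge original_size plus a small offset
 * yields a tiny allocation, while the later copy still uses the large
 * values. Returns the (possibly wrapped) allocation size to expose the bug. */
uint32_t alloc_size_unchecked(uint32_t original_size, uint32_t offset)
{
    return original_size + offset;   /* wraps modulo 2^32 */
}

/* Hardened pattern: do the sum in 64-bit, refuse anything that would not
 * fit in 32 bits, and refuse an offset larger than the bytes actually
 * received. Returns the allocation size, or -1 if the header is rejected. */
int64_t alloc_size_checked(uint32_t original_size, uint32_t offset,
                           uint32_t payload_len)
{
    uint64_t total = (uint64_t)original_size + (uint64_t)offset;
    if (total > UINT32_MAX)          /* 32-bit addition would have wrapped */
        return -1;
    if (offset > payload_len)        /* prefix claims more bytes than sent */
        return -1;
    if (original_size == 0)          /* nothing to decompress: malformed */
        return -1;
    return (int64_t)total;
}

int main(void)
{
    /* Constructed header values: the first pair wraps, the second is sane. */
    printf("unchecked: 0x%" PRIx32 "\n", alloc_size_unchecked(0xFFFFFFF0u, 0x20u));
    printf("checked (bad):  %" PRId64 "\n", alloc_size_checked(0xFFFFFFF0u, 0x20u, 64u));
    printf("checked (good): %" PRId64 "\n", alloc_size_checked(4096u, 16u, 64u));
    return 0;
}
```

The unchecked sum of 0xFFFFFFF0 and 0x20 wraps to 0x10, which is exactly the kind of tiny allocation a later copy will overrun; the checked version rejects that header outright.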
A few months ago I started getting an annoying update popup for my Parallels Desktop, and I kept cancelling the update by clicking “Remind me Later”. But the last time I was free, and I thought: let's see what happens if I click Install Now and check what happens afterwards. It was not my intention to really update the app; I was curious about how to get rid of the alert without actually updating the software, and that is how it all started.
The vulnerability information is as follows:
It allows a remote attacker to serve false, fake updates to the user remotely, with text of the attacker's choice, such as which features are available in the app, and the attacker can include malicious links as well to trick the user into clicking them and downloading entirely unrelated material. At the same time, an attacker can supply the path of the application they wish to download onto the user's machine if the user chooses to click the “Update Now” button. This of course allows the attacker to gain access to the user's machine with higher privileges, usually root. This attack can take place as a man-in-the-middle (MITM) attack, or a local attacker can perform it to gain higher access on the same machine. I tried to inform the company, with no single reply from their side. I will not release the exploit code until the company fixes the vulnerability, since we don't need more attacks. What happened at the start of 2020 is more than enough 🙂