Hello, today I’m going to explain the vulnerability in SMBv3, aka SMBGhost (CVE-2020-0796). Microsoft has released an urgent out-of-band patch, KB4551762, and for the record I wrote a small script to apply the workaround until users update their systems: “Click Here”. So how does this vulnerability work? SMB 3.1.1 added a compression capability that lets client and server compress and decompress messages. A compressed message starts with a compression transform header whose size fields (OriginalCompressedSegmentSize and Offset) come straight from the network, and the decompression routine Srv2DecompressData in srv2.sys adds them together to size the destination buffer without checking that the sum fits in 32 bits. The addition can wrap, so a tiny buffer is allocated and then filled with far more data than it can hold: an integer overflow that turns into a buffer overflow. Check the picture below and you can see the assembly instructions.
From this an attacker can get full RCE without any username or password, because the compressed message is processed before any authentication takes place. That’s why Microsoft recommended disabling SMBv3 compression until the fix was available (the DisableCompression DWORD value, set to 1, under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; note this only protects the server side, a client that connects to a malicious server is still exposed). The fix itself is just a validation of the buffer size before it is passed on. And for sure you can get a blue screen of death just by triggering it, since this is a kernel driver and an overflow there crashes the whole machine easily. Sometimes I find that even big companies can easily fall into the trap of not checking their inputs, or they treat them as clean because they assume no one can reach or find them.
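To make the bug pattern concrete, here is an added example (my own illustration, not code from srv2.sys or from the author): a parser for the SMB2 compression transform header as documented in MS-SMB2, the vulnerable 32-bit size computation beside a hardened one, and two constructed messages. The function names, the sample bytes and the 15-byte wrap value are mine; the header layout is the documented one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 section 2.2.42): 16 bytes, little-endian. */
typedef struct {
    uint32_t protocol_id;                       /* must be 0xFC 'S' 'M' 'B' */
    uint32_t original_compressed_segment_size;  /* claimed size of the decompressed data */
    uint16_t compression_algorithm;             /* 1 = LZNT1, 2 = LZ77, 3 = LZ77+Huffman */
    uint16_t flags;
    uint32_t offset;                            /* uncompressed bytes that precede the compressed data */
} smb2_compression_header_t;

#define SMB2_COMPRESSION_HEADER_LEN 16u
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu   /* bytes FC 53 4D 42 read as a little-endian uint32 */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the header at the start of msg. Returns false if the message is too short
 * or does not carry the compression magic. */
bool parse_compression_header(const uint8_t *msg, size_t len, smb2_compression_header_t *h)
{
    if (msg == NULL || h == NULL || len < SMB2_COMPRESSION_HEADER_LEN) return false;
    h->protocol_id = rd_le32(msg);
    if (h->protocol_id != SMB2_COMPRESSION_PROTOCOL_ID) return false;
    h->original_compressed_segment_size = rd_le32(msg + 4);
    h->compression_algorithm = rd_le16(msg + 8);
    h->flags = rd_le16(msg + 10);
    h->offset = rd_le32(msg + 12);
    return true;
}

/* The vulnerable pattern: a plain 32-bit addition of two attacker-controlled
 * fields. 0xFFFFFFFF + 0x10 wraps to 0x0F, so a 15-byte buffer is allocated
 * for a copy that expects far more. */
uint32_t alloc_size_unchecked(const smb2_compression_header_t *h)
{
    return h->original_compressed_segment_size + h->offset;
}

/* The hardened version: refuse a sum that would wrap, and refuse an Offset
 * larger than the data actually present after the header. */
bool alloc_size_checked(const smb2_compression_header_t *h, size_t payload_len, uint32_t *out)
{
    if (h->original_compressed_segment_size > UINT32_MAX - h->offset) return false;
    if (h->offset > payload_len) return false;
    *out = h->original_compressed_segment_size + h->offset;
    return true;
}

/* Size a vulnerable decoder would allocate for msg (0 if the header does not parse). */
uint32_t vulnerable_alloc_for(const uint8_t *msg, size_t len)
{
    smb2_compression_header_t h;
    if (!parse_compression_header(msg, len, &h)) return 0;
    return alloc_size_unchecked(&h);
}

/* Size the hardened decoder would allocate, or -1 if it rejects the message. */
long long hardened_alloc_for(const uint8_t *msg, size_t len)
{
    smb2_compression_header_t h;
    uint32_t n;
    if (!parse_compression_header(msg, len, &h)) return -1;
    if (!alloc_size_checked(&h, len - SMB2_COMPRESSION_HEADER_LEN, &n)) return -1;
    return (long long)n;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MALICIOUS_MSG[] = {
    0xFC, 'S', 'M', 'B',        /* ProtocolId */
    0xFF, 0xFF, 0xFF, 0xFF,     /* OriginalCompressedSegmentSize = 0xFFFFFFFF */
    0x01, 0x00,                 /* CompressionAlgorithm = LZNT1 */
    0x00, 0x00,                 /* Flags */
    0x10, 0x00, 0x00, 0x00,     /* Offset = 0x10 */
    0xAA, 0xBB, 0xCC, 0xDD      /* only 4 bytes follow, not the promised 0x10 */
};

static const uint8_t BENIGN_MSG[] = {
    0xFC, 'S', 'M', 'B',
    0x00, 0x10, 0x00, 0x00,     /* OriginalCompressedSegmentSize = 0x1000 */
    0x01, 0x00,
    0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,     /* Offset = 0 */
    0xAA, 0xBB, 0xCC, 0xDD
};

int main(void)
{
    printf("malicious: vulnerable decoder allocates 0x%x bytes, hardened returns %lld\n",
           vulnerable_alloc_for(MALICIOUS_MSG, sizeof MALICIOUS_MSG),
           hardened_alloc_for(MALICIOUS_MSG, sizeof MALICIOUS_MSG));
    printf("benign:    vulnerable decoder allocates 0x%x bytes, hardened returns %lld\n",
           vulnerable_alloc_for(BENIGN_MSG, sizeof BENIGN_MSG),
           hardened_alloc_for(BENIGN_MSG, sizeof BENIGN_MSG));
    return 0;
}
```

The point to take away is the second check as much as the first: even when the sum does not wrap, a decoder must also confirm the message really carries Offset bytes before copying them, otherwise it reads past the end of the received packet.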
Months ago I started to get this annoying update popup for updating my Parallels Desktop, and I kept cancelling the update by clicking “Remind me Later”, but the last time I was free and I thought let’s see what happens if I click Install Now and check what happens after. It wasn’t my intention to really update the app; I was curious how to get rid of the alert without actually updating the software, and that’s how it all started.
The vulnerability information is as follows:
It allows a remote attacker to feed false and fake update notices to the user, with text of the attacker’s choice, such as which features are available in the new version, and he can put in malicious links as well to trick the user into clicking them and downloading entirely unrelated material. At the same time an attacker can supply the path of the application he wishes to download onto the user’s machine if the user clicks the “update now” button. This of course allows the attacker to gain access to the user’s machine with higher privileges, usually root. The attack can be carried out as a man in the middle (MITM), or a local attacker can perform it to get higher access on the same machine. I tried to inform the company, with no single reply from their side. I will not release the exploit code until the company fixes the vulnerability, since we don’t need more attacks. What happened at the start of 2020 is more than enough 🙂
Finally I had time to update Crypto Ghost, and honestly I’m really happy with this update. In this post I’m going to explain the latest development. So what’s new?
First of all, I added a new feature: removing image metadata. So what is image metadata?
With every image you take, some information is stored alongside it (in a JPEG this is the Exif data), and for those who care about privacy this information is dangerous: for example, the image can contain the GPS coordinates of where it was taken, as well as the camera model and the date and time. There is more, but if you are interested you can read about it here. Bottom line: use Crypto Ghost to remove it from your photos. How simple is that.
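To show what removing image metadata actually involves, here is an added example of my own; it is not Crypto Ghost’s code (which is an Android app) and not from the author. It walks the marker segments of a JPEG and drops the ones that carry metadata (Exif/XMP in APP1, IPTC/Photoshop in APP13, and COM comments), copying everything else, including the compressed picture from SOS onward, unchanged. The sample byte string is constructed to have the JPEG segment structure only; it is not a real image, and the function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* JPEG marker codes that matter here. */
#define M_SOI   0xD8   /* start of image */
#define M_EOI   0xD9   /* end of image */
#define M_SOS   0xDA   /* start of scan: compressed pixel data follows */
#define M_APP1  0xE1   /* Exif (GPS, camera, timestamp) and XMP */
#define M_APP13 0xED   /* Photoshop / IPTC */
#define M_COM   0xFE   /* free-text comment */

/* Markers that carry metadata and are not needed to decode the picture. */
static bool is_metadata_marker(uint8_t m)
{
    return m == M_APP1 || m == M_APP13 || m == M_COM;
}

/* Markers that stand alone with no length field. */
static bool is_standalone_marker(uint8_t m)
{
    return m == M_SOI || m == M_EOI || m == 0x01 || (m >= 0xD0 && m <= 0xD7);
}

/* Copy the JPEG in[0..in_len) to out, dropping metadata segments. Segments are
 * walked only up to SOS; from there the compressed image is copied verbatim.
 * Returns bytes written, or 0 if the input is malformed or out is too small. */
size_t strip_jpeg_metadata(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 4 || in[0] != 0xFF || in[1] != M_SOI || out_cap < 2) return 0;
    out[0] = 0xFF; out[1] = M_SOI;
    size_t ip = 2, op = 2;

    while (ip + 2 <= in_len) {
        if (in[ip] != 0xFF) return 0;            /* expected a marker */
        uint8_t marker = in[ip + 1];
        if (marker == 0xFF) { ip++; continue; }  /* 0xFF fill byte before a marker */

        if (marker == M_SOS) {                   /* rest of file is image data: keep it all */
            size_t rest = in_len - ip;
            if (op + rest > out_cap) return 0;
            memcpy(out + op, in + ip, rest);
            return op + rest;
        }
        if (is_standalone_marker(marker)) {      /* two bytes, nothing to skip */
            if (op + 2 > out_cap) return 0;
            out[op++] = 0xFF; out[op++] = marker;
            ip += 2;
            if (marker == M_EOI) return op;      /* no scan at all: done */
            continue;
        }
        if (ip + 4 > in_len) return 0;
        size_t seg_len = ((size_t)in[ip + 2] << 8) | in[ip + 3];   /* includes the 2 length bytes */
        if (seg_len < 2 || ip + 2 + seg_len > in_len) return 0;    /* truncated or bogus length */
        if (!is_metadata_marker(marker)) {
            if (op + 2 + seg_len > out_cap) return 0;
            memcpy(out + op, in + ip, 2 + seg_len);
            op += 2 + seg_len;
        }
        ip += 2 + seg_len;
    }
    return 0;                                    /* ran out of data before SOS/EOI */
}

/* Naive byte search used by the demo. */
bool buffer_contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return true;
    return false;
}

/* Constructed, minimal JPEG-shaped bytes (not a real picture): SOI, a JFIF APP0,
 * an Exif APP1 carrying a fake GPS tag, a COM, a fake DQT, a fake SOS, three
 * bytes of "scan data" and EOI. 54 bytes in total. */
static const uint8_t SAMPLE_JPEG[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x07, 'J', 'F', 'I', 'F', 0x00,
    0xFF, 0xE1, 0x00, 0x0E, 'E', 'x', 'i', 'f', 0x00, 0x00, 'G', 'P', 'S', '!', 0x00, 0x00,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xDB, 0x00, 0x05, 0x00, 0x01, 0x02,
    0xFF, 0xDA, 0x00, 0x04, 0x01, 0x00,
    0x12, 0x34, 0x56,
    0xFF, 0xD9
};

static uint8_t STRIPPED[sizeof SAMPLE_JPEG];

/* Strip SAMPLE_JPEG into STRIPPED and return the stripped length. */
size_t strip_sample(void)
{
    return strip_jpeg_metadata(SAMPLE_JPEG, sizeof SAMPLE_JPEG, STRIPPED, sizeof STRIPPED);
}

int main(void)
{
    size_t n = strip_sample();
    printf("%zu bytes in, %zu bytes out; Exif present after strip: %s\n",
           sizeof SAMPLE_JPEG, n, buffer_contains(STRIPPED, n, "Exif") ? "yes" : "no");
    return 0;
}
```

Two caveats a tool like this has to respect: the picture data after SOS must be copied byte for byte (re-encoding would lose quality), and a thumbnail embedded inside the Exif APP1 segment, which can itself leak the original framing, goes away only because the whole segment is dropped rather than individual tags being edited.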
The second feature is clearing the cache after every operation. This wipes any information that Crypto Ghost may leave behind after a process, and it helps prevent offline attacks, where someone with access to the device storage recovers leftover plaintext from cached files.
Yes, one more thing: I fixed some programming bugs.
Crypto Ghost is a file encryption application that runs on Android. Its only job is protecting your files from unauthorized access by encrypting them. Crypto Ghost uses modern cryptography (there is a paper published based on this project), and you can check the specification of the application and how it operates on the official website. Crypto Ghost uses AES in GCM mode with a 256-bit key, so a file is both encrypted and integrity-protected: a tampered ciphertext fails authentication at decryption time instead of decrypting to garbage (as with any GCM use, this holds only as long as a nonce is never reused under the same key). Crypto Ghost is free software with no ads, and no Internet connectivity is required to run the app; encryption and decryption run locally in the app without the help of a server. Crypto Ghost provides a simple interface so even non-technical people can use it.