How to detect the Microsoft SMBGhost vulnerability with Pentest-Tools.com
- Updated at
- Reading time
For the past couple of weeks, a critical RCE vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3) has kept both the Microsoft users and the security community on their toes.
To help our customers better detect if their Windows hosts were affected by the critical SMBGhost vulnerability, we developed and added a new, dedicated scanner on Pentest-Tools.com.
As you may know by now, we don’t create new tools for every vulnerability that pops up. Here’s what drove us to build a new scanner and expand the platform.
This vulnerability is particularly serious because it is “wormable” and has the potential to spread quickly from a vulnerable system to another across the internal network. What’s more, the vulnerability reminds of the EternalBlue exploit that caused the WannaCry outbreak.
1. What we know about the SMBGhost vulnerability
On March 10, 2020, during its monthly Patch Tuesday, Microsoft leaked information about a serious SMB vulnerability, which was accidentally discovered by security researchers.
Tracked asCVE-2020-0796, the RCE vulnerability exists in the way Microsoft Server Message Block 3.0 (SMBv3) handles certain requests.
Microsoft SMB v3.1.1 is a protocol mostly used in new operating systems, which means it impacts machines that run: Windows 10(versions 1903 and 1909) and Windows Server (1903 and 1909).
The vulnerability doesn’t expose older versions like Windows 7, 8, or 8.1 because they don’t support SMBv3.1.1 compression.
To exploit this vulnerability, an unauthenticated attacker sends a specially crafted packet to the targeted SMBv3 server and “convinces users to connect to it”, Microsoft said in the security advisory update.
Successful exploitation could allow hackers to execute code on the target SMB Server or SMB Client. However, a working RCE exploit hasn’t been spotted until we published this article. It seems to be difficult to create one, considering the existing safeguards implemented in the Windows kernel.
An in-depth technical analysis of this vulnerability concluded that certain SMB packets could cause a buffer overflow and crash the Windows host by getting the BSOD (Blue Screen of Death) message.
Proof of concepts to create a denial of service attack (BSOD) are already available, including short demo videos from security researchers.
2. How does the Pentest-Tools.com SMBGhost scanner work?
Our goal with this tool is to make it easy to discover if your Windows machines run the risk of exposure to the SMBGhost vulnerability.
The SMBGhost scanner we developed checks the SMB version of the target host o identify if the SMB service has compression enabled. It starts by scanning the TCP 445 port, commonly used by the Windows file sharing service.
The scanner also allows you to detect Windows hosts that are not vulnerable(e.g. they don’t support SMBv3.1.1 or they have SMBv3 compression disabled).
To verify these settings, our tool tries to initiate an SMB negotiation with the target server, proposing the SMB version 3.1.1 Dialect:
0x0311and compression enabled
NegotiateContextCount: 2.If the SMB response packet includes the proposed settings, our scanner declares that the target is potentially vulnerable to SMBGhost.
Here’s a sample report of a SMBGhost scan:
3. Secure your Windows hosts with this update
Microsoft already released a security patch for the vulnerability discovered in the SMBv3 protocol, known as KB4551762, in an update for Windows 10, version 1909, and Windows 10, version 1903. We recommend applying these software updates as soon as possible!
In a security advisory, the company also offers some workaround solutions to disable SMBv3 compression or block TCP port 445.
4. Discover vulnerable Windows hosts with the SMBGhost scanner
We created this scanner to help you easily scan Windows hosts and detect this RCE vulnerability. Whether you’re a sysadmin or a security consultant, you can use this scanner to perform easy security tests and detect if your Windows machines are impacted by the SMBGhost vulnerability.