

SMBGhost Vulnerability Scanner (CVE-2020-0796)

Discover Windows hosts vulnerable to Remote Code Execution due to a bug in the SMB service (aka SMBGhost, CoronaBlue)


Sample Report

Here is an SMBGhost Vulnerability Scanner (CVE-2020-0796) sample report:

  • Shows if target runs SMBv3.1.1 and if it has SMB compression enabled
  • Provides a thorough description of the SMBGhost vulnerability and its risk
  • Includes recommendations for fixing the problem


SMBGhost Vulnerability Scanner (CVE-2020-0796) - Use Cases

The purpose of this tool is to detect Windows 10 and Windows Server machines affected by the SMBGhost vulnerability (CVE-2020-0796). Detection is performed by checking which SMB dialect the target host negotiates and whether the SMB service has compression enabled.

Technical Details


About

SMBGhost (CVE-2020-0796) is caused by a bug in the SMBv3 decompression routines in Windows 10 and Windows Server, versions 1903 and 1909. The size of a compressed SMBv3 message is computed from attacker-controlled header fields without an overflow check, so a crafted packet can cause a kernel buffer overflow and crash the Windows kernel (producing a Blue Screen of Death - BSOD).

This vulnerability could be further exploited to achieve unauthenticated remote code execution and become "wormable". However, it is believed that a reliable exploit is difficult to create because of multiple protection measures implemented in the Windows kernel (such as KASLR).

According to an in-depth SMBGhost analysis performed by the McAfee team, the vulnerability is located in the SmbCompressDecompress function, which is a wrapper over RtlDecompressBufferEx2. This function is called by both the SMBv3 server implementation and the SMBv3 client implementation, making them both vulnerable.


Parameters

Parameter     Description
Target host   The hostname or IP address of the target server
Target port   The SMB port to connect to (default: 445)


How it works

The scanner tries to detect whether the target server negotiates SMB 3.1.1 and has compression enabled. This is not a fully reliable detection method, because a patched system presents exactly the same settings, so a "possibly vulnerable" result must be confirmed by other means. The negative result, however, is definitive: a host that does not offer SMB 3.1.1, or that has SMBv3 compression disabled, cannot be affected by SMBGhost.

In order to detect these settings, the tool initiates an SMB2 NEGOTIATE exchange with the target server, proposing only dialect 3.1.1 (Dialect: 0x0311) together with two negotiate contexts (NegotiateContextCount: 2): the pre-authentication integrity context that SMB 3.1.1 requires and a compression capabilities context (SMB2_COMPRESSION_CAPABILITIES) advertising LZNT1 compression. If the NEGOTIATE response selects dialect 0x0311 and returns a compression context listing an actual compression algorithm, the scanner declares that the target may be vulnerable to SMBGhost.

(Figure: SMB2 NEGOTIATE response from a candidate host, showing Dialect 0x0311 and the compression capabilities negotiate context.)
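The exchange described above, as an added example that is not part of the original page or the scanner's own code: it builds the NEGOTIATE request with the two negotiate contexts, parses the response by its declared field offsets rather than fixed byte positions (so a larger security blob or extra contexts do not break it), and applies the rule from the previous paragraph. The sample response is constructed inline for offline testing and is not a real capture; the client GUID, pre-auth salt and security blob are placeholders, and the script name in the usage note is assumed. It needs only the Python 3 standard library.

```python
"""SMBGhost pre-check: SMB2 NEGOTIATE with dialect 3.1.1 + compression context,
then judge the response the way the scanner does. Added example, not the
scanner's code; sample data below is constructed, not captured."""
import socket
import struct
import uuid

DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001   # SMB2_PREAUTH_INTEGRITY_CAPABILITIES
CTX_COMPRESSION = 0x0003         # SMB2_COMPRESSION_CAPABILITIES
COMPRESSION_NONE, COMPRESSION_LZNT1 = 0x0000, 0x0001
HASH_SHA512 = 0x0001


def _pad8(b):
    return b + b"\x00" * (-len(b) % 8)      # negotiate contexts are 8-byte aligned


def _context(ctx_type, data):
    # ContextType(2) DataLength(2) Reserved(4) Data
    return struct.pack("<HHI", ctx_type, len(data), 0) + data


def _smb2_header(command=0, credits=0):
    # ProtocolId StructureSize CreditCharge Status Command CreditRequest Flags
    # NextCommand MessageId Reserved TreeId SessionId Signature (64 bytes)
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command,
                       credits, 0, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(client_guid=None):
    """NEGOTIATE offering only 3.1.1, with the mandatory pre-auth integrity
    context and a compression context advertising LZNT1."""
    client_guid = client_guid or uuid.uuid4().bytes
    dialects = struct.pack("<H", DIALECT_311)
    ctx_offset = (64 + 36 + len(dialects) + 7) & ~7     # from start of SMB2 header
    # StructureSize DialectCount SecurityMode Reserved Capabilities ClientGuid
    # NegotiateContextOffset NegotiateContextCount Reserved2
    body = struct.pack("<HHHHI16sIHH", 36, 1, 0x01, 0, 0x44, client_guid,
                       ctx_offset, 2, 0)                  # 0x44 = LARGE_MTU|ENCRYPTION
    preauth = struct.pack("<HHH", 1, 32, HASH_SHA512) + b"\x00" * 32   # placeholder salt
    comp = struct.pack("<HHIH", 1, 0, 0, COMPRESSION_LZNT1)
    contexts = _pad8(_context(CTX_PREAUTH_INTEGRITY, preauth)) + _context(CTX_COMPRESSION, comp)
    return _pad8(_smb2_header() + body + dialects) + contexts


def parse_negotiate_response(msg):
    """Parse a raw SMB2 NEGOTIATE response (NetBIOS header already stripped).
    Returns (dialect, {ctx_type: data})."""
    if len(msg) < 128 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != 0 or status != 0:
        raise ValueError("unexpected command 0x%x / status 0x%08x" % (command, status))
    _size, _secmode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    ctx_offset = struct.unpack_from("<I", msg, 124)[0]
    contexts = {}
    if dialect == DIALECT_311:           # context fields are reserved for older dialects
        off = ctx_offset
        for _ in range(ctx_count):
            ctx_type, data_len = struct.unpack_from("<HH", msg, off)
            contexts[ctx_type] = msg[off + 8: off + 8 + data_len]
            off = (off + 8 + data_len + 7) & ~7
    return dialect, contexts


def assess(msg):
    """Scanner rule: 3.1.1 selected AND a real compression algorithm negotiated
    => (True, reason) possibly vulnerable; anything else => (False, reason)."""
    dialect, contexts = parse_negotiate_response(msg)
    if dialect != DIALECT_311:
        return False, "server chose dialect 0x%04x, not 3.1.1" % dialect
    comp = contexts.get(CTX_COMPRESSION)
    if comp is None:
        return False, "no compression context in response"
    count = struct.unpack_from("<H", comp, 0)[0]
    algos = struct.unpack_from("<%dH" % count, comp, 8)
    if all(a == COMPRESSION_NONE for a in algos):
        return False, "compression disabled"
    return True, "SMB 3.1.1 with compression algorithms %s; confirm with KB check" % list(algos)


def build_sample_response(dialect=DIALECT_311, compression_algorithms=(COMPRESSION_LZNT1,)):
    """Constructed NEGOTIATE response (not a real capture) for offline tests."""
    sec_blob = b"\x00" * 10              # placeholder for the SPNEGO token
    contexts, ctx_count = b"", 0
    if dialect == DIALECT_311:
        preauth = struct.pack("<HHH", 1, 32, HASH_SHA512) + b"\x00" * 32
        contexts, ctx_count = _context(CTX_PREAUTH_INTEGRITY, preauth), 1
        if compression_algorithms is not None:
            n = len(compression_algorithms)
            comp = struct.pack("<HHI%dH" % n, n, 0, 0, *compression_algorithms)
            contexts, ctx_count = _pad8(contexts) + _context(CTX_COMPRESSION, comp), 2
    ctx_offset = (64 + 64 + len(sec_blob) + 7) & ~7
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x01, dialect, ctx_count, b"\x00" * 16,
                       0x2f, 0x800000, 0x800000, 0x800000, 0, 0, 128, len(sec_blob),
                       ctx_offset if ctx_count else 0)
    return _pad8(_smb2_header(credits=1) + body + sec_blob) + contexts


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d/%d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe(host, port=445, timeout=5.0):
    """Live check: one NEGOTIATE over TCP wrapped in a 4-byte NetBIOS session header."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x00" + len(req).to_bytes(3, "big") + req)
        hdr = _recv_exact(s, 4)
        return assess(_recv_exact(s, int.from_bytes(hdr[1:], "big")))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 445))
```

Run it as `python3 smbghost_check.py HOST [PORT]` (file name assumed). A `True` result means only that the host negotiates 3.1.1 with compression, exactly the condition the scanner reports; a patched host answers the same way, so follow up with the KB check described below. A `False` result is conclusive for this bug.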

In order to reliably verify whether the system is truly patched or vulnerable, the following methods are available:
  • Locally check whether the Windows system has the KB4551762 update installed (requires local access)
  • Run a crash proof-of-concept against the system; a vulnerable host will crash with a kernel BSOD, so do this only against a test system. Here is an exploit for SMBGhost.