Researchers Daniel García Gutiérrez (@danigargu) and Manuel Blanco Parajón (@dialluvioso_) have published proof-of-concept (PoC) exploits for the CVE-2020-0796 Windows vulnerability, tracked as SMBGhost, that can be exploited by attackers for local privilege escalation.
On March 10, 2019, Microsoft accidentally leaked information about a security update for a wormable vulnerability in its Server Message Block (SMB) protocol.
The issue is a pre-authentication remote code execution flaw in the Server Message Block 3.0 (SMBv3) network communication protocol.
Technical details of the CVE-2020-0796 vulnerability had not yet been disclosed, but security firms Cisco Talos and Fortinet published a description of the issue on their websites.
The vulnerability is caused by an error in the way SMBv3 handles maliciously crafted compressed data packets; a remote, unauthenticated attacker could exploit the flaw to execute arbitrary code in the context of the application.
The CVE-2020-0796 vulnerability affects devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). According to Fortinet, other Microsoft Windows versions are likely affected as well.
Microsoft released the KB4551762 update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.
Immediately after the disclosure of the flaw, security experts created PoC exploits that trigger a DoS condition; cybersecurity firm ZecOps has now published technical details of the flaw and released a PoC for remote code execution. The PoC exploits can be used to escalate privileges to SYSTEM.
“The bug is an integer overflow bug that happens in the Srv2DecompressData function in the srv2.sys SMB server driver,” wrote the experts. “We managed to demonstrate that the CVE-2020-0796 vulnerability can be exploited for local privilege escalation. Note that our exploit is limited for medium integrity level, since it relies on API calls that are unavailable in a lower integrity level.”
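To make the class of bug named in the quote concrete, here is an added example (not code from the article, from ZecOps, or from srv2.sys) that parses the SMB2 compression transform header and shows a naive 32-bit size computation that wraps next to an overflow-safe check that rejects such a packet. The header layout is taken from the public MS-SMB2 specification; the sizing arithmetic is an illustrative model of the bug class, the sample headers are constructed, and `max_segment` is a hypothetical policy cap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER: 16 bytes, little-endian (layout per MS-SMB2 section 2.2.42). */
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu   /* on the wire: FC 'S' 'M' 'B' */
struct smb2_compression_hdr {
    uint32_t protocol_id;
    uint32_t original_compressed_segment_size;     /* payload size once decompressed */
    uint16_t compression_algorithm;
    uint16_t flags;
    uint32_t offset;                               /* uncompressed bytes ahead of the compressed payload */
};
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

bool parse_hdr(const uint8_t *buf, size_t len, struct smb2_compression_hdr *h) {
    if (len < 16) return false;
    h->protocol_id = rd32(buf);
    h->original_compressed_segment_size = rd32(buf + 4);
    h->compression_algorithm = rd16(buf + 8);
    h->flags = rd16(buf + 10);
    h->offset = rd32(buf + 12);
    return h->protocol_id == SMB2_COMPRESSION_PROTOCOL_ID;
}

/* Bug class modelled here: a 32-bit sum of two peer-controlled sizes wraps, so a buffer sized
 * for "offset + decompressed bytes" ends up far smaller than the data later written into it. */
uint32_t naive_alloc_size(const struct smb2_compression_hdr *h) {
    return h->original_compressed_segment_size + h->offset;   /* wraps modulo 2^32 */
}
/* Hardened form: reject when the sum would wrap or exceeds a cap (max_segment is a hypothetical policy limit). */
bool checked_alloc_size(const struct smb2_compression_hdr *h, uint32_t max_segment, uint32_t *out) {
    uint32_t a = h->original_compressed_segment_size, b = h->offset;
    if (a > UINT32_MAX - b || a + b > max_segment) return false;   /* the first test cannot itself wrap */
    *out = a + b;
    return true;
}
/* Constructed sample headers: sizes 0x10 + 0xFFFFFFF0 wrap to 0 in 32 bits; 0x1000 + 0x20 is benign. */
const uint8_t kWrapHdr[16] = {0xFC,'S','M','B', 0x10,0,0,0, 1,0, 0,0, 0xF0,0xFF,0xFF,0xFF};
const uint8_t kSaneHdr[16] = {0xFC,'S','M','B', 0,0x10,0,0, 1,0, 0,0, 0x20,0,0,0};
/* Wrappers over a raw 16-byte header: UINT32_MAX / -1 signal a malformed or rejected packet. */
uint32_t naive_size_of(const uint8_t *raw) {
    struct smb2_compression_hdr h;
    return parse_hdr(raw, 16, &h) ? naive_alloc_size(&h) : UINT32_MAX;
}
int64_t checked_size_of(const uint8_t *raw) {
    struct smb2_compression_hdr h; uint32_t n;
    if (!parse_hdr(raw, 16, &h) || !checked_alloc_size(&h, 0x100000u, &n)) return -1;
    return n;
}
```

The point for detection and review is the shape of the guard: test `a > UINT32_MAX - b` before ever forming `a + b`, so the allocation size can never silently wrap.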