A security researcher has published a PoC RCE exploit for SMBGhost (CVE-2020-0796), a wormable flaw that affects SMBv3 on Windows 10 and some Windows Server versions.
The PoC exploit is unreliable, but could be used by malicious attackers as a starting point for creating a more effective exploit.
About SMBGhost (CVE-2020-0796)
The existence of the flaw was inadvertently revealed in early March 2020 and Microsoft released patches soon after.
The vulnerability could be exploited to execute code on a target SMB server or SMB client: in the former case by sending a specially crafted packet to a targeted SMBv3 server, in the latter by setting up a malicious SMBv3 server and convincing a user to connect to it.
It can also be exploited by attackers that have already gained access to a target machine to give themselves SYSTEM privileges on it.
Security updates with fixes have been provided for Windows 10 (versions 1903 and 1909) and Windows Server (1903 and 1909 – Server Core installation).
If security updates can’t be implemented or until they can be, admins can disable SMBv3 compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server.
They can also block TCP port 445 at the enterprise perimeter firewall so that attackers can’t reach the affected component, and prevent SMB traffic from making lateral connections or from entering or leaving the network (to block attacks mounted from within the enterprise perimeter).
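The two interim mitigations described above, applied and verified from an elevated PowerShell session, as an added example that is not part of the original article. The DisableCompression value under the LanmanServer\Parameters key is the registry setting Microsoft documented for the SMBv3 compression workaround; the firewall rule name and the variable names are chosen here for illustration.

```powershell
# Added example (not from the article): apply and verify the SMBGhost interim mitigations
# on a Windows 10 / Windows Server 1903 or 1909 host. Run as Administrator.
# Assumptions: DisableCompression under LanmanServer\Parameters is the documented
# compression workaround; the firewall rule display name is chosen here.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is this host in the affected release set named in the article (1903 / 1909)?
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
$affected  = $releaseId -in @('1903', '1909')
Write-Host "ReleaseId=$releaseId affected=$affected"

# 2. Disable SMBv3 compression on the server side. This closes only the unauthenticated
#    remote-to-server vector; it does not protect this host when it acts as an SMB client.
Set-ItemProperty -Path $lanman -Name DisableCompression -Type DWORD -Value 1 -Force

# 3. Read the value back: a mistyped value name would otherwise silently do nothing.
$current = (Get-ItemProperty -Path $lanman -Name DisableCompression -ErrorAction Stop).DisableCompression
if ($current -ne 1) { throw "DisableCompression is '$current', expected 1" }

# 4. Block inbound TCP/445 on the host firewall as defence in depth alongside the
#    perimeter rule. Idempotent: the rule is only created if it does not already exist.
$ruleName = 'Block inbound SMB (TCP 445) - SMBGhost mitigation'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 5. Print the resulting port filter so the change is auditable.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

The host-level 445 block is meant for workstations and servers that do not need to serve file shares; on a file server, scope the rule with -RemoteAddress to the subnets that legitimately need access instead of blocking all inbound SMB. Neither step replaces the security update, which is the only fix that also covers the client-side and local privilege escalation cases.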
SMBGhost PoC exploits
SMBGhost has the potential to fuel attacks like the ones that brought us WannaCry and NotPetya, though their reach would be more limited: those attacks exploited a vulnerability in SMBv1 (and consequently also affected older Windows versions), whereas SMBGhost is found in SMBv3 (and affects only newer Windows versions).
Also, the WannaCry and NotPetya attackers were able to use existing and public exploits (EternalBlue, EternalRomance) to trigger those vulnerabilities.
Some security companies and researchers have created limited PoC exploits for SMBGhost, but have refrained from publishing them until the security updates fixing the flaw are more widely deployed.
Some attackers have been exploiting the flaw for local privilege escalation, but there is no indication that the flaw is being exploited for achieving remote code execution.
As noted before, though the PoC released by the security researcher who goes by the handle “chompie” demonstrably works, it does not work every time.
Persistent attackers might successfully leverage it given enough time and repeated effort, though. Those more knowledgeable might even find a way to modify it and improve its effectiveness.
But they can also wait for security companies to release a reliable PoC RCE exploit. ZecOps, for example, have announced they will release it following the next Windows update.
All in all, if you haven’t yet fixed SMBGhost on your systems, now is high time to do it.