Introduction

SMB (Server Message Block) is a network protocol used by Windows-based computers that allows systems on the same network or domain to share files. Beyond file sharing, it also lets computers share printers and even serial ports with other machines on the network.

The flaw is tracked as CVE-2020-0796. It is a remote code execution vulnerability in the way Microsoft Server Message Block 3.1.1 (SMBv3) handles certain requests. It gives an attacker the ability to execute code on the target SMB server and on any client connected to the vulnerable server.


Systems affected by the exploit:

Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

Testing the exploit: 

We have created a Python script to scan a single IP address or a /24 subnet to identify vulnerable systems. You can download the script from our GitHub link as follows.


Usage:

Scan single IP 

sve0796.py --ip <192.168.2.1>

Scan a subnet

sve0796.py --subnet <192.168.2.0/24> 


Prevention from the exploit:

  1. You can download the patch from Microsoft's website: KB4551762
  2. Block TCP port 445 at the enterprise perimeter firewall.
  3. You can disable SMBv3 compression with the PowerShell command below (run from an elevated session):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
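The following script is an added example, not part of the original post or its scanner, that audits a local host for the conditions above (affected build, KB4551762 present, compression disabled) and applies the registry workaround only when the host is exposed. It assumes an elevated PowerShell session on Windows 10 / Windows Server, and that builds 18362 and 18363 correspond to the 1903 and 1909 releases listed above.

```powershell
# Added example (not the post's own code): audit and optionally apply the
# SMBv3 compression workaround for CVE-2020-0796 on the local machine.
# Assumption: run as Administrator; builds 18362 = 1903, 18363 = 1909.

$regPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$affectedBuilds = @(18362, 18363)

function Test-SmbGhostExposure {
    $build = [System.Environment]::OSVersion.Version.Build

    # Get-HotFix only sees updates reported via Win32_QuickFixEngineering,
    # so a missing entry means "not confirmed installed", not proof of absence.
    $patched = $null -ne (Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

    $value = (Get-ItemProperty -Path $regPath -Name DisableCompression `
              -ErrorAction SilentlyContinue).DisableCompression

    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = ($affectedBuilds -contains $build)
        KB4551762Installed  = $patched
        CompressionDisabled = ($value -eq 1)
    }
}

function Disable-SmbCompression {
    # Same registry change as the workaround above, with -Name made explicit.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force
}

$state = Test-SmbGhostExposure
$state | Format-List

if ($state.AffectedBuild -and -not $state.KB4551762Installed -and -not $state.CompressionDisabled) {
    Write-Warning 'Affected build without KB4551762 and compression still enabled: applying workaround.'
    Disable-SmbCompression
    Test-SmbGhostExposure | Format-List
}
```

The workaround disables compression only for the server role; install KB4551762 to cover client-side exposure as well.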