Saturday, December 2, 2023

SMBleed – Windows SMB Protocol Bug Let Hackers Leak Kernel Memory & Execute a Code Remotely

Researchers uncovered a critical bug names as “SMBleed” in the Microsoft Server Message Block (SMB) network communication protocol.

This security flaw was named as SMBleed and identified as CVE-2020-1206; this vulnerability could easily enable the attackers to drip all the confidential data from the kernel memory remotely.

Combined this kind of vulnerability with the previous bug that is a wormable, then the flaw can be easily utilized to perform several remote code execution attacks.

But, apart from this, recently, a dispute has been detected in the SMB’s decompression function, it’s SMBGhost (CVE-2020-0796), that was disclosed three months ago, and this sought of vulnerability can open vulnerable Windows systems to malware attacks that can carry out its operation across networks.

According to the Zeccops report, it is due to the fact that the decompression function “Srv2DecompressData” in the SMB protocol that is capable of processing specially crafted message requests (for example, SMB2 WRITE) sent to SMBv3 destination server. Thus, an attacker can easily read data in the kernel memory and make changes to the compression function.

This vulnerability affects the Windows 10 versions of 1903 and 1909, and Microsoft has also recently published the security patches as well.

They announced just last week that they are forcing the users of Windows 10 so that they can update their devices after exploiting code for SMBGhost bug that was advertised online recently.

Basic Exploitation

Well, this whole vulnerability deals with SMB messages, and these messages primarily include fields like the number of bytes to address and flags, and thus it accompanied by a variable-length buffer. By crafting this, the messages become quite easy, so this is a perfect tool for exposition.

But there are some variable that contains uninitialized data, and therefore, we put different addition to the compression function that is based on our POC on Microsoft’s WindowsProtocolTestSuites repository.

By adding this will not be sufficient, as POC needs different credentials and a writable share, that are easily accessible in many situations. Still, the bug refers to every sought of the message so that it can get utilized remotely for any authentication. 

More importantly, the memory that has leaked is generally related to the earlier allocation in the NonPagedPoolNx pool, as we can manage the allocation size, which implies that the leaked data may come into our control to some extent.


The cybersecurity experts have recommended that both home and business users should install the latest version Windows, as this vulnerability are found in Windows 10 version 1909 and 1903, as we told earlier. 

But there are some situations where the Patch is not applicable, thus at that time, users should simply block the port 445 to stop any parallel movement and remote exploitation on their vulnerable system.


  • Initially, while observing the SMBGhost, the security experts discovered yet another vulnerability that is SMBleed.
  • This vulnerability focuses on revealing the Kernel memory remotely.
  • SMBleed enables the production of pre-auth Remote Code Execution (RCE) if it gets combined with the SMBGhost.
  • There are two main links, POC #1: SMBleed remote kernel memory read, and the POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost.

Affected Windows versions

Here are the Windows versions that are affected by this security flaw with the applicable updates installed:-

Windows 10 Version 2004

KB4557957Not VulnerableNot Vulnerable
Before KB4557957Not VulnerableVulnerable

Windows 10 Version 1909

KB4560960Not VulnerableNot Vulnerable
KB4551762Not VulnerableVulnerable
Before KB4551762VulnerableVulnerable

Windows 10 Version 1903

UpdateNull Dereference BugSMBGhostSMBleed
KB4560960FixedNot VulnerableNot Vulnerable
KB4551762FixedNot VulnerableVulnerable
None of the aboveNot FixedVulnerablePotentially vulnerable


  • Update your Windows to the latest version, as this will fix the issue altogether.
  • Block the port 445 to stop any parallel movement.
  • Isolate the host.
  • Disable the SMB 3.1.1 compression, but you should note that the security experts do not recommend it.

Apart from all these things, if an unauthorized attacker wants to exploit this vulnerability, then the attacker must have to configure a malicious SMBv3 server and convince the user to connect to it.

The security experts have already reported their findings to Microsoft, and the company has already released the patches to fix this vulnerability.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity & hacking updates.


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles