Thursday, March 28, 2024

SMBleed – Windows SMB Protocol Bug Let Hackers Leak Kernel Memory & Execute a Code Remotely

Researchers uncovered a critical bug names as “SMBleed” in the Microsoft Server Message Block (SMB) network communication protocol.

This security flaw was named as SMBleed and identified as CVE-2020-1206; this vulnerability could easily enable the attackers to drip all the confidential data from the kernel memory remotely.

Combined this kind of vulnerability with the previous bug that is a wormable, then the flaw can be easily utilized to perform several remote code execution attacks.

But, apart from this, recently, a dispute has been detected in the SMB’s decompression function, it’s SMBGhost (CVE-2020-0796), that was disclosed three months ago, and this sought of vulnerability can open vulnerable Windows systems to malware attacks that can carry out its operation across networks.

According to the Zeccops report, it is due to the fact that the decompression function “Srv2DecompressData” in the SMB protocol that is capable of processing specially crafted message requests (for example, SMB2 WRITE) sent to SMBv3 destination server. Thus, an attacker can easily read data in the kernel memory and make changes to the compression function.

This vulnerability affects the Windows 10 versions of 1903 and 1909, and Microsoft has also recently published the security patches as well.

They announced just last week that they are forcing the users of Windows 10 so that they can update their devices after exploiting code for SMBGhost bug that was advertised online recently.

Basic Exploitation

Well, this whole vulnerability deals with SMB messages, and these messages primarily include fields like the number of bytes to address and flags, and thus it accompanied by a variable-length buffer. By crafting this, the messages become quite easy, so this is a perfect tool for exposition.

But there are some variable that contains uninitialized data, and therefore, we put different addition to the compression function that is based on our POC on Microsoft’s WindowsProtocolTestSuites repository.

By adding this will not be sufficient, as POC needs different credentials and a writable share, that are easily accessible in many situations. Still, the bug refers to every sought of the message so that it can get utilized remotely for any authentication. 

More importantly, the memory that has leaked is generally related to the earlier allocation in the NonPagedPoolNx pool, as we can manage the allocation size, which implies that the leaked data may come into our control to some extent.

SMBleed

The cybersecurity experts have recommended that both home and business users should install the latest version Windows, as this vulnerability are found in Windows 10 version 1909 and 1903, as we told earlier. 

But there are some situations where the Patch is not applicable, thus at that time, users should simply block the port 445 to stop any parallel movement and remote exploitation on their vulnerable system.

TL;DR

  • Initially, while observing the SMBGhost, the security experts discovered yet another vulnerability that is SMBleed.
  • This vulnerability focuses on revealing the Kernel memory remotely.
  • SMBleed enables the production of pre-auth Remote Code Execution (RCE) if it gets combined with the SMBGhost.
  • There are two main links, POC #1: SMBleed remote kernel memory read, and the POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost.

Affected Windows versions

Here are the Windows versions that are affected by this security flaw with the applicable updates installed:-

Windows 10 Version 2004

UpdateSMBGhostSMBleed
KB4557957Not VulnerableNot Vulnerable
Before KB4557957Not VulnerableVulnerable

Windows 10 Version 1909

UpdateSMBGhostSMBleed
KB4560960Not VulnerableNot Vulnerable
KB4551762Not VulnerableVulnerable
Before KB4551762VulnerableVulnerable

Windows 10 Version 1903

UpdateNull Dereference BugSMBGhostSMBleed
KB4560960FixedNot VulnerableNot Vulnerable
KB4551762FixedNot VulnerableVulnerable
KB4512941FixedVulnerableVulnerable
None of the aboveNot FixedVulnerablePotentially vulnerable

Mitigation

  • Update your Windows to the latest version, as this will fix the issue altogether.
  • Block the port 445 to stop any parallel movement.
  • Isolate the host.
  • Disable the SMB 3.1.1 compression, but you should note that the security experts do not recommend it.

Apart from all these things, if an unauthorized attacker wants to exploit this vulnerability, then the attacker must have to configure a malicious SMBv3 server and convince the user to connect to it.

The security experts have already reported their findings to Microsoft, and the company has already released the patches to fix this vulnerability.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity & hacking updates.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles