SMBleed – Windows SMB Protocol Bug Let Hackers Leak Kernel Memory & Execute a Code Remotely

Researchers uncovered a critical bug names as “SMBleed” in the Microsoft Server Message Block (SMB) network communication protocol.

This security flaw was named as SMBleed and identified as CVE-2020-1206; this vulnerability could easily enable the attackers to drip all the confidential data from the kernel memory remotely.

Combined this kind of vulnerability with the previous bug that is a wormable, then the flaw can be easily utilized to perform several remote code execution attacks.

But, apart from this, recently, a dispute has been detected in the SMB’s decompression function, it’s SMBGhost (CVE-2020-0796), that was disclosed three months ago, and this sought of vulnerability can open vulnerable Windows systems to malware attacks that can carry out its operation across networks.

According to the Zeccops report, it is due to the fact that the decompression function “Srv2DecompressData” in the SMB protocol that is capable of processing specially crafted message requests (for example, SMB2 WRITE) sent to SMBv3 destination server. Thus, an attacker can easily read data in the kernel memory and make changes to the compression function.

This vulnerability affects the Windows 10 versions of 1903 and 1909, and Microsoft has also recently published the security patches as well.

They announced just last week that they are forcing the users of Windows 10 so that they can update their devices after exploiting code for SMBGhost bug that was advertised online recently.

Basic Exploitation

Well, this whole vulnerability deals with SMB messages, and these messages primarily include fields like the number of bytes to address and flags, and thus it accompanied by a variable-length buffer. By crafting this, the messages become quite easy, so this is a perfect tool for exposition.

But there are some variable that contains uninitialized data, and therefore, we put different addition to the compression function that is based on our POC on Microsoft’s WindowsProtocolTestSuites repository.

By adding this will not be sufficient, as POC needs different credentials and a writable share, that are easily accessible in many situations. Still, the bug refers to every sought of the message so that it can get utilized remotely for any authentication. 

More importantly, the memory that has leaked is generally related to the earlier allocation in the NonPagedPoolNx pool, as we can manage the allocation size, which implies that the leaked data may come into our control to some extent.

The cybersecurity experts have recommended that both home and business users should install the latest version Windows, as this vulnerability are found in Windows 10 version 1909 and 1903, as we told earlier. 

But there are some situations where the Patch is not applicable, thus at that time, users should simply block the port 445 to stop any parallel movement and remote exploitation on their vulnerable system.

TL;DR

• Initially, while observing the SMBGhost, the security experts discovered yet another vulnerability that is SMBleed.
• This vulnerability focuses on revealing the Kernel memory remotely.
• SMBleed enables the production of pre-auth Remote Code Execution (RCE) if it gets combined with the SMBGhost.
• There are two main links, POC #1: SMBleed remote kernel memory read, and the POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost.

Affected Windows versions

Here are the Windows versions that are affected by this security flaw with the applicable updates installed:-

Windows 10 Version 2004

Update	SMBGhost	SMBleed
KB4557957	Not Vulnerable	Not Vulnerable
Before KB4557957	Not Vulnerable	Vulnerable

Windows 10 Version 1909

Update	SMBGhost	SMBleed
KB4560960	Not Vulnerable	Not Vulnerable
KB4551762	Not Vulnerable	Vulnerable
Before KB4551762	Vulnerable	Vulnerable

Windows 10 Version 1903

Update	Null Dereference Bug	SMBGhost	SMBleed
KB4560960	Fixed	Not Vulnerable	Not Vulnerable
KB4551762	Fixed	Not Vulnerable	Vulnerable
KB4512941	Fixed	Vulnerable	Vulnerable
None of the above	Not Fixed	Vulnerable	Potentially vulnerable

Mitigation

• Update your Windows to the latest version, as this will fix the issue altogether.
• Block the port 445 to stop any parallel movement.
• Isolate the host.
• Disable the SMB 3.1.1 compression, but you should note that the security experts do not recommend it.

Apart from all these things, if an unauthorized attacker wants to exploit this vulnerability, then the attacker must have to configure a malicious SMBv3 server and convince the user to connect to it.

The security experts have already reported their findings to Microsoft, and the company has already released the patches to fix this vulnerability.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity & hacking updates.