Categories: CVE/vulnerability

SMBleed – Windows SMB Protocol Bug Let Hackers Leak Kernel Memory & Execute a Code Remotely

Researchers uncovered a critical bug names as “SMBleed” in the Microsoft Server Message Block (SMB) network communication protocol.

This security flaw was named as SMBleed and identified as CVE-2020-1206; this vulnerability could easily enable the attackers to drip all the confidential data from the kernel memory remotely.

Combined this kind of vulnerability with the previous bug that is a wormable, then the flaw can be easily utilized to perform several remote code execution attacks.

But, apart from this, recently, a dispute has been detected in the SMB’s decompression function, it’s SMBGhost (CVE-2020-0796), that was disclosed three months ago, and this sought of vulnerability can open vulnerable Windows systems to malware attacks that can carry out its operation across networks.

According to the Zeccops report, it is due to the fact that the decompression function “Srv2DecompressData” in the SMB protocol that is capable of processing specially crafted message requests (for example, SMB2 WRITE) sent to SMBv3 destination server. Thus, an attacker can easily read data in the kernel memory and make changes to the compression function.

This vulnerability affects the Windows 10 versions of 1903 and 1909, and Microsoft has also recently published the security patches as well.

They announced just last week that they are forcing the users of Windows 10 so that they can update their devices after exploiting code for SMBGhost bug that was advertised online recently.

Basic Exploitation

Well, this whole vulnerability deals with SMB messages, and these messages primarily include fields like the number of bytes to address and flags, and thus it accompanied by a variable-length buffer. By crafting this, the messages become quite easy, so this is a perfect tool for exposition.

But there are some variable that contains uninitialized data, and therefore, we put different addition to the compression function that is based on our POC on Microsoft’s WindowsProtocolTestSuites repository.

By adding this will not be sufficient, as POC needs different credentials and a writable share, that are easily accessible in many situations. Still, the bug refers to every sought of the message so that it can get utilized remotely for any authentication. 

More importantly, the memory that has leaked is generally related to the earlier allocation in the NonPagedPoolNx pool, as we can manage the allocation size, which implies that the leaked data may come into our control to some extent.

The cybersecurity experts have recommended that both home and business users should install the latest version Windows, as this vulnerability are found in Windows 10 version 1909 and 1903, as we told earlier. 

But there are some situations where the Patch is not applicable, thus at that time, users should simply block the port 445 to stop any parallel movement and remote exploitation on their vulnerable system.

TL;DR

  • Initially, while observing the SMBGhost, the security experts discovered yet another vulnerability that is SMBleed.
  • This vulnerability focuses on revealing the Kernel memory remotely.
  • SMBleed enables the production of pre-auth Remote Code Execution (RCE) if it gets combined with the SMBGhost.
  • There are two main links, POC #1: SMBleed remote kernel memory read, and the POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost.

Affected Windows versions

Here are the Windows versions that are affected by this security flaw with the applicable updates installed:-

Windows 10 Version 2004

UpdateSMBGhostSMBleed
KB4557957Not VulnerableNot Vulnerable
Before KB4557957Not VulnerableVulnerable

Windows 10 Version 1909

UpdateSMBGhostSMBleed
KB4560960Not VulnerableNot Vulnerable
KB4551762Not VulnerableVulnerable
Before KB4551762VulnerableVulnerable

Windows 10 Version 1903

UpdateNull Dereference BugSMBGhostSMBleed
KB4560960FixedNot VulnerableNot Vulnerable
KB4551762FixedNot VulnerableVulnerable
KB4512941FixedVulnerableVulnerable
None of the aboveNot FixedVulnerablePotentially vulnerable

Mitigation

  • Update your Windows to the latest version, as this will fix the issue altogether.
  • Block the port 445 to stop any parallel movement.
  • Isolate the host.
  • Disable the SMB 3.1.1 compression, but you should note that the security experts do not recommend it.

Apart from all these things, if an unauthorized attacker wants to exploit this vulnerability, then the attacker must have to configure a malicious SMBv3 server and convince the user to connect to it.

The security experts have already reported their findings to Microsoft, and the company has already released the patches to fix this vulnerability.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity & hacking updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property. Unfortunately,…

14 hours ago

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August 2024…

15 hours ago

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's inception.…

15 hours ago

FTC Slams GoDaddy For Not Implement Standard Security Practices Following Major Breaches

The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to develop…

15 hours ago

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web applications.…

16 hours ago

W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data

A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress,…

18 hours ago