POC details: 6c77ff3e968eea106981c94d4e9f853789c95492

Source
Related vulnerability
Title: Microsoft SMBv3 buffer error vulnerability (CVE-2020-0796)
Description: Microsoft SMBv3 is support firmware from the US company Microsoft that provides SMB functionality for devices. A buffer error vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3); it arises because the SMBv3 protocol enters an erroneous code path when handling a maliciously crafted compressed packet. A remote, unauthenticated attacker can exploit it to execute arbitrary code in the application. The following products and versions are affected: Microsoft Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909, Windo
Description
CVE-2020-0796 SMB Ghost vulnerability detection and mitigation
Introduction
# CVE-2020-0796 SMB Ghost vulnerability detection and mitigation
This repository documents my practice of detecting and mitigating the SMB Ghost vulnerability, also known as CVE-2020-0796. This vulnerability affects Microsoft Server Message Block 3.1.1 (SMBv3) and can allow attackers to execute arbitrary code with system privileges or launch denial-of-service attacks.
## Tools and Environment
The exercise used the following tools and environment:
* Windows 10 version 1903 (target machine)
* Kali Linux (attacker machine)
* Nmap (network mapper tool)
* Wireshark (packet sniffer tool)
* Windows Defender Firewall
* GitHub repository from https://github.com/chompie1337 (exploit code)
## Detection Method
Several methods were used to detect the CVE-2020-0796 vulnerability:
* Checking the Windows version by running `winver` at the command prompt or by looking in the system settings.
* Using Nmap to scan a range of IP addresses and detect the OS and services running, including SMB version and port 445 status.
* Using Wireshark to sniff an SMB transmission and capture packets sent by the exploit code from the attacker machine to the target machine.
* Enabling Windows Firewall logging to monitor TCP and UDP connections and dropped packets.
## Mitigation Method
As no upgrade or patch was available in the short term, the mitigation applied was to disable SMBv3 compression with a PowerShell command, which prevents unknown remote attackers from exploiting the SMBv3 vulnerability:
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
```
![image](https://user-images.githubusercontent.com/100338414/226348466-db270014-2a33-4fbb-8117-aa84a2a9f845.png)
Alternatively, use Windows Defender Firewall to block all inbound SMB traffic, which prevents remote connections from malicious devices (Microsoft, n.d.).
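The following script is an added example and not code from the original repository. It performs the host-side checks from the Detection Method section (Windows release, the `DisableCompression` value, whether anything listens on TCP 445, and firewall logging state) and, when run with `-Apply`, carries out the Mitigation Method steps above: disabling SMBv3 compression, enabling firewall logging, and optionally adding a rule that blocks inbound SMB. The switch names, the firewall rule display name, the log size and the script file name are assumptions of this example; the build numbers 18362 and 18363 correspond to Windows 10/Server 1903 and 1909.

```powershell
<#
  Added example (not part of the original repository): local CVE-2020-0796
  status check and mitigation helper. Run from an elevated PowerShell prompt
  on the host being assessed. Switch names, the rule display name and the
  log size are assumptions of this example.
#>
[CmdletBinding()]
param(
    [switch]$Apply,            # without -Apply the host is only inspected, nothing is changed
    [switch]$BlockInbound445   # with -Apply: also block inbound TCP 445 (breaks inbound file sharing)
)

$paramKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-SmbGhostStatus {
    # Windows 10 / Server 1903 is build 18362 and 1909 is build 18363; those are
    # the releases the README names as affected.
    $ver   = Get-ItemProperty -Path $versionKey
    $build = [int]$ver.CurrentBuild
    $affectedRelease = $build -in @(18362, 18363)

    # DisableCompression = 1 means the registry workaround from the README is in place.
    $dc = (Get-ItemProperty -Path $paramKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($dc -eq 1)

    # Is the SMB service reachable at all, i.e. is something listening on TCP 445?
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Firewall logging per profile; the README enables it to watch dropped packets.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, LogBlocked, LogAllowed, LogFileName

    [pscustomobject]@{
        ReleaseId           = $ver.ReleaseId
        Build               = $build
        AffectedRelease     = $affectedRelease
        CompressionDisabled = $compressionDisabled
        Listening445        = $listening445
        # Still exposed: affected release, compression still enabled, SMB listening.
        NeedsMitigation     = ($affectedRelease -and -not $compressionDisabled -and $listening445)
        FirewallProfiles    = $profiles
    }
}

function Invoke-SmbGhostMitigation {
    param([switch]$BlockPort445)

    # Mitigation 1: disable SMBv3 compression (the command from the README).
    Set-ItemProperty -Path $paramKey -Name DisableCompression -Type DWORD -Value 1 -Force

    # Detection aid: log allowed and dropped packets on every firewall profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 16384

    # Mitigation 2 (optional): block all inbound SMB so remote hosts cannot reach port 445.
    if ($BlockPort445) {
        $ruleName = 'Block inbound SMB 445 (CVE-2020-0796)'   # assumed name for this example
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    }
}

# Report first; only change the host when -Apply was given.
Get-SmbGhostStatus | Format-List
if ($Apply) {
    Invoke-SmbGhostMitigation -BlockPort445:$BlockInbound445
    Write-Host 'Status after mitigation:'
    Get-SmbGhostStatus | Format-List
}
```

Save it as, for instance, `Check-SmbGhost.ps1` (assumed name), run `.\Check-SmbGhost.ps1` to get a report, and `.\Check-SmbGhost.ps1 -Apply -BlockInbound445` to apply both mitigations. The report's `NeedsMitigation` field is true only when all three conditions hold, so a host that already has compression disabled or has nothing listening on 445 is reported as not needing the change. Blocking inbound 445 stops the host from serving file and printer shares, so it is the stronger but more disruptive of the two options; the registry change is a workaround to keep in place until the vendor's security update for CVE-2020-0796 is installed.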

## References
* Microsoft Security Response Center. (2020, March 12). CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796
* TrustedSec. (2020, March 15). SMBGhost: Detection and Mitigation. https://www.trustedsec.com/blog/smbghost-detection-and-mitigation/
* Saigal, S. (2017, August 8). Monitoring Firewall Logs in Windows. https://www.manageengine.com/products/eventlog/help/firewall-monitoring/monitor-firewall-logs-windows.html


## Notes
More details with screenshots are in the docx file.
File snapshot

```
[4.0K] /data/pocs/6c77ff3e968eea106981c94d4e9f853789c95492
├── [1.6M] project implement Report.docx
└── [2.4K] README.md

0 directories, 2 files
```