Experts demonstrate exploit for SMBGhost RCE vulnerability

In March 2020, was published information about the problem CVE-2020-0796, which is also called SMBGhost. It affects SMBv3, and almost all Windows systems were vulnerable to the bug. Now experts have demonstrated an exploit for SMBGhost RCE vulnerability.

According to Fortinet, the vulnerability is a buffer overflow on Microsoft SMB servers.

“The problem manifests itself when the vulnerable software processes a malicious packet of compressed data. A remote and unauthenticated attacker can use this to execute arbitrary code in the application context”, – said Fortinet researchers.

Cisco Talos experts warned that “exploiting the vulnerability opens systems for attacks with worm potential.”

Although emergency patches for CVE-2020-0796 were released back in March of this year, researchers are still concerned about this problem.

“The fact is that not everyone took care of installing patches in a timely manner, as usual, and more recently, you can find about 48,000 hosts with open SMB ports on the Internet that are vulnerable to potential attacks with a new bug”, – said Kryptos Logic experts.

Even worse, in early April, were already published the first PoC exploits for SMBGhost, which help to achieve denial of service (DoS) and local privilege escalation. PoC for remote code execution was not published because of its danger.

Now, an RCE exploit for vulnerability was developed and introduced by an expert from Ricerca Security. The researcher not only demonstrated the work of a potentially dangerous exploit on video and shared it with the Bleeping Computer magazine, but also published its detailed description.

So far, Ricerca Security has not published the source of the exploit in the public domain, as experts are afraid to put such a dangerous tool in the hands of criminals. As a result, now PoC is available exclusively for the company’s customers, but it is unlikely to last for a long time.

Users again are urged to install updates fixing the CVE-2020-0796 problem as soon as possible, and if this is impossible for some reason, you need to disable SMBv3 compression and also block TCP port 445, according to Microsoft recommendations.