In March 2020, information was published about the vulnerability CVE-2020-0796, also known as SMBGhost, CoronaBlue, NexternalBlue and BluesDay. The problem affects SMBv3; Windows 10 1903, Windows 10 1909, Windows Server 1903 and Windows Server 1909 were vulnerable to the bug. Let me remind you that the SMB protocol was used several years ago to spread WannaCry and NotPetya around the world.
According to Fortinet, the vulnerability is a buffer overflow in Microsoft's SMB server. The problem manifests itself when the vulnerable software processes a malicious packet of compressed data. That is, a remote, unauthenticated attacker can use the bug to execute arbitrary code in the context of the application. Back in March, Cisco Talos experts warned that "exploiting the vulnerability opens up systems for attacks with worm potential."
And although emergency patches fixing CVE-2020-0796 were released in March of this year, information security specialists remained very concerned about this problem. The fact is that, as usual, not everyone installed the fixes promptly, and according to Kryptos Logic, about 48,000 hosts with open SMB ports that are vulnerable to potential SMBGhost attacks could recently still be found on the Internet.
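A local triage check for the exposure described above, added here as an example and not code from the article or from any of the researchers it mentions. It assumes the affected build numbers are 18362 (1903) and 18363 (1909) and uses the registry value Microsoft documented as the SMBv3 compression workaround for CVE-2020-0796.

```powershell
# Added example: report whether this host is in the affected build family,
# whether the SMBv3 compression workaround is applied, and whether SMB is
# reachable on TCP 445. Assumption: builds 18362/18363 are Windows 10 and
# Server 1903/1909.
function Test-SmbGhostExposure {
    $build = [System.Environment]::OSVersion.Version.Build
    $affectedBuilds = @(18362, 18363)

    # Microsoft's documented workaround: DisableCompression = 1 under LanmanServer
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $compressionDisabled = $false
    $item = Get-ItemProperty -Path $paramsKey -Name 'DisableCompression' -ErrorAction SilentlyContinue
    if ($item -and $item.DisableCompression -eq 1) {
        $compressionDisabled = $true
    }

    # The bug is only remotely reachable if the server is listening on 445
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Build                 = $build
        InAffectedBuildFamily = ($affectedBuilds -contains $build)
        CompressionDisabled   = $compressionDisabled
        ListeningOn445        = $listening
        NeedsAttention        = (($affectedBuilds -contains $build) -and -not $compressionDisabled)
    }
}

# Apply the workaround; this reduces exposure but does not replace the March 2020 patch.
function Disable-SmbCompression {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name 'DisableCompression' -Type DWORD -Value 1 -Force
}

Test-SmbGhostExposure | Format-List
```

The build number alone does not prove the patch is missing; confirm patch state separately with Get-HotFix against the March 2020 update for these builds before treating NeedsAttention as a finding.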
Fortunately, until recently there were no public RCE exploits for this vulnerability. The first PoC exploits were published in early April, but they only achieved denial of service (DoS) and local privilege escalation (LPE). These exploits are already used in real attacks (for example, the Ave Maria malware uses them to escalate privileges), but in terms of danger they are far from RCE.
An RCE exploit for SMBGhost did exist; it just never appeared in the public domain. In April 2020 it was created and demonstrated by an expert from the company Ricerca Security: the researcher showed the exploit working in a video and published a detailed description of it. However, Ricerca Security did not publish the exploit's source code, as its experts were afraid to put such a dangerous tool in the hands of criminals.
Now, almost three months after Microsoft released the patches, Bleeping Computer reports that the information security specialist known as Chompie1337 has posted on GitHub the first publicly available RCE exploit for CVE-2020-0796.
The fact is that specialists at the information security company ZecOps also announced the creation of an RCE exploit in April and promised to unveil it after the next Windows update. Chompie1337 believes this should happen in the coming days, so she decided to release her own work publicly.
So far, the exploit code cannot be called completely stable, and the researcher says it is more likely to help others expand their knowledge of reverse engineering, adding that "it was written quickly and needs more work to become more reliable." The exploit works best against Windows 10 1903.
"Sometimes BSODs are possible. Using this (exploit) for any purpose other than self-educational is a very bad idea. Your computer will light up. Puppies will die," writes Chompie1337.
CERT/CC analyst Will Dormann has already tested the researcher's code on a computer running Windows 10 1909 and got mixed results: sometimes the exploit crashes the test system, and sometimes it simply does not work.
– Will Dormann (@wdormann) June 5, 2020
At the same time, Dormann notes that from the attacker's point of view the exploit does not have to be 100% reliable. A failed attempt is simply the prelude to the next one: if the exploit does not work, nothing prevents the attacker from trying again until the desired effect is achieved. Worse still, trained, properly qualified attackers can improve the exploit themselves.