1. Vulnerability Overview
Microsoft has released a security advisory stating that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol contains a code execution vulnerability in the way it handles certain requests. An unauthenticated attacker who sends a specially crafted packet can execute arbitrary code on the target SMB server.
A patch has been released for this SMBv3 remote code execution vulnerability, which affects users of Windows 10 and other systems.
2. Affected Versions
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
3. Severity
High
4. Vulnerability Verification
No public POC/EXP is available at the time of writing; you can check your own systems with the scripts published online.
Python

# Single-host check: send an SMB2 NEGOTIATE request that offers dialect 3.1.1 plus a
# compression-capabilities negotiate context, and inspect the server's response.
import socket
import struct
import sys

# NetBIOS session header followed by the SMB2 NEGOTIATE request
pkt = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'

sock = socket.socket(socket.AF_INET)
sock.settimeout(3)
sock.connect((sys.argv[1], 445))
sock.send(pkt)

nb, = struct.unpack(">I", sock.recv(4))   # NetBIOS length prefix
res = sock.recv(nb)                        # SMB2 header onward
sock.close()

# DialectRevision (offset 68) must be 0x0311 and NegotiateContextCount (offset 70)
# must be 2, i.e. the server answered the compression context as well as the
# preauth-integrity one.
if not res[68:70] == b"\x11\x03":
    exit("Not vulnerable.")
if not res[70:72] == b"\x02\x00":
    exit("Not vulnerable.")
exit("Vulnerable.")


# Subnet variant of the same check (requires the third-party netaddr package).
import socket
import struct
import sys
from netaddr import IPNetwork

pkt = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'

subnet = sys.argv[1]
for ip in IPNetwork(subnet):
    sock = socket.socket(socket.AF_INET)
    sock.settimeout(3)
    try:
        sock.connect((str(ip), 445))
    except OSError:
        sock.close()
        continue
    sock.send(pkt)
    nb, = struct.unpack(">I", sock.recv(4))
    res = sock.recv(nb)
    sock.close()
    if res[68:70] != b"\x11\x03" or res[70:72] != b"\x02\x00":
        print(f"{ip} Not vulnerable.")
    else:
        print(f"{ip} Vulnerable")
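As an added example that is not part of the original page or the scripts above, the following parser reads the SMB2 NEGOTIATE response structurally instead of comparing the fixed offsets res[68:70] (DialectRevision) and res[70:72] (NegotiateContextCount): it walks the negotiate contexts and reports which compression algorithms the server advertised, which is the condition the two offset checks approximate. The sample responses it builds are constructed for offline testing, not captured traffic.

```python
import struct

SMB2_COMPRESSION_CAPABILITIES = 0x0003  # negotiate context type (MS-SMB2 2.2.3.1)
SMB311 = 0x0311                         # DialectRevision for SMB 3.1.1
ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}

def parse_negotiate_response(res):
    """Parse an SMB2 NEGOTIATE response (SMB2 header onward, NetBIOS prefix stripped)."""
    if len(res) < 128 or res[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 NEGOTIATE response")
    dialect, ctx_count = struct.unpack_from("<HH", res, 68)  # DialectRevision, NegotiateContextCount
    ctx_offset, = struct.unpack_from("<I", res, 124)         # NegotiateContextOffset (from header start)
    contexts, pos = {}, ctx_offset
    for _ in range(ctx_count):
        ctx_type, data_len = struct.unpack_from("<HH", res, pos)
        contexts[ctx_type] = res[pos + 8:pos + 8 + data_len]  # 4 reserved bytes precede the data
        pos += (8 + data_len + 7) & ~7                         # contexts are 8-byte aligned
    return {"dialect": dialect, "contexts": contexts}

def compression_algorithms(res):
    """Names of the compression algorithms the server advertised (empty list if none)."""
    data = parse_negotiate_response(res)["contexts"].get(SMB2_COMPRESSION_CAPABILITIES)
    if data is None:
        return []
    count, = struct.unpack_from("<H", data, 0)
    algs = struct.unpack_from("<%dH" % count, data, 8)      # after Count, Padding, Flags
    return [ALGORITHMS.get(a, "0x%04x" % a) for a in algs]

def compression_exposed(res):
    """True when 3.1.1 was negotiated and a real compression algorithm is on offer."""
    dialect = parse_negotiate_response(res)["dialect"]
    return bool(dialect == SMB311 and any(a != "NONE" for a in compression_algorithms(res)))

def build_sample_response(with_compression):
    """Constructed sample response (not captured traffic) for offline testing."""
    hdr = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, bytes(16))
    ctxs = [(0x0001, struct.pack("<HHH", 1, 32, 1) + bytes(32))]        # preauth integrity, SHA-512
    if with_compression:
        ctxs.append((0x0003, struct.pack("<HHI3H", 3, 0, 0, 1, 2, 3)))  # LZNT1, LZ77, LZ77+Huffman
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, SMB311, len(ctxs), bytes(16),
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128)
    blob = b""
    for ctx_type, data in ctxs:
        blob += struct.pack("<HHI", ctx_type, len(data), 0) + data
        blob += bytes(-len(blob) % 8)                                    # pad to 8-byte boundary
    return hdr + body + blob
```

The `res` buffer from the scripts above (SMB2 header onward, NetBIOS prefix already stripped) can be passed straight to `compression_exposed`. A host that advertises compression may still be patched, so pair the result with the KB4551762 check from the PowerShell script below.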
Nmap
local smb = require "smb"
local nmap = require "nmap"
local vulns = require "vulns"

description = [[
Microsoft SMBv3 contains a vulnerability in the handling of compression, which
may allow a remote, unauthenticated attacker to execute arbitrary code on a
vulnerable system.

Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability in the
way that it handles connections that use compression. This vulnerability may
allow a remote, unauthenticated attacker to execute arbitrary code on a
vulnerable system. It has been reported that this vulnerability is "wormable."
By connecting to a vulnerable Windows machine using SMBv3, or by causing a
vulnerable Windows system to initiate a client connection to a SMBv3 server, a
remote, unauthenticated attacker may be able to execute arbitrary code with
SYSTEM privileges on a vulnerable system.
]]

author = "Hossam Mohamed"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

action = function(host, port)
  local status, supported_dialects
  local overrides = {}
  status, supported_dialects = smb.list_dialects(host, overrides)

  local vuln = {
    title = "Microsoft SMBv3 compression remote code execution vulnerability",
    IDS = {CVE = 'CVE-2020-0796'},
    risk_factor = "HIGH",
    description = [[
Microsoft SMBv3 contains a vulnerability in the handling of compression, which
may allow a remote, unauthenticated attacker to execute arbitrary code on a
vulnerable system.
]],
    references = {
      'https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005'
    },
    dates = {
      disclosure = {year = '2020', month = '03', day = '11'},
    }
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  vuln.state = vulns.STATE.NOT_VULN

  if status then
    for _, v in pairs(supported_dialects) do
      -- Only SMB 3.1.1 supports compression, so flag hosts that offer it.
      -- This is a dialect check only; it does not tell whether the patch is installed.
      if v == "3.11" then
        vuln.state = vulns.STATE.VULN
      end
    end
  end

  return report:make_output(vuln)
end
PowerShell
<#
.SYNOPSIS
Checks your SMBv3 Compression setting as mitigation for CVE-2020-0796, also known as SMBGhost.

.DESCRIPTION
This PowerShell script determines whether SMBv3 Compression is enabled or not.
As mitigation for CVE-2020-0796, SMBv3 compression should be disabled.
This script can disable SMBv3 compression for you automatically.
The script also checks whether CVE-2020-0796 is applicable to your Windows
version and whether the Windows Update KB4551762 is installed or not.

.EXAMPLE
PS C:\> .\CVE-2020-0796-Smbv3-checker.ps1

.NOTES
Created by: T13nn3s
Date: 11-03-2020
Check my blog: https://binsec.nl
Last update: 13-03-2020
#>

# Relaunch elevated: changing the LanmanServer registry key needs administrator rights.
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}

function CheckWindowsVersion {
    Write-Host "[*] Checking Windows Version..."
    $WindowsVersion = Get-ComputerInfo | Select-Object -ExpandProperty WindowsVersion
    Write-Host "[*] Windows version $WindowsVersion found."
    if ($WindowsVersion -eq 1903) {
        Write-Host "[*] CVE-2020-0796 is applicable to your Windows Version."
    }
    Elseif ($WindowsVersion -eq 1909) {
        Write-Host "[*] CVE-2020-0796 is applicable to your Windows Version."
    }
    Else {
        Write-Host "[+] CVE-2020-0796 is not applicable to your Windows Version." -ForegroundColor Green
        pause
        return
    }
} # End function CheckWindowsVersion

function CheckIfWindowsIsCore {
    [string]$regkey = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion"
    Write-Host "[*] Checking if you're running Windows Server Core"
    $installtype = (Get-ItemProperty -Path $regkey -Name "InstallationType").InstallationType
    if ($installtype -eq "Server") {
        Write-Host "[*] You are running the Desktop Experience of Windows Server. CVE-2020-0796 isn't applicable for this version of Windows Server."
    }
    Elseif ($installtype -eq "Client") {
        Write-Host "[*] You are running a Windows client edition."
    }
    Elseif ($installtype -eq "Server Core") {
        Write-Host "[*] You are running Windows Server Core."
    }
} # End function CheckIfWindowsIsCore

function CheckIfUpdateIsInstalled {
    [string]$kb = "KB4551762"
    Write-Host "[*] Check if $kb is installed..."
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) {
        Write-Host "[+] *** Windows Update $($fix.HotFixID) is installed on $($fix.InstalledOn). You're not vulnerable ***"
        Write-Host "[+] No workaround needed, you can still customize the SMBv3 compression if you like."
        return
    }
    Else {
        Write-Host "[-] Windows Update $kb is not installed."
    }
} # End function CheckIfUpdateIsInstalled

function Get-Menu {
    param (
        [string]$title = "Workaround for CVE-2020-0796 (CoronaBlue)"
    )
    Write-Host ""
    Write-Host "================ $title ================"
    Write-Host "1: Press '1' to check your current SMBv3 Compression setting"
    Write-Host "2: Press '2' to disable SMBv3 Compression <= This is the mitigation for CVE-2020-0796"
    Write-Host "3: Press '3' to enable SMBv3 Compression"
    Write-Host "Q: Press 'Q' to quit."
} # End function Get-Menu

function CheckRegSmbv3Compression {
    param (
        [string]$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    )
    $check = Get-ItemProperty -Path $reg -Name "DisableCompression" -ErrorAction SilentlyContinue
    if ($check -eq $null) {
        Write-Host "SMBv3 Compression is not configured. SMBv3 Compression is enabled by default."
        Write-Host "You're vulnerable" -ForegroundColor Yellow
    }
    Elseif ($check.DisableCompression -eq 0) {
        Write-Host "SMBv3 Compression is set to enabled."
    }
    Elseif ($check.DisableCompression -eq 1) {
        Write-Host "SMBv3 Compression is disabled."
    }
} # End function CheckRegSmbv3Compression

function SetRegSmbv3Compression {
    param (
        [string]$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
        [string]$value
    )
    try {
        Set-ItemProperty -Path $reg DisableCompression -Type DWORD -Value $value -Force
    }
    Catch {
        $err = $_.Exception.Message
        Write-Error $err
    }
    CheckRegSmbv3Compression
} # End function SetRegSmbv3Compression

CheckWindowsVersion
CheckIfUpdateIsInstalled

Do {
    Get-Menu
    $choice = Read-Host "Please make a selection"
    switch ($choice) {
        '1' {
            Write-Host 'You chose option #1'
            CheckRegSmbv3Compression
        }
        '2' {
            Write-Host 'You chose option #2'
            SetRegSmbv3Compression -value 1
        }
        '3' {
            Write-Host 'You chose option #3'
            SetRegSmbv3Compression -value 0
        }
        'Q' {
            return
        }
    }
    pause
} until ($choice -eq 'q')
5. Remediation
The following workaround may help in your situation. In all cases, Microsoft strongly recommends installing the update for this vulnerability immediately; even if you plan to keep the workaround in place, install the update as soon as possible:
Disable SMBv3 compression
You can use the following PowerShell command to disable the compression feature, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Notes:
- No reboot is required after making the change.
- This workaround does not prevent exploitation of SMB clients. See item 2 under the FAQ for how to protect clients.
- Windows and Windows Server do not yet use SMB compression, so disabling it has no negative performance impact.
You can undo the workaround with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Note: No reboot is required after undoing the workaround.
Related pages:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796