Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) - Nessus

Critical   Plugin ID: 134421

This page contains detailed information about the Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 134421
Name: Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)
Filename: smb_microsoft_windows_adv200005_remote.nasl
Vulnerability Published: 2020-03-12
This Plugin Published: 2020-03-11
Last Modification Time: 2022-02-11
Plugin Version: 1.8
Plugin Type: remote
Plugin Family: Windows
Dependencies: smb_dialects_enabled.nasl
Required KB Items: Settings/ParanoidReport, SMB/smb_dialect/3.1.1

Vulnerability Information


Severity: Critical
Vulnerability Published: 2020-03-12
Patch Published: 2020-03-12
CVE: CVE-2020-0796
CPE: cpe:/o:microsoft:windows
Exploited by Malware: True

Synopsis

The remote Windows host is using a vulnerable version of SMB.

Description

A remote code execution vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed data packet. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.

Note, the plugin checks if SMB 3.1.1 with compression is enabled. It does not currently verify the vulnerability itself.

Solution

Microsoft has provided additional details and guidance in the ADV200005 advisory.

Public Exploits


Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) vulnerability:

  1. Metasploit: exploit/windows/local/cve_2020_0796_smbghost
    [SMBv3 Compression Buffer Overflow]
  2. Metasploit: exploit/windows/smb/cve_2020_0796_smbghost
    [SMBv3 Compression Buffer Overflow]
  3. Exploit-DB: exploits/windows/dos/48216.md
    [EDB-48216: Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)]
  4. Exploit-DB: exploits/windows/local/48267.txt
    [EDB-48267: Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation]
  5. Exploit-DB: exploits/windows/remote/48537.py
    [EDB-48537: Microsoft Windows - 'SMBGhost' Remote Code Execution]
  6. GitHub: https://github.com/0xpetros/windows-privilage-escalation
    [CVE-2020-0796]
  7. GitHub: https://github.com/1stPeak/CVE-2020-0796-Scanner
    [CVE-2020-0796]
  8. GitHub: https://github.com/3gstudent/Homework-of-Python
    [CVE-2020-0796]
  9. GitHub: https://github.com/5l1v3r1/CVE-2020-0796-PoC-3
    [CVE-2020-0796: CVE-2020-0796 - a wormable SMBv3 vulnerability.]
  10. GitHub: https://github.com/5l1v3r1/cve-2020-0802
    [CVE-2020-0796]
  11. GitHub: https://github.com/2522595153/text
    [CVE-2020-0796]
  12. GitHub: https://github.com/ASkyeye/RAGINGBULL
    [CVE-2020-0796]
  13. GitHub: https://github.com/AaronWilsonGrylls/CVE-2020-0796-POC
    [CVE-2020-0796: CVE-2020-0796-POC]
  14. GitHub: https://github.com/Al1ex/WindowsElevation
    [CVE-2020-0796]
  15. GitHub: https://github.com/Anonimo501/SMBGhost_CVE-2020-0796_checker
    [CVE-2020-0796]
  16. GitHub: https://github.com/Ascotbe/Kernelhub
    [CVE-2020-0796]
  17. GitHub: https://github.com/Astrogeorgeonethree/Starred
    [CVE-2020-0796]
  18. GitHub: https://github.com/BOFs/365CS
    [CVE-2020-0796]
  19. GitHub: https://github.com/BOFs/CobaltStrike
    [CVE-2020-0796]
  20. GitHub: https://github.com/CYJoe-Cyclone/Awesome-CobaltStrike
    [CVE-2020-0796]
  21. GitHub: https://github.com/CyberMonitor/somethingweneed
    [CVE-2020-0796]
  22. GitHub: https://github.com/DreamoneOnly/CVE-2020-0796-LPE
    [CVE-2020-0796]
  23. GitHub: https://github.com/EncodeGroup/BOF-RegSave
    [CVE-2020-0796]
  24. GitHub: https://github.com/F6JO/CVE-2020-0796-Batch-scanning
    [CVE-2020-0796: Batch scanning for CVE-2020-0796]
  25. GitHub: https://github.com/FULLSHADE/WindowsExploitationResources
    [CVE-2020-0796]
  26. GitHub: https://github.com/GuoKerS/Some_Script
    [CVE-2020-0796]
  27. GitHub: https://github.com/HackOvert/awesome-bugs
    [CVE-2020-0796]
  28. GitHub: https://github.com/Haruster/Apasys-CVE-2020-0796
    [CVE-2020-0796: MS CVE 2020-0796 SMB]
  29. GitHub: https://github.com/IFccTeR/1_UP_files
    [CVE-2020-0796]
  30. GitHub: https://github.com/Jkrasher/WindowsThreatResearch_JKrasher
    [CVE-2020-0796]
  31. GitHub: https://github.com/Ken-Abruzzi/cve_2020_0796
    [CVE-2020-0796]
  32. GitHub: https://github.com/Kinesys/Kinesys-CVE-2020-0796
    [CVE-2020-0796: MS CVE 2020-0796 SMB]
  33. GitHub: https://github.com/Loveforkeeps/Lemon-Duck
    [CVE-2020-0796]
  34. GitHub: https://github.com/MasterSploit/LPE---CVE-2020-0796
    [CVE-2020-0796]
  35. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2020-0796]
  36. GitHub: https://github.com/Murasame-nc/CVE-2020-0796-LPE-POC
    [CVE-2020-0796]
  37. GitHub: https://github.com/NullArray/WinKernel-Resources
    [CVE-2020-0796]
  38. GitHub: https://github.com/Opensitoo/cve-2020-0796
    [CVE-2020-0796]
  39. GitHub: https://github.com/QWERTSKIHACK/Active-Directory-Exploitation-Cheat-Sheet.
    [CVE-2020-0796]
  40. GitHub: https://github.com/Ra7mo0on/SMBGhost
    [CVE-2020-0796]
  41. GitHub: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
    [CVE-2020-0796]
  42. GitHub: https://github.com/S3cur3Th1sSh1t/WinPwn
    [CVE-2020-0796]
  43. GitHub: https://github.com/SecWiki/windows-kernel-exploits
    [CVE-2020-0796]
  44. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2020-0796]
  45. GitHub: https://github.com/TamilHackz/windows-exploitation
    [CVE-2020-0796]
  46. GitHub: https://github.com/WinMin/Protocol-Vul
    [CVE-2020-0796]
  47. GitHub: https://github.com/atdpa4sw0rd/Experience-library
    [CVE-2020-0796]
  48. GitHub: https://github.com/awsassets/CVE-2020-0798
    [CVE-2020-0796]
  49. GitHub: https://github.com/bmphx2/PoC-codes
    [CVE-2020-0796]
  50. GitHub: https://github.com/byteofjoshua/CVE-2020-0796
    [CVE-2020-0796: Remote Code Execution POC for CVE-2020-0796]
  51. GitHub: https://github.com/cepxeo/redteambins
    [CVE-2020-0796]
  52. GitHub: https://github.com/chompie1337/SMBGhost_RCE_PoC
    [CVE-2020-0796]
  53. GitHub: https://github.com/claroty/CVE2020-0796
    [CVE-2020-0796: CVE2020-0796 SMBv3 RCE]
  54. GitHub: https://github.com/datntsec/CVE-2020-0796
    [CVE-2020-0796]
  55. GitHub: https://github.com/ddiako/Vulncheck
    [CVE-2020-0796]
  56. GitHub: https://github.com/demilson/Windows
    [CVE-2020-0796]
  57. GitHub: https://github.com/eastmountyxz/CSDNBlog-Security-Based
    [CVE-2020-0796]
  58. GitHub: https://github.com/eastmountyxz/NetworkSecuritySelf-study
    [CVE-2020-0796]
  59. GitHub: https://github.com/eastmountyxz/SystemSecurity-ReverseAnalysis
    [CVE-2020-0796]
  60. GitHub: https://github.com/ericzhong2010/GUI-Check-CVE-2020-0976
    [CVE-2020-0796]
  61. GitHub: https://github.com/eventsentry/scripts
    [CVE-2020-0796]
  62. GitHub: https://github.com/halsten/CVE-2020-0796
    [CVE-2020-0796]
  63. GitHub: https://github.com/hectorgie/SMBGHOST
    [CVE-2020-0796]
  64. GitHub: https://github.com/hillu/nmap-nse-smb2-enhancement
    [CVE-2020-0796]
  65. GitHub: https://github.com/hlldz/dazzleUP
    [CVE-2020-0796]
  66. GitHub: https://github.com/i0gan/cve
    [CVE-2020-0796]
  67. GitHub: https://github.com/jeansgit/Pentest
    [CVE-2020-0796]
  68. GitHub: https://github.com/jiansiting/CVE-2020-0796
    [CVE-2020-0796]
  69. GitHub: https://github.com/jstigerwalt/SMBGhost
    [CVE-2020-0796]
  70. GitHub: https://github.com/jweny/pocassistdb
    [CVE-2020-0796]
  71. GitHub: https://github.com/k4t3pro/SMBGhost
    [CVE-2020-0796]
  72. GitHub: https://github.com/kernelkill/cve2020-0796
    [CVE-2020-0796]
  73. GitHub: https://github.com/kn6869610/CVE-2020-0796
    [CVE-2020-0796]
  74. GitHub: https://github.com/lawrenceamer/0xsp-Mongoose
    [CVE-2020-0796]
  75. GitHub: https://github.com/lisinan988/CVE-2020-0796-exp
    [CVE-2020-0796]
  76. GitHub: https://github.com/mai-lang-chai/System-Vulnerability
    [CVE-2020-0796]
  77. GitHub: https://github.com/manasmbellani/gocmdscanner
    [CVE-2020-0796]
  78. GitHub: https://github.com/mathisvickie/KMAC
    [CVE-2020-0796]
  79. GitHub: https://github.com/michael101096/cs2020_msels
    [CVE-2020-0796]
  80. GitHub: https://github.com/mishmashclone/SecWiki-windows-kernel-exploits
    [CVE-2020-0796]
  81. GitHub: https://github.com/msuiche/smbaloo
    [CVE-2020-0796]
  82. GitHub: https://github.com/niudaii/go-crack
    [CVE-2020-0796]
  83. GitHub: https://github.com/ollypwn/SMBGhost
    [CVE-2020-0796: Scanner for CVE-2020-0796 - SMBv3 RCE]
  84. GitHub: https://github.com/orangmuda/CVE-2020-0796
    [CVE-2020-0796: Remote Code Execution POC for CVE-2020-0796]
  85. GitHub: https://github.com/oxctdev/CVE-2020-0796
    [CVE-2020-0796: Remote Code Execution POC for CVE-2020-0796]
  86. GitHub: https://github.com/pathakabhi24/Awesome-C
    [CVE-2020-0796]
  87. GitHub: https://github.com/pengusec/awesome-netsec-articles
    [CVE-2020-0796]
  88. GitHub: https://github.com/plorinquer/cve-2020-0796
    [CVE-2020-0796]
  89. GitHub: https://github.com/pwninx/WinPwn
    [CVE-2020-0796]
  90. GitHub: https://github.com/rhpenguin/tshark-filter
    [CVE-2020-0796]
  91. GitHub: https://github.com/root26/bug
    [CVE-2020-0796]
  92. GitHub: https://github.com/rsmudge/CVE-2020-0796-BOF
    [CVE-2020-0796]
  93. GitHub: https://github.com/safesword/WindowsExp
    [CVE-2020-0796]
  94. GitHub: https://github.com/section-c/CVE-2020-0796
    [CVE-2020-0796]
  95. GitHub: https://github.com/shuanx/vulnerability
    [CVE-2020-0796]
  96. GitHub: https://github.com/sung3r/CobaltStrike
    [CVE-2020-0796]
  97. GitHub: https://github.com/syadg123/CVE-2020-0796
    [CVE-2020-0796]
  98. GitHub: https://github.com/syadg123/SMBGhost
    [CVE-2020-0796]
  99. GitHub: https://github.com/t0rt3ll1n0/cms-scanner
    [CVE-2020-0796]
  100. GitHub: https://github.com/testbugonly/Defence
    [CVE-2020-0796]
  101. GitHub: https://github.com/tobor88/PowerShell-Blue-Team
    [CVE-2020-0796]
  102. GitHub: https://github.com/tripledd/cve-2020-0796-vuln
    [CVE-2020-0796]
  103. GitHub: https://github.com/uhub/awesome-c
    [CVE-2020-0796]
  104. GitHub: https://github.com/vsai94/ECE9069_SMBGhost_Exploit_CVE-2020-0796-
    [CVE-2020-0796: Description of Exploit SMBGhost CVE-2020-0796]
  105. GitHub: https://github.com/wenwen104/ipas2020
    [CVE-2020-0796]
  106. GitHub: https://github.com/wrlu/Vulnerabilities
    [CVE-2020-0796]
  107. GitHub: https://github.com/ycdxsb/Exploits
    [CVE-2020-0796]
  108. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2020-0796]
  109. GitHub: https://github.com/yisan1/hh
    [CVE-2020-0796]
  110. GitHub: https://github.com/ysyyrps123/CVE-2020-0796
    [CVE-2020-0796]
  111. GitHub: https://github.com/z1un/Z1-AggressorScripts
    [CVE-2020-0796]
  112. GitHub: https://github.com/zathizh/cve-796-mit
    [CVE-2020-0796]
  113. GitHub: https://github.com/zer0yu/Awesome-CobaltStrike
    [CVE-2020-0796]
  114. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/48216.zip
    [EDB-48216]
  115. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/48267.zip
    [EDB-48267]
  116. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/48537.zip
    [EDB-48537]
  117. GitHub: https://github.com/0xeb-bp/cve-2020-0796
    [CVE-2020-0796: CVE-2020-0796 (SMBGhost) LPE]
  118. GitHub: https://github.com/1060275195/SMBGhost
    [CVE-2020-0796: Batch testing for CVE-2020-0796 - SMBv3 RCE]
  119. GitHub: https://github.com/5l1v3r1/CVE-2020-0796-PoC-and-Scan
    [CVE-2020-0796: Lightweight PoC and Scanner for CVE-2020-0796 without authentication.]
  120. GitHub: https://github.com/5l1v3r1/smbghost-5
    [CVE-2020-0796: CVE-2020-0796. Smbghost Local Privilege Escalation]
  121. GitHub: https://github.com/5l1v3r1/SMBGhost_Crash_Poc
    [CVE-2020-0796: CVE-2020-0796.SMBGhost_Crash_Poc]
  122. GitHub: https://github.com/Aekras1a/CVE-2020-0796-PoC
    [CVE-2020-0796: Weaponized PoC for SMBv3 TCP codec/compression vulnerability]
  123. GitHub: https://github.com/Almorabea/SMBGhost-LPE-Metasploit-Module
    [CVE-2020-0796: This is an implementation of the CVE-2020-0796 aka SMBGhost vulnerability, ...]
  124. GitHub: https://github.com/Almorabea/SMBGhost-WorkaroundApplier
    [CVE-2020-0796: This script will apply the workaround for the vulnerability CVE-2020-0796 for the ...]
  125. GitHub: https://github.com/awareseven/eternalghosttest
    [CVE-2020-0796: This repository contains a test case for CVE-2020-0796]
  126. GitHub: https://github.com/bacth0san96/SMBGhostScanner
    [CVE-2020-0796: SMBGhost CVE-2020-0796]
  127. GitHub: https://github.com/Barriuso/SMBGhost_AutomateExploitation
    [CVE-2020-0796: SMBGhost (CVE-2020-0796) Automate Exploitation and Detection]
  128. GitHub: https://github.com/BinaryShadow94/SMBv3.1.1-scan---CVE-2020-0796
    [CVE-2020-0796: Little scanner to know if a machine is running SMBv3 (possible vulnerability ...]
  129. GitHub: https://github.com/bonesg/CVE-2020-0797
    [CVE-2020-0796: Exploit the CVE-2020-0796 vulnerability, Remote Code Execution in the SMB protocol ...]
  130. GitHub: https://github.com/ButrintKomoni/cve-2020-0796
    [CVE-2020-0796: Identifying and Mitigating the CVE-2020–0796 flaw in the fly]
  131. GitHub: https://github.com/codewithpradhan/SMBGhost-CVE-2020-0796-
    [CVE-2020-0796: To crash Windows-10 easily]
  132. GitHub: https://github.com/cory-zajicek/CVE-2020-0796-DoS
    [CVE-2020-0796: DoS PoC for CVE-2020-0796 (SMBGhost)]
  133. GitHub: https://github.com/danigargu/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost]
  134. GitHub: https://github.com/Dhoomralochana/Scanners-for-CVE-2020-0796-Testing
    [CVE-2020-0796: Scanners List - Microsoft Windows SMBv3 Remote Code Execution Vulnerability ...]
  135. GitHub: https://github.com/dickens88/cve-2020-0796-scanner
    [CVE-2020-0796: This project is used for scanning cve-2020-0796 SMB vulnerability]
  136. GitHub: https://github.com/eastmountyxz/CVE-2020-0796-SMB
    [CVE-2020-0796: This resource is a reproduction of the CVE-2020-0796 vulnerability, including a Python version and a C++ version. It mainly collects the resources of the GitHub experts; hope you like it~]
  137. GitHub: https://github.com/eerykitty/CVE-2020-0796-PoC
    [CVE-2020-0796: PoC for triggering buffer overflow via CVE-2020-0796]
  138. GitHub: https://github.com/exp-sky/CVE-2020-0796
    [CVE-2020-0796: SMBv3 Ghost (CVE-2020-0796) Vulnerability]
  139. GitHub: https://github.com/f1tz/CVE-2020-0796-LPE-EXP
    [CVE-2020-0796: Windows SMBv3 LPE exploit, compiled version]
  140. GitHub: https://github.com/gabimarti/SMBScanner
    [CVE-2020-0796: Multithread SMB scanner to check CVE-2020-0796 for SMB v3.11]
  141. GitHub: https://github.com/GryllsAaron/CVE-2020-0796-POC
    [CVE-2020-0796: CVE-2020-0796-POC]
  142. GitHub: https://github.com/GuoKerS/aioScan_CVE-2020-0796
    [CVE-2020-0796: asyncio (coroutine) based CVE-2020-0796 scanner; the speed is quite considerable, making it convenient for ops staff to run a quick check of the internal network.]
  143. GitHub: https://github.com/IAreKyleW00t/SMBGhosts
    [CVE-2020-0796: Multithreaded Scanner for CVE-2020-0796 - SMBv3 RCE]
  144. GitHub: https://github.com/intelliroot-tech/cve-2020-0796-Scanner
    [CVE-2020-0796: This tool helps scan large subnets for cve-2020-0796 vulnerable systems]
  145. GitHub: https://github.com/ioncodes/SMBGhost
    [CVE-2020-0796: Scanner for CVE-2020-0796 - A SMBv3.1.1 + SMB compression RCE]
  146. GitHub: https://github.com/jiansiting/CVE-2020-0796-Scanner
    [CVE-2020-0796: CVE-2020-0796-Scanner]
  147. GitHub: https://github.com/joaozietolie/CVE-2020-0796-Checker
    [CVE-2020-0796: Script that checks if the system is vulnerable to CVE-2020-0796 (SMB v3.1.1)]
  148. GitHub: https://github.com/julixsalas/CVE-2020-0796
    [CVE-2020-0796: Scanner for CVE-2020-0796]
  149. GitHub: https://github.com/k8gege/PyLadon
    [CVE-2020-0796: Ladon Scanner For Python, Large Network Penetration Scanner & Cobalt Strike, ...]
  150. GitHub: https://github.com/LabDookhtegan/CVE-2020-0796-EXP
    [CVE-2020-0796: CVE-2020-0796-EXP]
  151. GitHub: https://github.com/laolisafe/CVE-2020-0796
    [CVE-2020-0796: SMBv3 RCE vulnerability in SMBv3]
  152. GitHub: https://github.com/ly4k/SMBGhost
    [CVE-2020-0796: Scanner for CVE-2020-0796 - SMBv3 RCE]
  153. GitHub: https://github.com/marcinguy/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 SMBGhost]
  154. GitHub: https://github.com/maxpl0it/Unauthenticated-CVE-2020-0796-PoC
    [CVE-2020-0796: An unauthenticated PoC for CVE-2020-0796]
  155. GitHub: https://github.com/netscylla/SMBGhost
    [CVE-2020-0796: SMBGhost (CVE-2020-0796) threaded scanner]
  156. GitHub: https://github.com/psc4re/NSE-scripts
    [CVE-2020-0796: NSE scripts to detect CVE-2020-1350 SIGRED and CVE-2020-0796 SMBGHOST, CVE-2021-21972 ...]
  157. GitHub: https://github.com/ran-sama/CVE-2020-0796
    [CVE-2020-0796: Lightweight PoC and Scanner for CVE-2020-0796 without authentication.]
  158. GitHub: https://github.com/RonnieNiu/CVE-2020_0796-exp
    [CVE-2020-0796: CVE-2020_0796-exp]
  159. GitHub: https://github.com/Rvn0xsy/CVE_2020_0796_CNA
    [CVE-2020-0796: Cobalt Strike AggressorScripts CVE-2020-0796]
  160. GitHub: https://github.com/sujitawake/smbghost
    [CVE-2020-0796: CVE-2020-0796_CoronaBlue_SMBGhost]
  161. GitHub: https://github.com/T13nn3s/CVE-2020-0796
    [CVE-2020-0796: Powershell SMBv3 Compression checker]
  162. GitHub: https://github.com/tango-j/CVE-2020-0796
    [CVE-2020-0796: Coronablue exploit]
  163. GitHub: https://github.com/technion/DisableSMBCompression
    [CVE-2020-0796: CVE-2020-0796 Flaw Mitigation - Active Directory Administrative Templates]
  164. GitHub: https://github.com/thelostworldFree/CVE-2020-0796
    [CVE-2020-0796: PoC RCE Reverse Shell for CVE-2020-0796 (SMBGhost)]
  165. GitHub: https://github.com/TinToSer/cve2020-0796
    [CVE-2020-0796: Microsoft SMV3.1.1 wormable Exploit]
  166. GitHub: https://github.com/TinToSer/CVE-2020-0796-LPE
    [CVE-2020-0796: SMBGHOST local privilege escalation]
  167. GitHub: https://github.com/UraSecTeam/smbee
    [CVE-2020-0796: Check system is vulnerable CVE-2020-0796 (SMB v3)]
  168. GitHub: https://github.com/vysecurity/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 - Working PoC - 20200313]
  169. GitHub: https://github.com/w1ld3r/SMBGhost_Scanner
    [CVE-2020-0796: Advanced scanner for CVE-2020-0796 - SMBv3 RCE]
  170. GitHub: https://github.com/wneessen/SMBCompScan
    [CVE-2020-0796: Scanner script to identify hosts vulnerable to CVE-2020-0796]
  171. GitHub: https://github.com/wsfengfan/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 Python POC buffer overflow]
  172. GitHub: https://github.com/xax007/CVE-2020-0796-Scanner
    [CVE-2020-0796: CVE-2020-0796 SMBv3.1.1 Compression Capability Vulnerability Scanner]
  173. GitHub: https://github.com/ysyyrps123/CVE-2020-0796-exp
    [CVE-2020-0796: CVE-2020-0796-exp]
  174. GitHub: https://github.com/ZecOps/CVE-2020-0796-LPE-POC
    [CVE-2020-0796: CVE-2020-0796 Local Privilege Escalation POC]
  175. GitHub: https://github.com/ZecOps/CVE-2020-0796-RCE-POC
    [CVE-2020-0796: CVE-2020-0796 Remote Code Execution POC]
  176. GitHub: https://github.com/ZecOps/SMBGhost-SMBleed-scanner
    [CVE-2020-0796: SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner]
  177. GitHub: https://github.com/ORCA666/CVE-2020-0796
    [CVE-2020-0796: Local exploit]
  178. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2020-0796
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 6.5 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.5 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 10.0 (Critical)
Impact Subscore: 6.0
Exploitability Subscore: 3.9
CVSS Temporal Score: 9.5 (Critical)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 9.5 (Critical)


Plugin Source


This is the smb_microsoft_windows_adv200005_remote.nasl Nessus plugin source code. This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(134421);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/11");

  script_cve_id("CVE-2020-0796");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/10");

  script_name(english:"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is using a vulnerable version of SMB.");
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in Microsoft Server Message Block
3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed
data packet. An unauthenticated, remote attacker can exploit this to bypass
authentication and execute arbitrary commands.

Note, the plugin checks if SMB 3.1.1 with compression is enabled. It does not
currently verify the vulnerability itself.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?736703d3");
  script_set_attribute(attribute:"solution", value:
"Microsoft has provided additional details and guidance in the ADV200005 advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0796");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SMBv3 Compression Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/11");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_dialects_enabled.nasl");
  script_require_keys("SMB/smb_dialect/3.1.1", "Settings/ParanoidReport");
  script_require_ports(139, 445);

  exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('smb_func.inc');
include('misc_func.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = kb_smb_transport();

if (get_kb_item('SMB/smb_dialect/3.1.1/compression'))
{
  report = 'Nessus was able to detect SMB 3.1.1 with compression enabled using a specially crafted packet.\n';
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
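The plugin above does not probe the bug itself: it reports SECURITY_HOLE whenever smb_dialects_enabled.nasl has set the SMB/smb_dialect/3.1.1/compression KB item, i.e. whenever the server's SMB2 NEGOTIATE response carried an SMB2_COMPRESSION_CAPABILITIES context. The parser below, added here as an example and not part of the Tenable plugin, reproduces that decision over a negotiate response (field layout per MS-SMB2); the sample packet builder, the helper names and the zeroed header fields are this example's own constructions, so it can be run against a captured response when triaging a scanner hit.

```python
"""Decide whether an SMB2 NEGOTIATE response advertises SMB 3.1.1 compression.

This mirrors what plugin 134421 reports on: the dialect is 3.1.1 and the
server included an SMB2_COMPRESSION_CAPABILITIES negotiate context with at
least one real algorithm. A missing context, or a context listing only NONE,
is treated as "compression not enabled" (the audit(AUDIT_HOST_NOT) branch).
"""
import struct

SMB2_HEADER_LEN = 64
DIALECT_311 = 0x0311
SMB2_COMPRESSION_CAPABILITIES = 0x0003  # negotiate context type (MS-SMB2 2.2.3.1)
COMPRESSION_ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}


def parse_negotiate_response(pkt: bytes) -> dict:
    """Return the negotiated dialect and the advertised compression algorithms."""
    if len(pkt) < SMB2_HEADER_LEN + 64 or pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    body = pkt[SMB2_HEADER_LEN:]
    structure_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", body, 0)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    # NegotiateContextOffset sits at body offset 60 and is relative to the SMB2 header start.
    (ctx_offset,) = struct.unpack_from("<I", body, 60)
    result = {"dialect": dialect, "compression_algorithms": []}
    if dialect != DIALECT_311:
        return result  # negotiate contexts only exist for dialect 3.1.1
    off = ctx_offset
    for _ in range(ctx_count):
        ctype, dlen = struct.unpack_from("<HH", pkt, off)  # ContextType, DataLength, then 4 reserved bytes
        data = pkt[off + 8:off + 8 + dlen]
        if ctype == SMB2_COMPRESSION_CAPABILITIES:
            if dlen < 8:
                raise ValueError("truncated compression context")
            count, _pad, _flags = struct.unpack_from("<HHI", data, 0)
            algs = struct.unpack_from("<%dH" % count, data, 8)
            result["compression_algorithms"] = [COMPRESSION_ALGORITHMS.get(a, hex(a)) for a in algs]
        off += (8 + dlen + 7) & ~7  # each context is padded to an 8-byte boundary
    return result


def compression_enabled(pkt: bytes) -> bool:
    """The plugin's condition: SMB 3.1.1 plus at least one non-NONE compression algorithm."""
    r = parse_negotiate_response(pkt)
    return r["dialect"] == DIALECT_311 and any(a != "NONE" for a in r["compression_algorithms"])


def build_sample_response(dialect: int, algorithms: list) -> bytes:
    """Constructed sample (not a real capture): a minimal NEGOTIATE response whose
    header fields are zeroed and which carries a compression context when asked to."""
    header = b"\xfeSMB" + bytes(60)
    contexts = b""
    if dialect == DIALECT_311 and algorithms:
        data = struct.pack("<HHI", len(algorithms), 0, 0) + struct.pack("<%dH" % len(algorithms), *algorithms)
        contexts = struct.pack("<HHI", SMB2_COMPRESSION_CAPABILITIES, len(data), 0) + data
    ctx_count = 1 if contexts else 0
    ctx_offset = SMB2_HEADER_LEN + 72 if contexts else 0  # 64-byte body + 1-byte Buffer, padded to 8
    body = struct.pack("<HHHH", 65, 0, dialect, ctx_count)
    body += bytes(16) + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # ServerGuid, Capabilities, sizes
    body += struct.pack("<QQ", 0, 0)  # SystemTime, ServerStartTime
    body += struct.pack("<HHI", 128, 0, ctx_offset)  # SecurityBufferOffset/Length, NegotiateContextOffset
    body += bytes(8)  # Buffer byte plus alignment padding
    return header + body + contexts


if __name__ == "__main__":
    sample = build_sample_response(DIALECT_311, [3, 2, 1])
    print(parse_negotiate_response(sample), "-> would report:", compression_enabled(sample))
```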


The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/smb_microsoft_windows_adv200005_remote.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_microsoft_windows_adv200005_remote.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/smb_microsoft_windows_adv200005_remote.nasl


How to Run


Here is how to run the Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) plugin ID 134421.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_microsoft_windows_adv200005_remote.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a smb_microsoft_windows_adv200005_remote.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_microsoft_windows_adv200005_remote.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state smb_microsoft_windows_adv200005_remote.nasl -t <IP/HOST>


References


See also: Similar and related Nessus plugins:
  • 135177 - Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)
  • 134420 - Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Deprecated)
  • 134428 - KB4551762: Windows 10 Version 1903 and Windows 10 Version 1909 OOB Security Update (ADV200005)(CVE-2020-0796)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_microsoft_windows_adv200005_remote.nasl version 1.8. For more plugins, visit the Nessus Plugin Library.
