Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) - Nessus

Critical   Plugin ID: 135177

This page contains detailed information about the Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 135177
Name: Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)
Filename: microsoft_smb_cve-2020-0796.nasl
Vulnerability Published: 2020-03-12
This Plugin Published: 2020-04-02
Last Modification Time: 2022-02-11
Plugin Version: 1.5
Plugin Type: remote
Plugin Family: Windows
Dependencies: os_fingerprint.nasl, samba_detect.nasl, smb_dialects_enabled.nasl
Required KB Items: SMB/smb_dialect/3.1.1/compression
Excluded KB Items: SMB/samba

Vulnerability Information


Severity: Critical
Vulnerability Published: 2020-03-12
Patch Published: 2020-03-12
CVE: CVE-2020-0796
CPE: cpe:/o:microsoft:windows
Exploited by Malware: True

Synopsis

The remote Windows host is using a vulnerable version of SMB.

Description

A remote code execution vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed data packet. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.

Note that this plugin works only if it can connect to the IPC$ share anonymously using SMB dialect 3.1.1.

Solution

Apply Cumulative Update KB4551762.

Public Exploits


Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) vulnerability:

  1. Metasploit: exploit/windows/local/cve_2020_0796_smbghost
    [SMBv3 Compression Buffer Overflow]
  2. Metasploit: exploit/windows/smb/cve_2020_0796_smbghost
    [SMBv3 Compression Buffer Overflow]
  3. Exploit-DB: exploits/windows/dos/48216.md
    [EDB-48216: Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)]
  4. Exploit-DB: exploits/windows/local/48267.txt
    [EDB-48267: Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation]
  5. Exploit-DB: exploits/windows/remote/48537.py
    [EDB-48537: Microsoft Windows - 'SMBGhost' Remote Code Execution]
  6. GitHub: https://github.com/0xpetros/windows-privilage-escalation
    [CVE-2020-0796]
  7. GitHub: https://github.com/1stPeak/CVE-2020-0796-Scanner
    [CVE-2020-0796]
  8. GitHub: https://github.com/3gstudent/Homework-of-Python
    [CVE-2020-0796]
  9. GitHub: https://github.com/5l1v3r1/CVE-2020-0796-PoC-3
    [CVE-2020-0796: CVE-2020-0796 - a wormable SMBv3 vulnerability.]
  10. GitHub: https://github.com/5l1v3r1/cve-2020-0802
    [CVE-2020-0796]
  11. GitHub: https://github.com/2522595153/text
    [CVE-2020-0796]
  12. GitHub: https://github.com/ASkyeye/RAGINGBULL
    [CVE-2020-0796]
  13. GitHub: https://github.com/AaronWilsonGrylls/CVE-2020-0796-POC
    [CVE-2020-0796: CVE-2020-0796-POC]
  14. GitHub: https://github.com/Al1ex/WindowsElevation
    [CVE-2020-0796]
  15. GitHub: https://github.com/Anonimo501/SMBGhost_CVE-2020-0796_checker
    [CVE-2020-0796]
  16. GitHub: https://github.com/Ascotbe/Kernelhub
    [CVE-2020-0796]
  17. GitHub: https://github.com/Astrogeorgeonethree/Starred
    [CVE-2020-0796]
  18. GitHub: https://github.com/BOFs/365CS
    [CVE-2020-0796]
  19. GitHub: https://github.com/BOFs/CobaltStrike
    [CVE-2020-0796]
  20. GitHub: https://github.com/CYJoe-Cyclone/Awesome-CobaltStrike
    [CVE-2020-0796]
  21. GitHub: https://github.com/CyberMonitor/somethingweneed
    [CVE-2020-0796]
  22. GitHub: https://github.com/DreamoneOnly/CVE-2020-0796-LPE
    [CVE-2020-0796]
  23. GitHub: https://github.com/EncodeGroup/BOF-RegSave
    [CVE-2020-0796]
  24. GitHub: https://github.com/F6JO/CVE-2020-0796-Batch-scanning
    [CVE-2020-0796: Batch scanning for CVE-2020-0796]
  25. GitHub: https://github.com/FULLSHADE/WindowsExploitationResources
    [CVE-2020-0796]
  26. GitHub: https://github.com/GuoKerS/Some_Script
    [CVE-2020-0796]
  27. GitHub: https://github.com/HackOvert/awesome-bugs
    [CVE-2020-0796]
  28. GitHub: https://github.com/Haruster/Apasys-CVE-2020-0796
    [CVE-2020-0796: MS CVE 2020-0796 SMB]
  29. GitHub: https://github.com/IFccTeR/1_UP_files
    [CVE-2020-0796]
  30. GitHub: https://github.com/Jkrasher/WindowsThreatResearch_JKrasher
    [CVE-2020-0796]
  31. GitHub: https://github.com/Ken-Abruzzi/cve_2020_0796
    [CVE-2020-0796]
  32. GitHub: https://github.com/Kinesys/Kinesys-CVE-2020-0796
    [CVE-2020-0796: MS CVE 2020-0796 SMB]
  33. GitHub: https://github.com/Loveforkeeps/Lemon-Duck
    [CVE-2020-0796]
  34. GitHub: https://github.com/MasterSploit/LPE---CVE-2020-0796
    [CVE-2020-0796]
  35. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2020-0796]
  36. GitHub: https://github.com/Murasame-nc/CVE-2020-0796-LPE-POC
    [CVE-2020-0796]
  37. GitHub: https://github.com/NullArray/WinKernel-Resources
    [CVE-2020-0796]
  38. GitHub: https://github.com/Opensitoo/cve-2020-0796
    [CVE-2020-0796]
  39. GitHub: https://github.com/QWERTSKIHACK/Active-Directory-Exploitation-Cheat-Sheet.
    [CVE-2020-0796]
  40. GitHub: https://github.com/Ra7mo0on/SMBGhost
    [CVE-2020-0796]
  41. GitHub: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
    [CVE-2020-0796]
  42. GitHub: https://github.com/S3cur3Th1sSh1t/WinPwn
    [CVE-2020-0796]
  43. GitHub: https://github.com/SecWiki/windows-kernel-exploits
    [CVE-2020-0796]
  44. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2020-0796]
  45. GitHub: https://github.com/TamilHackz/windows-exploitation
    [CVE-2020-0796]
  46. GitHub: https://github.com/WinMin/Protocol-Vul
    [CVE-2020-0796]
  47. GitHub: https://github.com/atdpa4sw0rd/Experience-library
    [CVE-2020-0796]
  48. GitHub: https://github.com/awsassets/CVE-2020-0798
    [CVE-2020-0796]
  49. GitHub: https://github.com/bmphx2/PoC-codes
    [CVE-2020-0796]
  50. GitHub: https://github.com/byteofjoshua/CVE-2020-0796
    [CVE-2020-0796: Remote Code Execution POC for CVE-2020-0796]
  51. GitHub: https://github.com/cepxeo/redteambins
    [CVE-2020-0796]
  52. GitHub: https://github.com/chompie1337/SMBGhost_RCE_PoC
    [CVE-2020-0796]
  53. GitHub: https://github.com/claroty/CVE2020-0796
    [CVE-2020-0796: CVE2020-0796 SMBv3 RCE]
  54. GitHub: https://github.com/datntsec/CVE-2020-0796
    [CVE-2020-0796]
  55. GitHub: https://github.com/ddiako/Vulncheck
    [CVE-2020-0796]
  56. GitHub: https://github.com/demilson/Windows
    [CVE-2020-0796]
  57. GitHub: https://github.com/eastmountyxz/CSDNBlog-Security-Based
    [CVE-2020-0796]
  58. GitHub: https://github.com/eastmountyxz/NetworkSecuritySelf-study
    [CVE-2020-0796]
  59. GitHub: https://github.com/eastmountyxz/SystemSecurity-ReverseAnalysis
    [CVE-2020-0796]
  60. GitHub: https://github.com/ericzhong2010/GUI-Check-CVE-2020-0976
    [CVE-2020-0796]
  61. GitHub: https://github.com/eventsentry/scripts
    [CVE-2020-0796]
  62. GitHub: https://github.com/halsten/CVE-2020-0796
    [CVE-2020-0796]
  63. GitHub: https://github.com/hectorgie/SMBGHOST
    [CVE-2020-0796]
  64. GitHub: https://github.com/hillu/nmap-nse-smb2-enhancement
    [CVE-2020-0796]
  65. GitHub: https://github.com/hlldz/dazzleUP
    [CVE-2020-0796]
  66. GitHub: https://github.com/i0gan/cve
    [CVE-2020-0796]
  67. GitHub: https://github.com/jeansgit/Pentest
    [CVE-2020-0796]
  68. GitHub: https://github.com/jiansiting/CVE-2020-0796
    [CVE-2020-0796]
  69. GitHub: https://github.com/jstigerwalt/SMBGhost
    [CVE-2020-0796]
  70. GitHub: https://github.com/jweny/pocassistdb
    [CVE-2020-0796]
  71. GitHub: https://github.com/k4t3pro/SMBGhost
    [CVE-2020-0796]
  72. GitHub: https://github.com/kernelkill/cve2020-0796
    [CVE-2020-0796]
  73. GitHub: https://github.com/kn6869610/CVE-2020-0796
    [CVE-2020-0796]
  74. GitHub: https://github.com/lawrenceamer/0xsp-Mongoose
    [CVE-2020-0796]
  75. GitHub: https://github.com/lisinan988/CVE-2020-0796-exp
    [CVE-2020-0796]
  76. GitHub: https://github.com/mai-lang-chai/System-Vulnerability
    [CVE-2020-0796]
  77. GitHub: https://github.com/manasmbellani/gocmdscanner
    [CVE-2020-0796]
  78. GitHub: https://github.com/mathisvickie/KMAC
    [CVE-2020-0796]
  79. GitHub: https://github.com/michael101096/cs2020_msels
    [CVE-2020-0796]
  80. GitHub: https://github.com/mishmashclone/SecWiki-windows-kernel-exploits
    [CVE-2020-0796]
  81. GitHub: https://github.com/msuiche/smbaloo
    [CVE-2020-0796]
  82. GitHub: https://github.com/niudaii/go-crack
    [CVE-2020-0796]
  83. GitHub: https://github.com/ollypwn/SMBGhost
    [CVE-2020-0796: Scanner for CVE-2020-0796 - SMBv3 RCE]
  84. GitHub: https://github.com/orangmuda/CVE-2020-0796
    [CVE-2020-0796: Remote Code Execution POC for CVE-2020-0796]
  85. GitHub: https://github.com/oxctdev/CVE-2020-0796
    [CVE-2020-0796: Remote Code Execution POC for CVE-2020-0796]
  86. GitHub: https://github.com/pathakabhi24/Awesome-C
    [CVE-2020-0796]
  87. GitHub: https://github.com/pengusec/awesome-netsec-articles
    [CVE-2020-0796]
  88. GitHub: https://github.com/plorinquer/cve-2020-0796
    [CVE-2020-0796]
  89. GitHub: https://github.com/pwninx/WinPwn
    [CVE-2020-0796]
  90. GitHub: https://github.com/rhpenguin/tshark-filter
    [CVE-2020-0796]
  91. GitHub: https://github.com/root26/bug
    [CVE-2020-0796]
  92. GitHub: https://github.com/rsmudge/CVE-2020-0796-BOF
    [CVE-2020-0796]
  93. GitHub: https://github.com/safesword/WindowsExp
    [CVE-2020-0796]
  94. GitHub: https://github.com/section-c/CVE-2020-0796
    [CVE-2020-0796]
  95. GitHub: https://github.com/shuanx/vulnerability
    [CVE-2020-0796]
  96. GitHub: https://github.com/sung3r/CobaltStrike
    [CVE-2020-0796]
  97. GitHub: https://github.com/syadg123/CVE-2020-0796
    [CVE-2020-0796]
  98. GitHub: https://github.com/syadg123/SMBGhost
    [CVE-2020-0796]
  99. GitHub: https://github.com/t0rt3ll1n0/cms-scanner
    [CVE-2020-0796]
  100. GitHub: https://github.com/testbugonly/Defence
    [CVE-2020-0796]
  101. GitHub: https://github.com/tobor88/PowerShell-Blue-Team
    [CVE-2020-0796]
  102. GitHub: https://github.com/tripledd/cve-2020-0796-vuln
    [CVE-2020-0796]
  103. GitHub: https://github.com/uhub/awesome-c
    [CVE-2020-0796]
  104. GitHub: https://github.com/vsai94/ECE9069_SMBGhost_Exploit_CVE-2020-0796-
    [CVE-2020-0796: Description of Exploit SMBGhost CVE-2020-0796]
  105. GitHub: https://github.com/wenwen104/ipas2020
    [CVE-2020-0796]
  106. GitHub: https://github.com/wrlu/Vulnerabilities
    [CVE-2020-0796]
  107. GitHub: https://github.com/ycdxsb/Exploits
    [CVE-2020-0796]
  108. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2020-0796]
  109. GitHub: https://github.com/yisan1/hh
    [CVE-2020-0796]
  110. GitHub: https://github.com/ysyyrps123/CVE-2020-0796
    [CVE-2020-0796]
  111. GitHub: https://github.com/z1un/Z1-AggressorScripts
    [CVE-2020-0796]
  112. GitHub: https://github.com/zathizh/cve-796-mit
    [CVE-2020-0796]
  113. GitHub: https://github.com/zer0yu/Awesome-CobaltStrike
    [CVE-2020-0796]
  114. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/48216.zip
    [EDB-48216]
  115. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/48267.zip
    [EDB-48267]
  116. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/48537.zip
    [EDB-48537]
  117. GitHub: https://github.com/0xeb-bp/cve-2020-0796
    [CVE-2020-0796: CVE-2020-0796 (SMBGhost) LPE]
  118. GitHub: https://github.com/1060275195/SMBGhost
    [CVE-2020-0796: Batch testing for CVE-2020-0796 - SMBv3 RCE]
  119. GitHub: https://github.com/5l1v3r1/CVE-2020-0796-PoC-and-Scan
    [CVE-2020-0796: Lightweight PoC and Scanner for CVE-2020-0796 without authentication.]
  120. GitHub: https://github.com/5l1v3r1/smbghost-5
    [CVE-2020-0796: CVE-2020-0796. Smbghost Local Privilege Escalation]
  121. GitHub: https://github.com/5l1v3r1/SMBGhost_Crash_Poc
    [CVE-2020-0796: CVE-2020-0796.SMBGhost_Crash_Poc]
  122. GitHub: https://github.com/Aekras1a/CVE-2020-0796-PoC
    [CVE-2020-0796: Weaponized PoC for SMBv3 TCP codec/compression vulnerability]
  123. GitHub: https://github.com/Almorabea/SMBGhost-LPE-Metasploit-Module
    [CVE-2020-0796: This is an implementation of the CVE-2020-0796 aka SMBGhost vulnerability, ...]
  124. GitHub: https://github.com/Almorabea/SMBGhost-WorkaroundApplier
    [CVE-2020-0796: This script will apply the workaround for the vulnerability CVE-2020-0796 for the ...]
  125. GitHub: https://github.com/awareseven/eternalghosttest
    [CVE-2020-0796: This repository contains a test case for CVE-2020-0796]
  126. GitHub: https://github.com/bacth0san96/SMBGhostScanner
    [CVE-2020-0796: SMBGhost CVE-2020-0796]
  127. GitHub: https://github.com/Barriuso/SMBGhost_AutomateExploitation
    [CVE-2020-0796: SMBGhost (CVE-2020-0796) Automate Exploitation and Detection]
  128. GitHub: https://github.com/BinaryShadow94/SMBv3.1.1-scan---CVE-2020-0796
    [CVE-2020-0796: Little scanner to know if a machine is running SMBv3 (possible vulnerability ...]
  129. GitHub: https://github.com/bonesg/CVE-2020-0797
    [CVE-2020-0796: Exploit the CVE-2020-0796 vulnerability, Remote Code Execution in the SMB protocol ...]
  130. GitHub: https://github.com/ButrintKomoni/cve-2020-0796
    [CVE-2020-0796: Identifying and Mitigating the CVE-2020-0796 flaw on the fly]
  131. GitHub: https://github.com/codewithpradhan/SMBGhost-CVE-2020-0796-
    [CVE-2020-0796: To crash Windows-10 easily]
  132. GitHub: https://github.com/cory-zajicek/CVE-2020-0796-DoS
    [CVE-2020-0796: DoS PoC for CVE-2020-0796 (SMBGhost)]
  133. GitHub: https://github.com/danigargu/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost]
  134. GitHub: https://github.com/Dhoomralochana/Scanners-for-CVE-2020-0796-Testing
    [CVE-2020-0796: Scanners List - Microsoft Windows SMBv3 Remote Code Execution Vulnerability ...]
  135. GitHub: https://github.com/dickens88/cve-2020-0796-scanner
    [CVE-2020-0796: This project is used for scanning cve-2020-0796 SMB vulnerability]
  136. GitHub: https://github.com/eastmountyxz/CVE-2020-0796-SMB
    [CVE-2020-0796: This resource reproduces the CVE-2020-0796 vulnerability, including a Python version and a C++ version. It mainly collects resources from GitHub experts; hope you like it~]
  137. GitHub: https://github.com/eerykitty/CVE-2020-0796-PoC
    [CVE-2020-0796: PoC for triggering buffer overflow via CVE-2020-0796]
  138. GitHub: https://github.com/exp-sky/CVE-2020-0796
    [CVE-2020-0796: SMBv3 Ghost (CVE-2020-0796) Vulnerability]
  139. GitHub: https://github.com/f1tz/CVE-2020-0796-LPE-EXP
    [CVE-2020-0796: Windows SMBv3 LPE exploit, compiled version]
  140. GitHub: https://github.com/gabimarti/SMBScanner
    [CVE-2020-0796: Multithread SMB scanner to check CVE-2020-0796 for SMB v3.11]
  141. GitHub: https://github.com/GryllsAaron/CVE-2020-0796-POC
    [CVE-2020-0796: CVE-2020-0796-POC]
  142. GitHub: https://github.com/GuoKerS/aioScan_CVE-2020-0796
    [CVE-2020-0796: An asyncio (coroutine) based CVE-2020-0796 scanner; it is quite fast and lets ops staff quickly check an internal network.]
  143. GitHub: https://github.com/IAreKyleW00t/SMBGhosts
    [CVE-2020-0796: Multithreaded Scanner for CVE-2020-0796 - SMBv3 RCE]
  144. GitHub: https://github.com/intelliroot-tech/cve-2020-0796-Scanner
    [CVE-2020-0796: This tool helps scan large subnets for cve-2020-0796 vulnerable systems]
  145. GitHub: https://github.com/ioncodes/SMBGhost
    [CVE-2020-0796: Scanner for CVE-2020-0796 - A SMBv3.1.1 + SMB compression RCE]
  146. GitHub: https://github.com/jiansiting/CVE-2020-0796-Scanner
    [CVE-2020-0796: CVE-2020-0796-Scanner]
  147. GitHub: https://github.com/joaozietolie/CVE-2020-0796-Checker
    [CVE-2020-0796: Script that checks if the system is vulnerable to CVE-2020-0796 (SMB v3.1.1)]
  148. GitHub: https://github.com/julixsalas/CVE-2020-0796
    [CVE-2020-0796: Scanner for CVE-2020-0796]
  149. GitHub: https://github.com/k8gege/PyLadon
    [CVE-2020-0796: Ladon Scanner For Python, Large Network Penetration Scanner & Cobalt Strike, ...]
  150. GitHub: https://github.com/LabDookhtegan/CVE-2020-0796-EXP
    [CVE-2020-0796: CVE-2020-0796-EXP]
  151. GitHub: https://github.com/laolisafe/CVE-2020-0796
    [CVE-2020-0796: SMBv3 RCE vulnerability in SMBv3]
  152. GitHub: https://github.com/ly4k/SMBGhost
    [CVE-2020-0796: Scanner for CVE-2020-0796 - SMBv3 RCE]
  153. GitHub: https://github.com/marcinguy/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 SMBGhost]
  154. GitHub: https://github.com/maxpl0it/Unauthenticated-CVE-2020-0796-PoC
    [CVE-2020-0796: An unauthenticated PoC for CVE-2020-0796]
  155. GitHub: https://github.com/netscylla/SMBGhost
    [CVE-2020-0796: SMBGhost (CVE-2020-0796) threaded scanner]
  156. GitHub: https://github.com/psc4re/NSE-scripts
    [CVE-2020-0796: NSE scripts to detect CVE-2020-1350 SIGRED and CVE-2020-0796 SMBGHOST, CVE-2021-21972 ...]
  157. GitHub: https://github.com/ran-sama/CVE-2020-0796
    [CVE-2020-0796: Lightweight PoC and Scanner for CVE-2020-0796 without authentication.]
  158. GitHub: https://github.com/RonnieNiu/CVE-2020_0796-exp
    [CVE-2020-0796: CVE-2020_0796-exp]
  159. GitHub: https://github.com/Rvn0xsy/CVE_2020_0796_CNA
    [CVE-2020-0796: Cobalt Strike AggressorScripts CVE-2020-0796]
  160. GitHub: https://github.com/sujitawake/smbghost
    [CVE-2020-0796: CVE-2020-0796_CoronaBlue_SMBGhost]
  161. GitHub: https://github.com/T13nn3s/CVE-2020-0796
    [CVE-2020-0796: Powershell SMBv3 Compression checker]
  162. GitHub: https://github.com/tango-j/CVE-2020-0796
    [CVE-2020-0796: Coronablue exploit]
  163. GitHub: https://github.com/technion/DisableSMBCompression
    [CVE-2020-0796: CVE-2020-0796 Flaw Mitigation - Active Directory Administrative Templates]
  164. GitHub: https://github.com/thelostworldFree/CVE-2020-0796
    [CVE-2020-0796: PoC RCE Reverse Shell for CVE-2020-0796 (SMBGhost)]
  165. GitHub: https://github.com/TinToSer/cve2020-0796
    [CVE-2020-0796: Microsoft SMV3.1.1 wormable Exploit]
  166. GitHub: https://github.com/TinToSer/CVE-2020-0796-LPE
    [CVE-2020-0796: SMBGHOST local privilege escalation]
  167. GitHub: https://github.com/UraSecTeam/smbee
    [CVE-2020-0796: Check system is vulnerable CVE-2020-0796 (SMB v3)]
  168. GitHub: https://github.com/vysecurity/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 - Working PoC - 20200313]
  169. GitHub: https://github.com/w1ld3r/SMBGhost_Scanner
    [CVE-2020-0796: Advanced scanner for CVE-2020-0796 - SMBv3 RCE]
  170. GitHub: https://github.com/wneessen/SMBCompScan
    [CVE-2020-0796: Scanner script to identify hosts vulnerable to CVE-2020-0796]
  171. GitHub: https://github.com/wsfengfan/CVE-2020-0796
    [CVE-2020-0796: CVE-2020-0796 Python POC buffer overflow]
  172. GitHub: https://github.com/xax007/CVE-2020-0796-Scanner
    [CVE-2020-0796: CVE-2020-0796 SMBv3.1.1 Compression Capability Vulnerability Scanner]
  173. GitHub: https://github.com/ysyyrps123/CVE-2020-0796-exp
    [CVE-2020-0796: CVE-2020-0796-exp]
  174. GitHub: https://github.com/ZecOps/CVE-2020-0796-LPE-POC
    [CVE-2020-0796: CVE-2020-0796 Local Privilege Escalation POC]
  175. GitHub: https://github.com/ZecOps/CVE-2020-0796-RCE-POC
    [CVE-2020-0796: CVE-2020-0796 Remote Code Execution POC]
  176. GitHub: https://github.com/ZecOps/SMBGhost-SMBleed-scanner
    [CVE-2020-0796: SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner]
  177. GitHub: https://github.com/ORCA666/CVE-2020-0796
    [CVE-2020-0796: Local exploit]
  178. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2020-0796
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 6.5 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.5 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 10.0 (Critical)
Impact Subscore: 6.0
Exploitability Subscore: 3.9
CVSS Temporal Score: 9.5 (Critical)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 9.5 (Critical)


Plugin Source


This is the microsoft_smb_cve-2020-0796.nasl nessus plugin source code. This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(135177);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/11");

  script_cve_id("CVE-2020-0796");
  script_xref(name:"MSKB", value:"4551762");
  script_xref(name:"MSFT", value:"MS20-4551762");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/10");

  script_name(english:"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is using a vulnerable version of SMB.");
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in Microsoft Server Message Block
3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed
data packet. An unauthenticated, remote attacker can exploit this to bypass
authentication and execute arbitrary commands.

Note that this plugin works only if it can connect to the IPC$
share anonymously using SMB dialect 3.1.1.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?32926bb8");
  script_set_attribute(attribute:"solution", value:
"Apply Cumulative Update KB4551762.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0796");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SMBv3 Compression Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_dialects_enabled.nasl", "os_fingerprint.nasl", "samba_detect.nasl");
  script_require_keys("SMB/smb_dialect/3.1.1/compression");
  script_exclude_keys("SMB/samba");
  script_require_ports(139, 445);

  exit(0);
}

include('smb_func.inc');
include('agent.inc');

##
# Receive an SMB message starting with the header.
#
# @return SMB response message or NULL on error.
##
function my_smb2_recv()
{
  local_var socket, timeout, length, trailer, ret, header;

  socket = session_get_socket ();
  timeout = session_get_timeout ();

  length = recv(socket:socket, length:4, min:4, timeout:timeout);
  if (strlen(length) != 4)
    return NULL;

  # NetBIOS session header: a type byte followed by a 24-bit big-endian length.
  length = 65536 * ord(length[1]) +
           256 * ord(length[2]) +
           ord(length[3]);

  if (length > 100000)
    length = 100000;

  trailer = recv(socket:socket, length:length, min:length, timeout:timeout);
  if (strlen(trailer) < length )
    return NULL;

  return trailer;
}


#
# MAIN
#

# Exit if run on agent.
if(agent()) exit(0,'This plugin is disabled on Nessus Agents.');

# Exit if samba is detected.
if (get_kb_item('SMB/samba') ) exit(0, 'SMB server is Samba.');

# If OS is detected, exit if the OS is not Windows.
os = get_kb_item('Host/OS');
if (os && os !~ '[Ww]indows')
  audit(AUDIT_OS_NOT, 'Windows');

# Exit if SMB v3.1.1 is not supported
if(! get_kb_item('SMB/smb_dialect/3.1.1'))
  exit(0, 'SMB dialect 3.1.1 is not supported on the remote host.');

# Exit if compression is not supported or enabled.
if(! get_kb_item('SMB/smb_dialect/3.1.1/compression'))
  exit(0, 'SMB compression is not supported or enabled on the remote host.'); 

# Exit if LZNT1 compression is not supported or enabled.
if(! get_kb_item('SMB/smb_dialect/3.1.1/compression/LZNT1'))
  exit(0, 'SMB compression algorithm LZNT1 is not supported or enabled on the remote host.');

port = kb_smb_transport();

# SMB transport port isn't open
if (!get_port_state(port))
  audit(AUDIT_PORT_CLOSED, port);

if (!smb_session_init(timeout:10)) audit(AUDIT_FN_FAIL, 'smb_session_init');
soc = session_get_socket();

ret = NetUseAdd(share:'IPC$');
if(ret != 1)
  exit(0, 'Failed to connect to IPC$ anonymously using SMB v3.1.1.');

LZNT1 = 1;
# 0x800135 'A's compressed with LZNT1
orig_size = 0x800135;

compressed = NULL;
# 0x800000 'A's
for (i = 0; i < 0x800; i++)
  compressed += '\x03\xb0\x02\x41\xfc\x0f'; # 0x1000 'A's

# 0x135 'A's
compressed += '\x03\xb0\x02\x41\x31\x01';

# Use TREE_CONNECT as the first message in a compound request to
# avoid crash in srv2.sys versions prior to 10.0.18362.329.
path = 'IPC$';
cpath = cstring (string:"\\", _null:1) + cstring (string:session_get_hostname(), _null:1) + cstring (string:"\", _null:1) + cstring (string:path, _null:1);

data = raw_word(w:9)             + # StructureSize
       raw_word(w:0)             + # Reserved
       raw_word(w:0x48)          + # PathOffset
       raw_word(w:strlen(cpath)) + # PathLength
       cpath;                      # Buffer

# Messages in a compound request are 8-byte aligned. 
if(strlen(data) % 8)
  data += crap(data:'\x00', length: 8 - strlen(data)%8);

msg1  = smb2_header(command:3, status:STATUS_SUCCESS);
msg1 += null_signature;
# NextCommand (offset 20 of the SMB2 header): length of this message,
# i.e. the 64-byte header plus the padded TREE_CONNECT body.
msg1[20] = raw_string(0x40 + strlen(data));
msg1 += data;

# The second message in the compound request is compressed such that
#
#   (COMPRESSION_TRANSFORM_HEADER.offset +
#   COMPRESSION_TRANSFORM_HEADER.OriginalCompressedSegmentSize) > 0x800134
#
# Use QUERY_DIRECTORY so that the message is not subject to the 0x11000-byte
# max msg_size limit.
command = 0xE;
header = smb2_header(command:command, status:STATUS_SUCCESS);
header += null_signature;

uncompressed = msg1 + header;
cth = raw_dword(d:0x424D53FC)
  + raw_dword(d:orig_size)        # OriginalCompressedSegmentSize
  + raw_word(w:LZNT1)             # CompressionAlgorithm
  + raw_word(w:0)                 # flags
  + raw_dword(d:strlen(uncompressed)); # offset

packet = cth + uncompressed + compressed;

length = strlen(packet);
netbios = netbios_header (type:0, length:length) + packet;
send (socket:soc, data:netbios);
res = my_smb2_recv();
NetUseDel();

# The vulnerable server does not check
# offset + OriginalCompressedSegmentSize <= 0x800134, the compound request
# is processed and a compressed response is returned.
if((strlen(res) > 16 && get_dword(blob:res, pos:0) == 0x424D53FC)
  # Should not happen; but in case TREE_CONNECT in the compound request
  # fails, crash on vulnerable srv2.sys version < 10.0.18362.329
  || !smb_session_init(timeout:10))
{
  extra = 'Nessus was able to detect the vulnerability by sending a specially crafted message to the remote SMB server.';
  security_report_v4(
    port      : port,
    severity  : SECURITY_HOLE,
    extra     : extra
  );
}
# The patched server checks
# offset + OriginalCompressedSegmentSize <= 0x800134, and the check fails.
# The server closes the connection without returning a response.
else
  audit(AUDIT_HOST_NOT, 'affected');
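The bound the plugin's comments describe, applied from the defender's side as an added example (not Tenable's code): a small Python inspector that strips the NetBIOS framing, recognises the SMB2 ProtocolId variants, and rejects a COMPRESSION_TRANSFORM_HEADER whose Offset + OriginalCompressedSegmentSize wraps 32 bits or exceeds 0x800134. Function and constant names are assumptions; the frames in the main block are constructed, one of them with the same OriginalCompressedSegmentSize (0x800135) the plugin sends.

```python
import struct

# Assumed helper names (added example, not part of the Nessus plugin). Field layout follows
# the SMB2 COMPRESSION_TRANSFORM_HEADER: ProtocolId (u32), OriginalCompressedSegmentSize (u32),
# CompressionAlgorithm (u16), Flags (u16), Offset (u32), all little-endian.
COMPRESSION_TRANSFORM_HEADER = struct.Struct("<IIHHI")
PROTOCOL_ID_COMPRESSED = 0x424D53FC  # b"\xfcSMB" read as a little-endian dword, as in the plugin
PROTOCOL_ID_PLAIN = 0x424D53FE       # b"\xfeSMB"
PROTOCOL_ID_ENCRYPTED = 0x424D53FD   # b"\xfdSMB"
LZNT1 = 1
# Bound the patched srv2.sys enforces, per the plugin's comments:
# Offset + OriginalCompressedSegmentSize <= 0x800134.
MAX_OFFSET_PLUS_ORIGINAL = 0x800134


def netbios_payload(frame: bytes) -> bytes:
    """Strip the 4-byte NetBIOS session header (type byte + 24-bit big-endian length)."""
    if len(frame) < 4:
        raise ValueError("short NetBIOS session header")
    length = int.from_bytes(frame[1:4], "big")  # 65536*b1 + 256*b2 + b3
    if len(frame) - 4 < length:
        raise ValueError("truncated SMB message")
    return frame[4:4 + length]


def check_compression_header(payload: bytes) -> dict:
    """Parse the transform header and return it with a verdict: 'accept' if it passes the
    bound check, 'reject' if it would have reached the unpatched code path."""
    if len(payload) < COMPRESSION_TRANSFORM_HEADER.size:
        return {"verdict": "reject", "reason": "header shorter than 16 bytes"}
    _, original, algorithm, flags, offset = COMPRESSION_TRANSFORM_HEADER.unpack_from(payload, 0)
    hdr = {"original_size": original, "algorithm": algorithm, "flags": flags, "offset": offset}
    # The unpatched driver summed the two fields in 32-bit arithmetic; a wrapped sum means the
    # buffer it allocated was far smaller than the data later decompressed into it.
    if (offset + original) & 0xFFFFFFFF < offset:
        hdr.update(verdict="reject", reason="offset + original_size wraps 32 bits")
    elif offset + original > MAX_OFFSET_PLUS_ORIGINAL:
        hdr.update(verdict="reject", reason="offset + original_size exceeds 0x800134")
    elif offset > len(payload) - COMPRESSION_TRANSFORM_HEADER.size:
        hdr.update(verdict="reject", reason="offset points past the end of the message")
    else:
        hdr.update(verdict="accept", reason="within bounds")
    return hdr


def classify_frame(frame: bytes) -> dict:
    """Classify one SMB2-over-TCP frame by its ProtocolId and check compressed ones."""
    payload = netbios_payload(frame)
    if len(payload) < 4:
        return {"kind": "unknown", "verdict": "reject", "reason": "no ProtocolId"}
    proto = struct.unpack_from("<I", payload, 0)[0]
    if proto == PROTOCOL_ID_PLAIN:
        return {"kind": "plain", "verdict": "accept", "reason": "not compressed"}
    if proto == PROTOCOL_ID_ENCRYPTED:
        return {"kind": "encrypted", "verdict": "accept", "reason": "not compressed"}
    if proto != PROTOCOL_ID_COMPRESSED:
        return {"kind": "unknown", "verdict": "reject", "reason": "unrecognised ProtocolId"}
    result = {"kind": "compressed"}
    result.update(check_compression_header(payload))
    return result


def make_frame(original_size: int, offset: int, uncompressed: bytes = b"",
               compressed: bytes = b"") -> bytes:
    """Constructed test input: a NetBIOS-framed compression transform message with the given
    header fields (same field order the plugin uses when it builds its probe)."""
    header = COMPRESSION_TRANSFORM_HEADER.pack(PROTOCOL_ID_COMPRESSED, original_size,
                                               LZNT1, 0, offset)
    body = header + uncompressed + compressed
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Constructed samples: a benign compressed message and one with the plugin's probe values.
    benign = make_frame(original_size=0x100, offset=0, compressed=b"\x00" * 32)
    probe = make_frame(original_size=0x800135, offset=0x88, uncompressed=b"\x00" * 0x88)
    for name, frame in (("benign", benign), ("probe", probe)):
        print(name, classify_frame(frame))
```
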

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/microsoft_smb_cve-2020-0796.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\microsoft_smb_cve-2020-0796.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/microsoft_smb_cve-2020-0796.nasl


How to Run


Here is how to run the Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote) plugin ID 135177.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl microsoft_smb_cve-2020-0796.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a microsoft_smb_cve-2020-0796.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - microsoft_smb_cve-2020-0796.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state microsoft_smb_cve-2020-0796.nasl -t <IP/HOST>


References


MSKB | Microsoft Knowledge Base:
  • 4551762
MSFT | Microsoft Security Bulletin:
  • MS20-4551762
See also: Similar and related Nessus plugins:
  • 134420 - Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Deprecated)
  • 134421 - Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)
  • 134428 - KB4551762: Windows 10 Version 1903 and Windows 10 Version 1909 OOB Security Update (ADV200005)(CVE-2020-0796)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file microsoft_smb_cve-2020-0796.nasl version 1.5. For more plugins, visit the Nessus Plugin Library.
