Microsoft Patch Tuesday March 2020: a new record was set, SMBv3 “Wormable” RCE and updates for February goldies

SMBv3 “Wormable” RCE

Without a doubt, the hottest Microsoft vulnerability in March 2020 is the “Wormable” Remote Code Execution in SMB v3 CVE-2020-0796. The most commonly used names for this vulnerability are EternalDarkness, SMBGhost and CoronaBlue.


There was a strange story of how it was disclosed. It seems that Microsoft accidentally mentioned it in their blog. Then they somehow found out that the patch for this vulnerability would not be released in the March Patch Tuesday. So, they removed the reference to this vulnerability from the blog post as quickly as they could.

But some security experts had already seen it. And, of course, after EternalBlue and the massive cryptolocker attacks in 2017, each RCE in SMB means “OMG, this is happening again, we need to do something really fast!” So, Microsoft just had to publish an advisory for this vulnerability with the workaround, ADV200005, and to release an urgent patch, KB4551762.

So what is it about?

  • If we have a vulnerable server, the attacker can send a specially crafted packet to the server and execute arbitrary code. This is the most interesting scenario.
  • If we have a vulnerable client, the attacker can configure a malicious SMBv3 Server and convince the user to connect to this server. So, the attacker will be able to execute arbitrary code on this client host.

What’s the difference between EternalBlue MS17-010 and this case?

This vulnerability can be exploited because of SMBv3 compression, which only works in the latest versions of Windows 10 and Windows Server (1903 and 1909). This means a smaller number of potential targets.

In the case of EternalBlue and MS17-010, there was a real cyber weapon that was made and tested by the NSA. For this new vulnerability we currently have only a DoS exploit, and there is a video of such exploitation on Kryptos Logic's Twitter. Will a fully functional RCE exploit appear in the near future? Who knows… But it definitely won’t hurt to fix this vulnerability as soon as possible.

How to fix this?

Install the patch, or switch off SMBv3 compression as described in the advisory (although this is no longer the recommended way).

How to detect this?

There is an open source scanner that detects SMB dialect 3.1.1 and the compression capability. Commercial solutions already have detection plugins, for example Nessus plugins for remote and patch-based detection.
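The remote check that the open source scanner performs is a plain SMB2 NEGOTIATE exchange: offer only dialect 3.1.1 together with a compression negotiate context and see whether the server answers with 3.1.1 and a compression context of its own. The following is an added example (not the blog's code and not the scanner's) that builds such a request, parses a NEGOTIATE response and classifies it, using the MS-SMB2 message layouts; the sample responses it parses offline are constructed inline, not captured traffic. The `probe()` helper sends the request over TCP/445 so the same logic can be run against your own hosts. Note that this reports the exposed configuration (compression advertised), not patch state: a server with the advisory's `DisableCompression` workaround should answer without a compression context, but a patched server keeps advertising it, which is why patch-based detection is still needed.

```python
"""SMB2 NEGOTIATE helper: detect dialect 3.1.1 with compression advertised (added example)."""
import socket
import struct
import uuid

SMB2_DIALECT_311 = 0x0311
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001
SMB2_COMPRESSION_CAPABILITIES = 0x0003
SMB2_COMPRESSION_LZNT1 = 0x0001
SMB2_HDR = "<HHIHHIIQIIQ16s"  # SMB2 header fields after the 4-byte ProtocolId


def _pad8(buf):
    return buf + b"\x00" * (-len(buf) % 8)


def _context(ctype, data):
    """Negotiate context: ContextType, DataLength, Reserved, Data (MS-SMB2 2.2.3.1)."""
    return struct.pack("<HHI", ctype, len(data), 0) + data


def _header(flags=0, credits=0):
    return b"\xfeSMB" + struct.pack(SMB2_HDR, 64, 0, 0, 0, credits, flags,
                                    0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request():
    """NEGOTIATE offering only 3.1.1, with the mandatory pre-auth integrity context
    (SHA-512, 32-byte salt) and a compression context listing LZNT1."""
    preauth = _context(SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
                       struct.pack("<HHH", 1, 32, 0x0001) + b"\x00" * 32)
    compression = _context(SMB2_COMPRESSION_CAPABILITIES,
                           struct.pack("<HHIH", 1, 0, 0, SMB2_COMPRESSION_LZNT1))
    dialects = struct.pack("<H", SMB2_DIALECT_311)
    ctx_offset = 64 + 36 + len(dialects)          # measured from the SMB2 header start
    ctx_offset_aligned = (ctx_offset + 7) & ~7     # context list is 8-byte aligned
    body = struct.pack("<HHHHI16sIHH", 36, 1, 0x0001, 0, 0,
                       uuid.uuid4().bytes, ctx_offset_aligned, 2, 0)
    body += dialects + b"\x00" * (ctx_offset_aligned - ctx_offset)
    body += _pad8(preauth) + compression
    return _header() + body


def parse_negotiate_response(msg):
    """Return (dialect, compression_algorithms) from an SMB2 NEGOTIATE response
    (SMB2 header + body, without the 4-byte NetBIOS length prefix)."""
    if len(msg) < 128 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, = struct.unpack_from("<I", msg, 8)
    command, = struct.unpack_from("<H", msg, 12)
    if command != 0 or status != 0:
        raise ValueError("not a successful NEGOTIATE response")
    dialect, ctx_count = struct.unpack_from("<HH", msg, 68)  # DialectRevision, NegotiateContextCount
    ctx_offset, = struct.unpack_from("<I", msg, 124)         # NegotiateContextOffset
    algorithms, pos = [], ctx_offset
    for _ in range(ctx_count if dialect == SMB2_DIALECT_311 else 0):
        ctype, dlen, _reserved = struct.unpack_from("<HHI", msg, pos)
        data = msg[pos + 8:pos + 8 + dlen]
        if ctype == SMB2_COMPRESSION_CAPABILITIES:
            count, = struct.unpack_from("<H", data, 0)       # CompressionAlgorithmCount
            algorithms = list(struct.unpack_from("<%dH" % count, data, 8))
        pos = (pos + 8 + dlen + 7) & ~7
    return dialect, algorithms


def compression_exposed(dialect, algorithms):
    """True when the server negotiated 3.1.1 and advertises a real (non-NONE) algorithm."""
    return dialect == SMB2_DIALECT_311 and any(a != 0 for a in algorithms)


def build_sample_response(algorithms):
    """Constructed NEGOTIATE response for offline use (not captured traffic).
    algorithms=None omits the compression context, as a server with the workaround would."""
    contexts = _context(SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
                        struct.pack("<HHH", 1, 32, 0x0001) + b"\x00" * 32)
    count = 1
    if algorithms is not None:
        contexts = _pad8(contexts) + _context(
            SMB2_COMPRESSION_CAPABILITIES,
            struct.pack("<HHI", len(algorithms), 0, 0)
            + struct.pack("<%dH" % len(algorithms), *algorithms))
        count = 2
    blob = b"\x60"                                 # 1-byte stand-in for the GSS token
    ctx_offset = (128 + len(blob) + 7) & ~7
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, SMB2_DIALECT_311, count,
                       b"\x00" * 16, 0, 0x800000, 0x800000, 0x800000, 0, 0,
                       128, len(blob), ctx_offset)
    body += blob + b"\x00" * (ctx_offset - 128 - len(blob)) + contexts
    return _header(flags=0x00000001, credits=1) + body   # SMB2_FLAGS_SERVER_TO_REDIR


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf


def probe(host, port=445, timeout=3.0):
    """Send one NEGOTIATE (NetBIOS-framed) to a host you administer and classify the reply."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x00" + len(req).to_bytes(3, "big") + req)
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")
        return compression_exposed(*parse_negotiate_response(_recv_exact(s, length)))


if __name__ == "__main__":
    for algs in ([SMB2_COMPRESSION_LZNT1], None):
        d, a = parse_negotiate_response(build_sample_response(algs))
        print("dialect 0x%04x compression=%s exposed=%s" % (d, a, compression_exposed(d, a)))
```

Running the module parses the two constructed replies and prints one exposed and one not; `probe("<hostname>")` does the same against a live server. The dialect filter matters: a host that negotiates 3.0.2 or lower never carries negotiate contexts, so the parser skips the context loop entirely instead of reading garbage past the security buffer.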

Patch Tuesday for March 2020

Ok, now about the vulnerabilities in Patch Tuesday for March 2020. First of all, there are a lot of them! 115 CVEs! This is a new record, and it’s impossible to discuss each of them individually. So, I will only mention the main groups, starting with the different RCEs.

Remote Code Executions

In each Patch Tuesday there are RCEs in Internet Explorer and Microsoft Edge, and usually the problem is in the Chakra JavaScript engine. This time there are 13 RCE CVEs in ChakraCore. They can potentially be exploited if you visit a malicious site: CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0847, CVE-2020-0848

Another group of RCEs is related to media files. These are vulnerabilities in:

  • Windows Graphics Device Interface (GDI) (CVE-2020-0881, CVE-2020-0883)
  • Windows Media Foundation (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)

They can also be used in a web-based attack, where an attacker convinces a user to visit a malicious website.

There are also RCEs in Microsoft Word (CVE-2020-0850, CVE-2020-0851, CVE-2020-0852, CVE-2020-0855, CVE-2020-0892). One of them (CVE-2020-0852) can be exploited simply by previewing a malicious file in Microsoft Outlook.

But the most interesting issue is related to .LNK file processing (CVE-2020-0684). When a user opens a malicious share or removable drive, Windows Explorer parses the .LNK file and a malicious binary executes with the rights of the local user.

Elevation of Privilege

And finally, there are many privilege escalation vulnerabilities that use different mechanisms, but all of them could be used to start processes with higher permissions after the initial user login. These vulnerabilities are in:

  • Windows Working Folder Service (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866 and CVE-2020-0897)
  • Win32k (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)

February goldies

In the February Patch Tuesday post, I mentioned the two most interesting vulnerabilities. Let’s see if anything has changed with them in a month.

Microsoft Exchange server seizure, CVE-2020-0688. By sending a malicious email message the attacker can run commands on a vulnerable Exchange server as the system user (and monitor email communications): “the attacker could completely take control of an Exchange server through a single e-mail”. This vulnerability now has several exploits, including one in Metasploit, “Exchange Control Panel ViewState Deserialization”. And there is news that this Microsoft Exchange Server flaw was exploited in APT attacks. You can see all these updates at Vulners.com.

The second one was the mysterious Windows RCE CVE-2020-0662. “To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.” Without needing to directly log in to the affected device! For this vulnerability, nothing has changed in a month.
