2 April 2020

Windows SMBGhost flaw allows privilege escalation

Last month Microsoft released a Windows patch for a security vulnerability (CVE-2020-0796) affecting the Microsoft Server Message Block (SMB) protocol. The bug, dubbed SMBGhost or EternalDarkness, could allow an attacker to remotely execute malicious code on vulnerable computers.

The issue is a pre-authentication remote code execution flaw in the Server Message Block 3.0 (SMBv3) network communication protocol. It affects devices running Windows 10, versions 1903 and 1909, and Windows Server (Server Core installation), versions 1903 and 1909. Earlier versions of Windows are not affected by this vulnerability.

According to cybersecurity firm Kryptos Logic, there are around 48,000 internet-connected servers vulnerable to attacks exploiting the CVE-2020-0796 flaw.

Multiple researchers have already published tools that can be used to scan for vulnerable servers, and have created proof-of-concept (PoC) exploits that can result in a denial-of-service (DoS) condition. Now security experts from the cybersecurity firm ZecOps have published PoC code demonstrating that this vulnerability can be exploited to escalate privileges to SYSTEM.

“The bug is an integer overflow bug that happens in the Srv2DecompressData function in the srv2.sys SMB server driver. We managed to demonstrate that the CVE-2020-0796 vulnerability can be exploited for local privilege escalation. Note that our exploit is limited to medium integrity level, since it relies on API calls that are unavailable in a lower integrity level,” the researchers wrote.

The experts also added that they have not yet been able to find a way to trigger remote code execution. Technical details of the local privilege escalation are provided in the ZecOps write-up.
