Last month Microsoft released a Windows patch for a security vulnerability (CVE-2020-0796) in the Microsoft Server Message Block (SMB) protocol. The bug, dubbed SMBGhost or EternalDarkness, could allow an attacker to remotely execute malicious code on vulnerable computers.
The issue is a pre-authentication remote code execution flaw in the Server Message Block 3.0 (SMBv3) network communication protocol. It affects devices running Windows 10, versions 1903 and 1909, and Windows Server (Server Core installation), versions 1903 and 1909. Earlier versions of Windows are not affected by this vulnerability.
According to cybersecurity firm Kryptos Logic, there are around 48,000 internet-connected servers vulnerable to attacks exploiting the CVE-2020-0796 flaw.
Multiple researchers have already published tools that scan for vulnerable servers, as well as proof-of-concept (PoC) exploits that result in a denial-of-service (DoS) condition. Now security experts from the cybersecurity firm ZecOps have published PoC code demonstrating that the vulnerability can be exploited to escalate privileges to SYSTEM.
“The bug is an integer overflow bug that happens in the Srv2DecompressData function in the srv2.sys SMB server driver. We managed to demonstrate that the CVE-2020-0796 vulnerability can be exploited for local privilege escalation. Note that our exploit is limited to medium integrity level, since it relies on API calls that are unavailable in a lower integrity level,” the researchers wrote.
The experts also added that they have not yet found a way to trigger remote code execution. Technical details of the local privilege escalation are provided in the ZecOps write-up here.
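The bug class the ZecOps quote describes is an unchecked 32-bit size sum during decompression. As an added C example that is neither ZecOps' nor Microsoft's code, the block below parses a constructed SMB2 compression transform header (field layout per MS-SMB2) and contrasts a naive size sum that wraps with a checked one that rejects it. Modelling the allocation size as OriginalCompressedSegmentSize plus Offset is an assumption drawn from public analyses rather than from this article; the verdict names, the max_size limit and the sample packets are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42): 16 bytes, little-endian. */
typedef struct {
    uint32_t protocol_id;   /* bytes FC 'S' 'M' 'B' */
    uint32_t orig_size;     /* OriginalCompressedSegmentSize: size after decompression */
    uint16_t algorithm;     /* CompressionAlgorithm */
    uint16_t flags;
    uint32_t offset;        /* Offset: length of the uncompressed prefix */
} ctx_header;

enum verdict { ACCEPT = 0, ERR_SHORT, ERR_MAGIC, ERR_OVERFLOW, ERR_TOO_LARGE, ERR_PREFIX };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked pattern (assumed model of the bug): the uint32 sum silently wraps small. */
uint32_t naive_alloc_size(const ctx_header *h) { return h->orig_size + h->offset; }

/* Hardened: parse, then reject wraparound, oversize totals and out-of-packet prefixes. */
enum verdict checked_alloc_size(const uint8_t *pkt, size_t len, uint32_t max_size,
                                ctx_header *h, uint32_t *alloc) {
    if (len < 16) return ERR_SHORT;
    h->protocol_id = le32(pkt);
    h->orig_size   = le32(pkt + 4);
    h->algorithm   = (uint16_t)(pkt[8] | pkt[9] << 8);
    h->flags       = (uint16_t)(pkt[10] | pkt[11] << 8);
    h->offset      = le32(pkt + 12);
    if (h->protocol_id != 0x424D53FCu) return ERR_MAGIC;
    /* GCC/Clang builtin: true when the 32-bit addition overflows. */
    if (__builtin_add_overflow(h->orig_size, h->offset, alloc)) return ERR_OVERFLOW;
    if (*alloc > max_size) return ERR_TOO_LARGE;
    if (h->offset > len - 16) return ERR_PREFIX;   /* prefix must lie inside the packet */
    return ACCEPT;
}

/* Constructed sample headers, not captured traffic: one wraps, one is benign. */
const uint8_t SAMPLE_WRAP[16] = { 0xFC,'S','M','B', 0xFF,0xFF,0xFF,0xFF, 1,0, 0,0, 0x10,0,0,0 };
const uint8_t SAMPLE_OK[48]   = { 0xFC,'S','M','B', 0x00,0x10,0x00,0x00, 1,0, 0,0, 0x20,0,0,0 };

int main(void) {
    ctx_header h; uint32_t alloc = 0;
    enum verdict v = checked_alloc_size(SAMPLE_WRAP, sizeof SAMPLE_WRAP, 1u << 24, &h, &alloc);
    printf("wrapping header: naive size %u, verdict %d\n", naive_alloc_size(&h), (int)v);
    v = checked_alloc_size(SAMPLE_OK, sizeof SAMPLE_OK, 1u << 24, &h, &alloc);
    printf("benign header: verdict %d, alloc %u\n", (int)v, alloc);
    return 0;
}
```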