
Win-SMBGhost-RCE: Vulnerability Detection and Defense

Author: 洛米唯熊
Published: 2020-03-16 17:49:18
Column: 洛米唯熊

0x00: Introduction

(CVE-2020-0796, SMBGhost) The vulnerability is caused by an error in the way the SMBv3 protocol handles malicious compressed packets. It allows a remote, unauthenticated attacker to execute arbitrary code on the target system.

The flaw lies in srv2.sys: SMB does not handle compressed packets correctly. When decompressing a packet it uses the length supplied by the client without checking that the length is valid, which ultimately leads to an integer overflow.
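The unchecked length arithmetic described above, as an added example that is not part of the original post or of the 360Vulcan analysis: a small parser for the 16-byte SMB2 compression transform header (field names follow MS-SMB2) that computes the decompression buffer size once the unchecked way, as a 32-bit addition that wraps, and once with the check a hardened parser or inspection rule should apply. The two headers at the bottom are constructed values, not captured traffic.

```python
import struct

# Added example, not from the original post: parse the SMB2 compression
# transform header (ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm,
# Flags, Offset) and compare an unchecked 32-bit size computation with a checked one.
COMPRESSION_MAGIC = b"\xfcSMB"
HEADER_LEN = 16
U32_MAX = 0xFFFFFFFF
ALGORITHMS = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}


def parse_transform_header(buf):
    """Return (original_size, algorithm, flags, offset) or raise on a malformed header."""
    if len(buf) < HEADER_LEN or buf[:4] != COMPRESSION_MAGIC:
        raise ValueError("not an SMB2 compression transform header")
    original_size, algorithm, flags, offset = struct.unpack_from("<IHHI", buf, 4)
    if algorithm not in ALGORITHMS:
        raise ValueError("unknown compression algorithm 0x%04x" % algorithm)
    return original_size, algorithm, flags, offset


def unchecked_buffer_size(original_size, offset):
    """Models the unchecked addition the text describes: a 32-bit sum that wraps silently."""
    return (original_size + offset) & U32_MAX


def checked_buffer_size(original_size, offset, payload_len):
    """Hardened form: reject a wrapped sum and an Offset beyond the bytes actually received."""
    total = original_size + offset
    if total > U32_MAX:
        raise ValueError("OriginalCompressedSegmentSize + Offset overflows 32 bits")
    if offset > payload_len:
        raise ValueError("Offset points past the received payload")
    return total


def validate_packet(packet):
    """Validation a parser or inspection rule can apply to a compressed SMB2 message."""
    original_size, _algorithm, _flags, offset = parse_transform_header(packet)
    return checked_buffer_size(original_size, offset, len(packet) - HEADER_LEN)


def packet_is_acceptable(packet):
    """True when the header passes validation, False when the checked path rejects it."""
    try:
        validate_packet(packet)
        return True
    except ValueError:
        return False


# Constructed headers (64 bytes of dummy payload each): a sane one and one whose
# size fields wrap the 32-bit sum to a value far smaller than the data that follows.
SANE = COMPRESSION_MAGIC + struct.pack("<IHHI", 4096, 0x0001, 0, 0) + b"\x00" * 64
WRAPPED = COMPRESSION_MAGIC + struct.pack("<IHHI", 0xFFFFFFF0, 0x0001, 0, 0x20) + b"\x00" * 64

if __name__ == "__main__":
    print("sane header, unchecked size   :", unchecked_buffer_size(4096, 0))
    print("sane header, checked size     :", validate_packet(SANE))
    print("wrapped header, unchecked size:", unchecked_buffer_size(0xFFFFFFF0, 0x20))
    print("wrapped header accepted?      :", packet_is_acceptable(WRAPPED))
```

The wrapped header makes the unchecked computation return 16 bytes while the message carries more than that, which is the shape of bug the patch closes by checking the addition; the checked path simply refuses such a header.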

Root-cause analysis by the 360Vulcan Team:

http://blogs.360.cn/post/CVE-2020-0796.html

0x01: Detection

Python script

import socket
import struct
import sys
from netaddr import IPNetwork

# SMB2 NEGOTIATE request offering dialects up to 3.1.1 together with a
# compression capabilities negotiate context (unchanged from the original scanner).
pkt = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'


def recv_exact(sock, n):
    # recv() may return fewer bytes than asked for; keep reading until the message is complete
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


subnet = sys.argv[1]

for ip in IPNetwork(subnet):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)
    try:
        sock.connect((str(ip), 445))
        sock.sendall(pkt)
        nb, = struct.unpack(">I", recv_exact(sock, 4))  # NetBIOS session header: 4-byte length
        res = recv_exact(sock, nb)                      # the SMB2 message itself
    except OSError:
        continue
    finally:
        sock.close()

    # Offset 68 of the SMB2 message is DialectRevision (0x0311 = SMB 3.1.1) and
    # offset 70 is NegotiateContextCount (2 = the server also answered the compression context).
    if res[68:70] != b"\x11\x03" or res[70:72] != b"\x02\x00":
        print(f"{ip} Not vulnerable.")
    else:
        print(f"{ip} Vulnerable")

Reference:

https://github.com/ollypwn/SMBGhost/blob/master/scanner.py

Nmap detection script (NSE script)

local smb = require "smb"
local nmap = require "nmap"
local vulns = require "vulns"

description = [[
  Microsoft SMBv3 contains a vulnerability in the handling of compression, which may allow a remote,
  unauthenticated attacker to execute arbitrary code on a vulnerable system.
  Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability in the way that it handles connections that use compression.
  This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
  It has been reported that this vulnerability is "wormable."
  By connecting to a vulnerable Windows machine using SMBv3, or by causing a vulnerable Windows system to initiate a client connection to a SMBv3 server,
  a remote, unauthenticated attacker may execute arbitrary code with SYSTEM privileges on a vulnerable system.
]]

author = "Hossam Mohamed"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

action = function(host,port)
  local status, supported_dialects, overrides
  overrides = {}
  -- Ask the server which SMB dialects it accepts
  status, supported_dialects = smb.list_dialects(host, overrides)
  local vuln = {
      title = "Microsoft SMBv3 compression remote code execution vulnerability",
      IDS = {CVE = 'CVE-2020-0796'},
      risk_factor = "HIGH",
      description = [[
        Microsoft SMBv3 contains a vulnerability in the handling of compression, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
      ]],
      references = {
      'https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005'
      },
      dates = {
      disclosure = {year = '2020', month = '03', day = '11'},
      }
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  vuln.state = vulns.STATE.NOT_VULN
  if status then
    for i, v in pairs(supported_dialects) do
      -- SMB 3.1.1 is the only dialect with compression support, so it is the only one flagged.
      -- Note that this alone does not tell whether the host is patched.
      if v == "3.11" then
        vuln.state = vulns.STATE.VULN
      end
    end
  end
  return report:make_output(vuln)

end

Reference:

https://github.com/cyberstruggle/DeltaGroup/blob/master/CVE-2020-0796/CVE-2020-0796.nse
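Both scripts above decide from the server's NEGOTIATE response: the NSE script flags any host that lists dialect 3.1.1, and the Python scanner additionally requires two negotiate contexts at fixed offsets. The added example below is not part of the original post, the ollypwn scanner or the NSE script: it builds a constructed SMB2 NEGOTIATE response (field layout per MS-SMB2) and parses it field by field, so the meaning of `res[68:70]` (DialectRevision) and `res[70:72]` (NegotiateContextCount) and the compression capabilities context become explicit. All replies are constructed inline; no host is contacted. Neither check establishes whether KB4551762 is installed, because a patched server with compression still enabled answers in the same way; the PowerShell script in the next section checks the update and the registry setting on the host itself.

```python
import struct

# Added example, not from the original post or the scanners it quotes: construct
# an SMB2 NEGOTIATE response and parse it explicitly (MS-SMB2 2.2.4, 2.2.3.1).
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMPRESSION_NAMES = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}


def build_negotiate_response(dialect, contexts):
    """Constructed server reply: 64-byte SMB2 header, 64-byte NEGOTIATE body,
    then negotiate contexts starting at offset 128, each padded to 8 bytes."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, 1, 0, 0, 0, 0, 0) + b"\x00" * 16
    ctx_offset = 128 if contexts else 0
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, len(contexts), b"\x42" * 16,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, ctx_offset)
    blob = b""
    for ctype, data in contexts:
        entry = struct.pack("<HHI", ctype, len(data), 0) + data
        blob += entry + b"\x00" * (-len(entry) % 8)
    return header + body + blob


def parse_negotiate_contexts(msg, count, offset):
    """Walk the context list: ContextType(2) DataLength(2) Reserved(4) Data, 8-byte aligned."""
    contexts, pos = [], offset
    for _ in range(count):
        if pos + 8 > len(msg):
            raise ValueError("truncated negotiate context")
        ctype, dlen = struct.unpack_from("<HH", msg, pos)
        data = msg[pos + 8:pos + 8 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated negotiate context data")
        contexts.append((ctype, data))
        pos = (pos + 8 + dlen + 7) & ~7
    return contexts


def assess_negotiate_response(msg):
    """Return the negotiated dialect, context count and any advertised compression algorithms."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    struct_size, _security_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    ctx_offset = struct.unpack_from("<I", msg, 124)[0]
    algorithms = []
    if dialect == DIALECT_311 and ctx_count:       # contexts exist only for 3.1.1
        for ctype, data in parse_negotiate_contexts(msg, ctx_count, ctx_offset):
            if ctype == CTX_COMPRESSION:           # CompressionAlgorithmCount(2) Padding(2) Flags(4) Algorithms
                n = struct.unpack_from("<H", data, 0)[0]
                algorithms = list(struct.unpack_from("<%dH" % n, data, 8))
    return {
        "dialect": dialect,
        "context_count": ctx_count,
        "compression_advertised": bool(algorithms),
        "algorithms": [COMPRESSION_NAMES.get(a, "0x%04x" % a) for a in algorithms],
    }


# Constructed replies: 3.1.1 with compression, 3.1.1 without it, and a 3.0.2 server
PREAUTH_DATA = struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32   # SHA-512, 32-byte salt
COMPRESSION_DATA = struct.pack("<HHIH", 1, 0, 0, 0x0001)           # one algorithm: LZNT1
REPLY_COMPRESSION = build_negotiate_response(
    DIALECT_311, [(CTX_PREAUTH_INTEGRITY, PREAUTH_DATA), (CTX_COMPRESSION, COMPRESSION_DATA)])
REPLY_NO_COMPRESSION = build_negotiate_response(DIALECT_311, [(CTX_PREAUTH_INTEGRITY, PREAUTH_DATA)])
REPLY_SMB302 = build_negotiate_response(0x0302, [])

if __name__ == "__main__":
    for name, reply in [("3.1.1 + compression", REPLY_COMPRESSION),
                        ("3.1.1, no compression", REPLY_NO_COMPRESSION),
                        ("3.0.2", REPLY_SMB302)]:
        print(name, "->", assess_negotiate_response(reply))
```

Only the first constructed reply satisfies the scanner's byte comparison (dialect 0x0311 at offset 68 and a context count of 2 at offset 70); the explicit parse shows that what this really asserts is "SMB 3.1.1 with a compression context", which is the condition to follow up on the host, not proof that it is unpatched.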

PowerShell detection script

<#
.SYNOPSIS
    Checks your SMBv3 Compression setting as mitigation for CVE-2020-0796, also known as SMBGhost.
.DESCRIPTION
    This PowerShell script determines whether SMBv3 compression is enabled or not. As mitigation for CVE-2020-0796, SMBv3 compression should be disabled. This script can disable SMBv3 compression for you automatically.
    The script also checks whether CVE-2020-0796 is applicable to your Windows version and whether the Windows update KB4551762 is installed.
.EXAMPLE
    PS C:\> .\CVE-2020-0796-Smbv3-checker.ps1
.NOTES
    Created by: T13nn3s
    Date: 11-03-2020
    Check my blog: https://binsec.nl
    Last update: 12-03-2020
#>

# Re-launch elevated: writing the LanmanServer parameters requires administrator rights
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}

function CheckWindowsVersion {
    Write-Host "[*] Checking Windows Version..."
    # Only versions 1903 and 1909 ship the affected SMBv3 compression code
    $WindowsVersion = Get-ComputerInfo | Select-Object -ExpandProperty WindowsVersion
    Write-Host "Windows version $WindowsVersion found."
    if ($WindowsVersion -eq 1903) {
        Write-Host "CVE-2020-0796 is applicable to your Windows version."
    }
    Elseif ($WindowsVersion -eq 1909) {
        Write-Host "CVE-2020-0796 is applicable to your Windows version."
    }
    Else {
        Write-Host "CVE-2020-0796 is not applicable to your Windows version." -ForegroundColor Green
        pause
        return
    }
}

function CheckIfUpdateIsInstalled {
    Write-Host "[*] Check if KB4551762 is installed..."

    $fix = Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue

    if ($fix) {
        Write-Host "[+] *** Windows Update $($fix.HotFixID) is installed on $($fix.InstalledOn). You're not vulnerable ***"
        return
    } Else {
        Write-Host "[-] Windows Update KB4551762 is not installed."
    }
}

function Get-Menu {
    param (
        [string]$title = "Mitigation for CVE-2020-0796 (CoronaBlue)"
    )
    Write-Host "================ $title ================"

    Write-Host "1: Press '1' to check your current SMBv3 Compression setting"
    Write-Host "2: Press '2' to disable SMBv3 Compression <= This is the mitigation for CVE-2020-0796"
    Write-Host "3: Press '3' to enable SMBv3 Compression"
    Write-Host "Q: Press 'Q' to quit."

} # End function Get-Menu

function CheckRegSmbv3Compression {
    param (
        [string]$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    )

    # DisableCompression is absent by default, which means compression is enabled
    $check = Get-ItemProperty -Path $reg -Name "DisableCompression" -ErrorAction SilentlyContinue

    if ($null -eq $check) {
        Write-Host "SMBv3 Compression is not configured. SMBv3 Compression is enabled by default."
        Write-Host "You're vulnerable" -ForegroundColor Yellow
    }
    Elseif ($check.DisableCompression -eq 0) {
        Write-Host "SMBv3 Compression is set to enabled."
    }
    Elseif ($check.DisableCompression -eq 1) {
        Write-Host "SMBv3 Compression is disabled."
    }
} # End function CheckRegSmbv3Compression

function SetRegSmbv3Compression {
    param (
        [string]$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
        [int]$value
    )
    try {
        Set-ItemProperty -Path $reg DisableCompression -Type DWORD -Value $value -Force
    }
    Catch {
        $err = $_.Exception.Message
        Write-Error $err
    }
    CheckRegSmbv3Compression
} # End function SetRegSmbv3Compression

CheckWindowsVersion
CheckIfUpdateIsInstalled

Do {
    Get-Menu
    # $input is an automatic variable in PowerShell; use a dedicated name for the menu choice
    $choice = Read-Host "Please make a selection"
    switch ($choice) {
        '1' {
            Write-Host 'You chose option #1'
            CheckRegSmbv3Compression
        } '2' {
            Write-Host 'You chose option #2'
            SetRegSmbv3Compression -value 1
        } '3' {
            Write-Host 'You chose option #3'
            SetRegSmbv3Compression -value 0
        } 'Q' {
            return
        }
    }
    pause
}
until ($choice -eq 'q')

Reference:

https://github.com/T13nn3s/CVE-2020-0976/blob/master/CVE-2020-0796-Smbv3-checker.ps1

A detection example:

0x02: Prevention

1. Microsoft released the patch on 2020.3.13:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

With a worm a real possibility, install the patch as soon as possible.

2. You can disable compression on the SMBv3 server with the following PowerShell command (no restart required):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

In addition, blocking SMB traffic (TCP port 445) from leaving the network for the internet also helps defend against attacks.

This article was shared from the WeChat public account 洛米唯熊; originally published 2020-03-13.
