CVE-2020-1206 | Windows SMBv3 Information Disclosure Vulnerability Advisory

Published 2020-06-12

0x00 Vulnerability Overview


CVE ID:              CVE-2020-1206
Date:                2020-06-12
Type:                II
Severity:            High
Remotely exploitable: Yes
Affected scope:      (listed in 0x02 below)


0x01 Vulnerability Details





On Tuesday Microsoft released its June security updates, fixing 129 vulnerabilities. Among them is a Windows SMBv3 client/server information disclosure vulnerability (CVE-2020-1206), which the researchers who found it named SMBleed. The flaw lies in the SMB decompression function, the same function that contained the SMBGhost/EternalDarkness vulnerability (CVE-2020-0796). An attacker can exploit it without authentication to remotely leak kernel memory; chained with the earlier CVE-2020-0796, it can be used to achieve remote code execution.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to set up a malicious SMBv3 server and convince a user to connect to it. The root cause is a flaw in how the SMB decompression function Srv2DecompressData handles message requests sent to a targeted SMBv3 server, which lets an attacker read uninitialized kernel memory and tamper with the compression function.





¹ØÓÚ·ì϶ÀûÓõÄPoC £¬²Î¿¼Á´½ÓÈçÏÂ:

SMBleed POC£ºhttps://github.com/ZecOps/CVE-2020-1206-POC¡£

SMBleedÓëSMBGhost½áºÏµÄPOC: https://github.com/ZecOps/CVE-2020-0796-RCE-POC¡£


0x02 Affected Scope


The following system versions are affected by CVE-2020-1206:

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 2004 (Server Core installation)


0x03 Mitigation Recommendations


Microsoft has released a security update; download link:

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

Disable SMBv3 compression

You can use the following PowerShell command to disable compression, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

1. No reboot is required after making the change.

2. This workaround does not prevent exploitation of SMB clients; to protect clients, see the following link:

https://support.microsoft.com/zh-cn/help/3185535/preventing-smb-traffic-from-lateral-connections

3. Windows and Windows Server do not yet make use of SMB compression, so disabling it has no negative performance impact.

You can undo the workaround with the following PowerShell command.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Note: no reboot is required after undoing the workaround.


0x04 Related News


https://securityaffairs.co/wordpress/104584/hacking/microsoft-vulnerability-smbleed.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-vulnerability-smbleed


0x05 References


https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/


0x06 Timeline


2020-06-09 Microsoft releases the security update for the vulnerability

2020-06-12 VSRC publishes this vulnerability advisory

