CVE-2020-1206 | Windows SMBv3 Information Disclosure Vulnerability Advisory

Published 2020-06-12

0x00 Vulnerability Overview


CVE ID                CVE-2020-1206

Date                  2020-06-12

Type                  II

Severity              High

Remotely exploitable  Yes

Affected scope


0x01 Vulnerability Details





On Tuesday Microsoft released its June security updates, fixing 129 vulnerabilities. Among them is a Windows SMBv3 client/server information disclosure vulnerability (CVE-2020-1206), which the researchers who found it named SMBleed. The bug lives in SMB's decompression function, the same function that contained the SMBGhost / EternalDarkness vulnerability (CVE-2020-0796). An attacker can exploit it without authentication to remotely leak kernel memory contents, and when it is chained with the earlier CVE-2020-0796 it can be turned into remote code execution.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to set up a malicious SMBv3 server and convince a user to connect to it. The root cause is that SMB's decompression function Srv2DecompressData mishandles message requests sent to a target SMBv3 server, which lets an attacker read uninitialized kernel memory and modify the compression function.





Proof-of-concept code for the vulnerability is available at the following links:

SMBleed PoC: https://github.com/ZecOps/CVE-2020-1206-POC

PoC chaining SMBleed with SMBGhost: https://github.com/ZecOps/CVE-2020-0796-RCE-POC


0x02 Affected Scope


The following system versions are affected by CVE-2020-1206:

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 2004 (Server Core installation)


0x03 Remediation Recommendations


Microsoft has released a patch; download link:

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

Disable SMBv3 compression

You can use the following PowerShell command to disable the compression feature, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

1. No restart is required after making the change.

2. This workaround does not prevent exploitation of SMB clients; to protect clients, see the following link:

https://support.microsoft.com/zh-cn/help/3185535/preventing-smb-traffic-from-lateral-connections

3. Windows and Windows Server do not yet use SMB compression, so disabling SMB compression has no negative performance impact.

You can use the following PowerShell command to undo this workaround.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

×¢ÖØ£º½ûÓô˽â¾öÒªÁìºó£¬£¬£¬ÎÞÐèÖØÆô¡£¡£¡£¡£ ¡£¡£¡£


0x04 Related News


https://securityaffairs.co/wordpress/104584/hacking/microsoft-vulnerability-smbleed.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-vulnerability-smbleed


0x05 References


https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/


0x06 Timeline


2020-06-09 Microsoft released the patch for the vulnerability

2020-06-12 VSRC published this vulnerability advisory

