CVE-2020-1206 | Windows SMBv3ÐÅÏ¢×ß©Îó²îͨ¸æ

Ðû²¼Ê±¼ä 2020-06-12

0x00 Îó²î¸ÅÊö


CVE   ID

CVE-2020-1206

ʱ    ¼ä

2020-06-12

Àà    ÐÍ

II

µÈ    ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


0x01 Îó²îÏêÇé


ÈËÉú¾ÍÊDz©-×ðÁú¿­Ê±Öйú¹ÙÍø



΢ÈíÓÚÖܶþÐû²¼ÁË6ÔÂÇå¾²¸üв¹¶¡£¬£¬£¬£¬ÐÞ¸´ÁË129¸öÎó²î¡£¡£ ¡£ÆäÖаüÀ¨Ò»¸öWindows SMBv3 ¿Í»§¶Ë/ЧÀÍÆ÷ÐÅÏ¢×ß©Îó²î£¨CVE-2020-1206£©,Ñо¿Ö°Ô±½«ÆäÃüÃûΪSMBleed¡£¡£ ¡£¸ÃÎó²îλÓÚSMBµÄ½âѹËõº¯ÊýÖУ¬£¬£¬£¬ÓëSMBGhost»òEternalDarknessÎó²î(CVE-2020-0796)λÓÚͳһº¯ÊýÖУ¬£¬£¬£¬¹¥»÷ÕßʹÓøÃÎó²îÎÞÐèÉí·ÝÑéÖ¤¼´¿ÉÔ¶³Ì×ß©ÄÚºËÄÚ´æÐÅÏ¢£¬£¬£¬£¬ÈôÊÇÓë֮ǰ±¬³öµÄCVE-2020-0796Îó²îÁ¬Ïµ£¬£¬£¬£¬¿ÉÒÔʵÏÖÔ¶³Ì´úÂëÖ´ÐС£¡£ ¡£

ҪʹÓÃÕë¶ÔЧÀÍÆ÷µÄÎó²î£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß¿ÉÒÔ½«ÌØÖÆÊý¾Ý°ü·¢Ë͵½Ä¿µÄ SMBv3 ЧÀÍÆ÷¡£¡£ ¡£ÒªÊ¹ÓÃÕë¶Ô¿Í»§¶ËµÄÎó²î£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß½«ÐèÒªÉèÖöñÒâµÄ SMBv3 ЧÀÍÆ÷£¬£¬£¬£¬²¢Ëµ·þÓû§ÅþÁ¬µ½¸ÃЧÀÍÆ÷¡£¡£ ¡£ÓÉÓÚSMBµÄ½âѹËõº¯ÊýSrv2DecompressData ÔÚ´¦Öóͷ£·¢Ë͸øÄ¿µÄSMBv3 ЧÀÍÆ÷ÐÂÎÅÇëÇóʱ±£´æÎÊÌ⣬£¬£¬£¬´Ó¶øʹ¹¥»÷Õß¿ÉÒÔ¶Áȡδ³õʼ»¯µÄÄÚºËÄÚ´æ²¢ÐÞ¸ÄѹËõ¹¦Ð§¡£¡£ ¡£


ÈËÉú¾ÍÊDz©-×ðÁú¿­Ê±Öйú¹ÙÍø



¹ØÓÚÎó²îʹÓõÄPoC£¬£¬£¬£¬²Î¿¼Á´½ÓÈçÏÂ:

SMBleed POC£ºhttps://github.com/ZecOps/CVE-2020-1206-POC¡£¡£ ¡£

SMBleedÓëSMBGhostÁ¬ÏµµÄPOC: https://github.com/ZecOps/CVE-2020-0796-RCE-POC¡£¡£ ¡£


0x02 Ó°Ïì¹æÄ£


ÒÔÏÂÊÇCVE-2020-1206Îó²îÊÜÓ°ÏìµÄϵͳ°æ±¾£º

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 2004 (Server Core installation)


0x03 ´¦Öóͷ£½¨Òé


΢ÈíÒѾ­Ðû²¼²¹¶¡¸üУ¬£¬£¬£¬ÏÂÔØÁ´½Ó£º

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

½ûÓà SMBv3 ѹËõ

Äú¿ÉÒÔʹÓÃÒÔÏ PowerShell ÏÂÁî½ûÓÃѹËõ¹¦Ð§£¬£¬£¬£¬ÒÔ×èֹδ¾­Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßʹÓÃSMBv3ЧÀÍÆ÷µÄÎó²î¡£¡£ ¡£

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

×¢ÖØ£º

1. ¾ÙÐиü¸Äºó£¬£¬£¬£¬ÎÞÐèÖØÆô¡£¡£ ¡£

2. ´Ë½â¾öÒªÁì²»¿É×èֹʹÓà SMB ¿Í»§¶Ë£»£»£»£»£»±£»£»£»£»£»¤¿Í»§¶ËÇë²Î¿¼ÒÔÏÂÁ´½Ó£º

https://support.microsoft.com/zh-cn/help/3185535/preventing-smb-traffic-from-lateral-connections

3. Windows »ò Windows Server ÉÐδʹÓà SMB ѹËõ£¬£¬£¬£¬²¢ÇÒ½ûÓà SMB ѹËõ²»»á±¬·¢¸ºÃæµÄÐÔÄÜÓ°Ïì¡£¡£ ¡£

Äã¿ÉÒÔʹÓÃÏÂÃæµÄ PowerShell ÏÂÁî½ûÓøñäͨҪÁì¡£¡£ ¡£

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

×¢ÖØ£º½ûÓô˽â¾öÒªÁìºó£¬£¬£¬£¬ÎÞÐèÖØÆô¡£¡£ ¡£


0x04 Ïà¹ØÐÂÎÅ


https://securityaffairs.co/wordpress/104584/hacking/microsoft-vulnerability-smbleed.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-vulnerability-smbleed


0x05 ²Î¿¼Á´½Ó


https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/


0x06 ʱ¼äÏß


2020-06-09 ΢Èí¸üÐÂÎó²î²¹¶¡

2020-06-12 VSRCÐû²¼Îó²îͨ¸æ


ÈËÉú¾ÍÊDz©-×ðÁú¿­Ê±Öйú¹ÙÍø