CVE-2020-1206 | Windows SMBv3ÐÅÏ¢×ß©Îó²îͨ¸æ

Ðû²¼Ê±¼ä 2020-06-12

0x00 Îó²î¸ÅÊö


CVE   ID

CVE-2020-1206

ʱ    ¼ä

2020-06-12

Àà    ÐÍ

II

µÈ    ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


0x01 Îó²îÏêÇé


ÍòÀû¹ú¼Ê¹ÙÍø(ÖйúÓÎ)ÓÐÏÞ¹«Ë¾



΢ÈíÓÚÖܶþÐû²¼ÁË6ÔÂÇå¾²¸üв¹¶¡£¬£¬£¬£¬£¬£¬£¬£¬ÐÞ¸´ÁË129¸öÎó²î¡£¡£¡£¡£ÆäÖаüÀ¨Ò»¸öWindows SMBv3 ¿Í»§¶Ë/ЧÀÍÆ÷ÐÅÏ¢×ß©Îó²î£¨CVE-2020-1206£©,Ñо¿Ö°Ô±½«ÆäÃüÃûΪSMBleed¡£¡£¡£¡£¸ÃÎó²îλÓÚSMBµÄ½âѹËõº¯ÊýÖУ¬£¬£¬£¬£¬£¬£¬£¬ÓëSMBGhost»òEternalDarknessÎó²î(CVE-2020-0796)λÓÚͳһº¯ÊýÖУ¬£¬£¬£¬£¬£¬£¬£¬¹¥»÷ÕßʹÓøÃÎó²îÎÞÐèÉí·ÝÑéÖ¤¼´¿ÉÔ¶³Ì×ß©ÄÚºËÄÚ´æÐÅÏ¢£¬£¬£¬£¬£¬£¬£¬£¬ÈôÊÇÓë֮ǰ±¬³öµÄCVE-2020-0796Îó²îÁ¬Ïµ£¬£¬£¬£¬£¬£¬£¬£¬¿ÉÒÔʵÏÖÔ¶³Ì´úÂëÖ´ÐС£¡£¡£¡£

ҪʹÓÃÕë¶ÔЧÀÍÆ÷µÄÎó²î£¬£¬£¬£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß¿ÉÒÔ½«ÌØÖÆÊý¾Ý°ü·¢Ë͵½Ä¿µÄ SMBv3 ЧÀÍÆ÷¡£¡£¡£¡£ÒªÊ¹ÓÃÕë¶Ô¿Í»§¶ËµÄÎó²î£¬£¬£¬£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß½«ÐèÒªÉèÖöñÒâµÄ SMBv3 ЧÀÍÆ÷£¬£¬£¬£¬£¬£¬£¬£¬²¢Ëµ·þÓû§ÅþÁ¬µ½¸ÃЧÀÍÆ÷¡£¡£¡£¡£ÓÉÓÚSMBµÄ½âѹËõº¯ÊýSrv2DecompressData ÔÚ´¦Öóͷ£·¢Ë͸øÄ¿µÄSMBv3 ЧÀÍÆ÷ÐÂÎÅÇëÇóʱ±£´æÎÊÌ⣬£¬£¬£¬£¬£¬£¬£¬´Ó¶øʹ¹¥»÷Õß¿ÉÒÔ¶Áȡδ³õʼ»¯µÄÄÚºËÄÚ´æ²¢ÐÞ¸ÄѹËõ¹¦Ð§¡£¡£¡£¡£


ÍòÀû¹ú¼Ê¹ÙÍø(ÖйúÓÎ)ÓÐÏÞ¹«Ë¾



¹ØÓÚÎó²îʹÓõÄPoC£¬£¬£¬£¬£¬£¬£¬£¬²Î¿¼Á´½ÓÈçÏÂ:

SMBleed POC£ºhttps://github.com/ZecOps/CVE-2020-1206-POC¡£¡£¡£¡£

SMBleedÓëSMBGhostÁ¬ÏµµÄPOC: https://github.com/ZecOps/CVE-2020-0796-RCE-POC¡£¡£¡£¡£


0x02 Ó°Ïì¹æÄ£


ÒÔÏÂÊÇCVE-2020-1206Îó²îÊÜÓ°ÏìµÄϵͳ°æ±¾£º

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 2004 (Server Core installation)


0x03 ´¦Öóͷ£½¨Òé


΢ÈíÒѾ­Ðû²¼²¹¶¡¸üУ¬£¬£¬£¬£¬£¬£¬£¬ÏÂÔØÁ´½Ó£º

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

½ûÓà SMBv3 ѹËõ

Äú¿ÉÒÔʹÓÃÒÔÏ PowerShell ÏÂÁî½ûÓÃѹËõ¹¦Ð§£¬£¬£¬£¬£¬£¬£¬£¬ÒÔ×èֹδ¾­Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßʹÓÃSMBv3ЧÀÍÆ÷µÄÎó²î¡£¡£¡£¡£

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

×¢ÖØ£º

1. ¾ÙÐиü¸Äºó£¬£¬£¬£¬£¬£¬£¬£¬ÎÞÐèÖØÆô¡£¡£¡£¡£

2. ´Ë½â¾öÒªÁì²»¿É×èֹʹÓà SMB ¿Í»§¶Ë£»£»£»£» £»£»£»£»±£»£»£»£» £»£»£»£»¤¿Í»§¶ËÇë²Î¿¼ÒÔÏÂÁ´½Ó£º

https://support.microsoft.com/zh-cn/help/3185535/preventing-smb-traffic-from-lateral-connections

3. Windows »ò Windows Server ÉÐδʹÓà SMB ѹËõ£¬£¬£¬£¬£¬£¬£¬£¬²¢ÇÒ½ûÓà SMB ѹËõ²»»á±¬·¢¸ºÃæµÄÐÔÄÜÓ°Ïì¡£¡£¡£¡£

Äã¿ÉÒÔʹÓÃÏÂÃæµÄ PowerShell ÏÂÁî½ûÓøñäͨҪÁì¡£¡£¡£¡£

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

×¢ÖØ£º½ûÓô˽â¾öÒªÁìºó£¬£¬£¬£¬£¬£¬£¬£¬ÎÞÐèÖØÆô¡£¡£¡£¡£


0x04 Ïà¹ØÐÂÎÅ


https://securityaffairs.co/wordpress/104584/hacking/microsoft-vulnerability-smbleed.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-vulnerability-smbleed


0x05 ²Î¿¼Á´½Ó


https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/


0x06 ʱ¼äÏß


2020-06-09 ΢Èí¸üÐÂÎó²î²¹¶¡

2020-06-12 VSRCÐû²¼Îó²îͨ¸æ


ÍòÀû¹ú¼Ê¹ÙÍø(ÖйúÓÎ)ÓÐÏÞ¹«Ë¾