CVE-2020-1206 | Windows SMBv3ÐÅÏ¢×ß©Îó²îͨ¸æ

Ðû²¼Ê±¼ä 2020-06-12

0x00 Îó²î¸ÅÊö


CVE   ID

CVE-2020-1206

ʱ    ¼ä

2020-06-12

Àà    ÐÍ

II

µÈ    ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


0x01 Îó²îÏêÇé


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾



΢ÈíÓÚÖܶþÐû²¼ÁË6ÔÂÇå¾²¸üв¹¶¡£¬£¬£¬£¬£¬£¬£¬ÐÞ¸´ÁË129¸öÎó²î¡£¡£¡£¡£¡£ÆäÖаüÀ¨Ò»¸öWindows SMBv3 ¿Í»§¶Ë/ЧÀÍÆ÷ÐÅÏ¢×ß©Îó²î£¨CVE-2020-1206£©,Ñо¿Ö°Ô±½«ÆäÃüÃûΪSMBleed¡£¡£¡£¡£¡£¸ÃÎó²îλÓÚSMBµÄ½âѹËõº¯ÊýÖУ¬£¬£¬£¬£¬£¬£¬ÓëSMBGhost»òEternalDarknessÎó²î(CVE-2020-0796)λÓÚͳһº¯ÊýÖУ¬£¬£¬£¬£¬£¬£¬¹¥»÷ÕßʹÓøÃÎó²îÎÞÐèÉí·ÝÑéÖ¤¼´¿ÉÔ¶³Ì×ß©ÄÚºËÄÚ´æÐÅÏ¢£¬£¬£¬£¬£¬£¬£¬ÈôÊÇÓë֮ǰ±¬³öµÄCVE-2020-0796Îó²îÁ¬Ïµ£¬£¬£¬£¬£¬£¬£¬¿ÉÒÔʵÏÖÔ¶³Ì´úÂëÖ´ÐС£¡£¡£¡£¡£

ҪʹÓÃÕë¶ÔЧÀÍÆ÷µÄÎó²î£¬£¬£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß¿ÉÒÔ½«ÌØÖÆÊý¾Ý°ü·¢Ë͵½Ä¿µÄ SMBv3 ЧÀÍÆ÷¡£¡£¡£¡£¡£ÒªÊ¹ÓÃÕë¶Ô¿Í»§¶ËµÄÎó²î£¬£¬£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß½«ÐèÒªÉèÖöñÒâµÄ SMBv3 ЧÀÍÆ÷£¬£¬£¬£¬£¬£¬£¬²¢Ëµ·þÓû§ÅþÁ¬µ½¸ÃЧÀÍÆ÷¡£¡£¡£¡£¡£ÓÉÓÚSMBµÄ½âѹËõº¯ÊýSrv2DecompressData ÔÚ´¦Öóͷ£·¢Ë͸øÄ¿µÄSMBv3 ЧÀÍÆ÷ÐÂÎÅÇëÇóʱ±£´æÎÊÌ⣬£¬£¬£¬£¬£¬£¬´Ó¶øʹ¹¥»÷Õß¿ÉÒÔ¶Áȡδ³õʼ»¯µÄÄÚºËÄÚ´æ²¢ÐÞ¸ÄѹËõ¹¦Ð§¡£¡£¡£¡£¡£


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾



¹ØÓÚÎó²îʹÓõÄPoC£¬£¬£¬£¬£¬£¬£¬²Î¿¼Á´½ÓÈçÏÂ:

SMBleed POC£ºhttps://github.com/ZecOps/CVE-2020-1206-POC¡£¡£¡£¡£¡£

SMBleedÓëSMBGhostÁ¬ÏµµÄPOC: https://github.com/ZecOps/CVE-2020-0796-RCE-POC¡£¡£¡£¡£¡£


0x02 Ó°Ïì¹æÄ£


ÒÔÏÂÊÇCVE-2020-1206Îó²îÊÜÓ°ÏìµÄϵͳ°æ±¾£º

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 2004 (Server Core installation)


0x03 ´¦Öóͷ£½¨Òé


΢ÈíÒѾ­Ðû²¼²¹¶¡¸üУ¬£¬£¬£¬£¬£¬£¬ÏÂÔØÁ´½Ó£º

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

½ûÓà SMBv3 ѹËõ

Äú¿ÉÒÔʹÓÃÒÔÏ PowerShell ÏÂÁî½ûÓÃѹËõ¹¦Ð§£¬£¬£¬£¬£¬£¬£¬ÒÔ×èֹδ¾­Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßʹÓÃSMBv3ЧÀÍÆ÷µÄÎó²î¡£¡£¡£¡£¡£

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

×¢ÖØ£º

1. ¾ÙÐиü¸Äºó£¬£¬£¬£¬£¬£¬£¬ÎÞÐèÖØÆô¡£¡£¡£¡£¡£

2. ´Ë½â¾öÒªÁì²»¿É×èֹʹÓà SMB ¿Í»§¶Ë£»£»£»£»±£»£»£»£»¤¿Í»§¶ËÇë²Î¿¼ÒÔÏÂÁ´½Ó£º

https://support.microsoft.com/zh-cn/help/3185535/preventing-smb-traffic-from-lateral-connections

3. Windows »ò Windows Server ÉÐδʹÓà SMB ѹËõ£¬£¬£¬£¬£¬£¬£¬²¢ÇÒ½ûÓà SMB ѹËõ²»»á±¬·¢¸ºÃæµÄÐÔÄÜÓ°Ïì¡£¡£¡£¡£¡£

Äã¿ÉÒÔʹÓÃÏÂÃæµÄ PowerShell ÏÂÁî½ûÓøñäͨҪÁì¡£¡£¡£¡£¡£

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

×¢ÖØ£º½ûÓô˽â¾öÒªÁìºó£¬£¬£¬£¬£¬£¬£¬ÎÞÐèÖØÆô¡£¡£¡£¡£¡£


0x04 Ïà¹ØÐÂÎÅ


https://securityaffairs.co/wordpress/104584/hacking/microsoft-vulnerability-smbleed.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-vulnerability-smbleed


0x05 ²Î¿¼Á´½Ó


https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1206

https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/


0x06 ʱ¼äÏß


2020-06-09 ΢Èí¸üÐÂÎó²î²¹¶¡

2020-06-12 VSRCÐû²¼Îó²îͨ¸æ


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾