CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server

By Yijie Wang | March 12, 2020

FortiGuard Labs Threat Analysis Report

Affected platforms: Windows 10

Impacted parties: All Windows users

Impact: An unauthenticated attacker can exploit this wormable vulnerability to cause memory corruption, which may lead to remote code execution.

Severity level: High

Solution: All Windows 10 users are urged to apply the patch for CVE-2020-0796.

Introduction

Microsoft recently released a patch for CVE-2020-0796, a critical SMB server vulnerability that affects Windows 10. An unauthenticated attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.

This SMB vulnerability also has the potential to be exploited by worms to spread quickly. In 2017, the WannaCry ransomware exploited SMB server vulnerability CVE-2017-0144, infecting over 200,000 computers and causing billions of dollars in total damages. We urge everyone to patch their Windows 10 computers as soon as possible.

Affected Versions

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

Overview

FortiGuard Labs performed an analysis of this vulnerability on Windows 10 x64 version 1903. This blog post explains how a compressed data packet with a malformed header can cause an integer overflow in the SMB server. This overflow results in the kernel allocating a buffer that's far too small to hold the decompressed data, which leads to memory corruption.

Technical Analysis

There is an integer overflow bug in the Srv2DecompressData function in srv2.sys. The vulnerability is triggered when the SMB server receives a malformed SMB2_Compression_Transform_Header.

Figure 1: Wireshark capture of a malformed SMB2_Compression_Transform_Header

In our test, we created a malformed SMB2_Compression_Transform_Header with an OriginalSize/OriginalCompressedSegmentSize of 0xFFFFFFFF (4294967295) and an Offset of 0x64 (100). The data was compressed using the plain LZ77 algorithm.

Figure 2: IDA screenshot. Large OriginalSize + Offset can trigger an integer overflow in the Srv2DecompressData function in srv2.sys

The above screenshot shows where the integer overflow occurs in the Srv2DecompressData function in srv2.sys. This function creates a buffer that holds the decompressed data. It computes the buffer size by adding the “OriginalSize” to the “Offset” in a 32-bit addition, which can overflow the ECX register. Once it has calculated the buffer size, it passes that size to the SrvNetAllocateBuffer function to allocate the buffer.

Figure 3: Windbg screenshot, before and after the integer overflow

In the example above, EAX (the low 32 bits of RAX) holds the OriginalSize 0xFFFFFFFF and ECX (the low 32 bits of RCX) holds the Offset 0x64. The buffer size was calculated as 0xFFFFFFFF + 0x64, which wrapped around to 0x63. The function then called SrvNetAllocateBuffer to allocate a buffer of only 0x63 (99) bytes. Because of the overflow, the kernel allocated a buffer far smaller than the size the header actually implied.

Figure 4: Windbg screenshot, decompress LZ77 data and buffer overflow in the RtlDecompressBufferXpressLz function in ntoskrnl.exe

Later, the kernel called the RtlDecompressBufferXpressLz function to decompress the LZ77 data. The above screenshot shows the kernel using the “rep movs” instruction to copy 0x15f8f (89999) bytes of data into the buffer that had been allocated with a size of only 0x63 (99) bytes. This overran the small buffer, corrupting kernel memory and crashing the kernel.
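As an added illustration (not code from the FortiGuard analysis or from srv2.sys), the C below parses a SMB2 COMPRESSION_TRANSFORM_HEADER, computes the buffer size with the unchecked 32-bit addition described above, and places a checked form beside it that refuses the wrapping sum; header_is_suspicious is the kind of test a network monitor or IPS can apply to the header fields. The field layout follows the MS-SMB2 specification; the two sample headers are constructed, one carrying the 0xFFFFFFFF/0x64 values from the analysis.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2): 16 bytes, little-endian; the page's
   "OriginalSize" is the spec's OriginalCompressedSegmentSize field. */
typedef struct {
    uint32_t original_size;  /* OriginalCompressedSegmentSize */
    uint16_t algorithm;      /* 0x0002 = plain LZ77, as used in the analysis */
    uint16_t flags;
    uint32_t offset;         /* Offset/Length field */
} smb2_compression_hdr;
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Parse the header; returns 0 on success, -1 if too short or wrong magic (0xFC 'S' 'M' 'B'). */
int parse_hdr(const uint8_t *buf, size_t len, smb2_compression_hdr *h) {
    static const uint8_t magic[4] = { 0xFC, 'S', 'M', 'B' };
    if (len < 16 || memcmp(buf, magic, 4) != 0) return -1;
    h->original_size = rd32(buf + 4);
    h->algorithm     = rd16(buf + 8);
    h->flags         = rd16(buf + 10);
    h->offset        = rd32(buf + 12);
    return 0;
}
/* The unchecked 32-bit add the analysis describes: 0xFFFFFFFF + 0x64 wraps to 0x63. */
uint32_t alloc_size_unchecked(const smb2_compression_hdr *h) {
    return h->original_size + h->offset;
}
/* Hardened form: add in 64 bits and refuse a sum that does not fit in 32 bits.
   Returns 1 (and stores the size if out != NULL) on success, 0 if it would overflow. */
int alloc_size_checked(const smb2_compression_hdr *h, uint32_t *out) {
    uint64_t sum = (uint64_t)h->original_size + h->offset;
    if (sum > UINT32_MAX) return 0;
    if (out) *out = (uint32_t)sum;
    return 1;
}
/* Monitor-side check: flag a header whose OriginalSize + Offset overflows 32 bits. */
int header_is_suspicious(const uint8_t *buf, size_t len) {
    smb2_compression_hdr h;
    if (parse_hdr(buf, len, &h) != 0) return 0;
    return !alloc_size_checked(&h, NULL);
}
/* Constructed samples: the malformed header from the analysis, and a benign one. */
const uint8_t SAMPLE_BAD[16] = { 0xFC,'S','M','B', 0xFF,0xFF,0xFF,0xFF,
                                 0x02,0x00, 0x00,0x00, 0x64,0x00,0x00,0x00 };
const uint8_t SAMPLE_OK[16]  = { 0xFC,'S','M','B', 0x10,0x00,0x00,0x00,
                                 0x02,0x00, 0x00,0x00, 0x64,0x00,0x00,0x00 };
```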

Conclusion

In this blog post, we explained the root cause of the CVE-2020-0796 vulnerability. This SMB memory corruption vulnerability is extremely severe because worms may be able to exploit it to infect and spread through a network, much as the WannaCry ransomware exploited the SMB server vulnerability in 2017. It is very important that users apply the Windows 10 patch.

Solution

Customers are urged to apply the latest patch from Microsoft for CVE-2020-0796 for Windows 10.

Customers can use IPS signature “MS.SMB.Server.Compression.Transform.Header.Memory.Corruption” to detect attacks that exploit this vulnerability.
