FortiGuard Labs Threat Analysis Report
Affected platforms: Windows 10
Impacted parties: All Windows users
Impact: An unauthenticated attacker can exploit this wormable vulnerability to cause memory corruption, which may lead to remote code execution.
Severity level: High
Solution: All Windows 10 users are urged to apply the patch for CVE-2020-0796.
Microsoft recently released a patch for CVE-2020-0796, a critical SMB server vulnerability that affects Windows 10. An unauthenticated attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
This SMB vulnerability also has the potential to be exploited by worms to spread quickly. In 2017, the WannaCry ransomware exploited SMB server vulnerability CVE-2017-0144, infecting over 200,000 computers and causing billions of dollars in total damages. We urge everyone to patch their Windows 10 computers as soon as possible.
Affected versions:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, version 1909 (Server Core installation)
FortiGuard Labs performed an analysis of this vulnerability on Windows 10 x64 version 1903. This blog post explains how a compressed data packet with a malformed header can cause an integer overflow in the SMB server. This overflow results in the kernel allocating a buffer that's far too small to hold the decompressed data, which leads to memory corruption.
There is an integer overflow bug in the Srv2DecompressData function in srv2.sys. This vulnerability can be triggered when the SMB server receives a malformed SMB2_Compression_Transform_Header.
In our test, we created a malformed SMB2_Compression_Transform_Header with an OriginalSize/OriginalCompressedSegmentSize of 0xFFFFFFFF (4294967295) and an Offset of 0x64 (100). The data was compressed using the plain LZ77 algorithm.
The above screenshot shows where the integer overflow occurs in the Srv2DecompressData function in srv2.sys. This function creates a buffer that holds the decompressed data. The function computes the buffer size by adding the “OriginalSize” to the “Offset”, which can cause an integer overflow in the ECX register. Once it has calculated the buffer size, it passes the size to the SrvNetAllocateBuffer function to allocate the buffer.
In the example above, EAX (the lower half of RAX) holds the OriginalSize 0xFFFFFFFF and ECX (the lower half of RCX) holds the Offset 0x64. The buffer size was calculated as 0xFFFFFFFF + 0x64, which overflowed to 0x63. The function then called SrvNetAllocateBuffer to allocate the buffer with a size of 0x63 (99) bytes. This overflow caused the kernel to allocate a buffer that was much smaller than intended.
Later, the kernel called the RtlDecompressBufferXpressLz function to decompress the LZ77 data. The above screenshot shows that the kernel used the “rep movs” instruction to copy 0x15f8f (89999) bytes of data into the buffer that had been allocated with a size of only 0x63 (99) bytes. This overflowed the small buffer, corrupted memory, and crashed the kernel.
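A worked illustration of the arithmetic described above, added here and not taken from the FortiGuard analysis or from srv2.sys: it parses a constructed SMB2_COMPRESSION_TRANSFORM_HEADER carrying the values from the test (OriginalCompressedSegmentSize 0xFFFFFFFF, Offset 0x64), shows the 32-bit addition wrapping to 0x63, and shows the overflow check a decompressor must perform before allocating. The field layout follows MS-SMB2 section 2.2.42; the 16 MiB allocation limit is an assumed policy value, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* SMB2_COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42): 16 bytes, little-endian fields. */
typedef struct {
    uint32_t original_compressed_segment_size; /* size of the data once decompressed */
    uint16_t compression_algorithm, flags;
    uint32_t offset; /* uncompressed bytes placed before the decompressed data */
} smb2_compression_hdr;
#define SMB2_COMPRESSION_HDR_LEN 16
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu /* on the wire: FC 'S' 'M' 'B' */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Parse the fixed header; rejects short buffers and a wrong ProtocolId. */
bool parse_compression_hdr(const uint8_t *buf, size_t len, smb2_compression_hdr *h) {
    if (len < SMB2_COMPRESSION_HDR_LEN || rd32(buf) != SMB2_COMPRESSION_PROTOCOL_ID) return false;
    h->original_compressed_segment_size = rd32(buf + 4);
    h->compression_algorithm = (uint16_t)(buf[8] | buf[9] << 8);
    h->flags = (uint16_t)(buf[10] | buf[11] << 8);
    h->offset = rd32(buf + 12);
    return true;
}
/* Size computation as the analysis describes it: a 32-bit add that silently wraps. */
uint32_t alloc_size_unchecked(const smb2_compression_hdr *h) {
    return h->original_compressed_segment_size + h->offset;
}
/* Hardened form: refuse a wrapped sum and anything above a caller-chosen limit. */
bool alloc_size_checked(const smb2_compression_hdr *h, uint32_t max_size, uint32_t *out) {
    if (h->original_compressed_segment_size > UINT32_MAX - h->offset) return false; /* would wrap */
    *out = h->original_compressed_segment_size + h->offset;
    return *out <= max_size;
}
/* Constructed header with the values from the test: OriginalCompressedSegmentSize 0xFFFFFFFF,
   CompressionAlgorithm 0x0002 (LZ77), Flags 0, Offset 0x64. No payload is attached. */
static const uint8_t malformed_hdr[SMB2_COMPRESSION_HDR_LEN] = {
    0xFC, 'S', 'M', 'B', 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00 };
/* Buffer size the unchecked computation requests for that header: 0xFFFFFFFF + 0x64 wraps to 0x63. */
uint32_t demo_unchecked_size(void) {
    smb2_compression_hdr h;
    return parse_compression_hdr(malformed_hdr, sizeof malformed_hdr, &h) ? alloc_size_unchecked(&h) : 0;
}
/* True when the checked computation rejects the same header (assumed 16 MiB allocation limit). */
bool demo_checked_rejects(void) {
    smb2_compression_hdr h;
    uint32_t size;
    return parse_compression_hdr(malformed_hdr, sizeof malformed_hdr, &h) && !alloc_size_checked(&h, 16u << 20, &size);
}
```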
In this blog post, we explained the root cause of the CVE-2020-0796 vulnerability. This SMB memory corruption vulnerability is extremely severe because worms might be able to exploit it to infect and spread through a network, similar to how the WannaCry ransomware exploited the SMB server vulnerability in 2017. It is very important that users apply the Windows 10 patch.
Customers are urged to apply the latest patch from Microsoft for CVE-2020-0796 for Windows 10.
Customers can use IPS signature “MS.SMB.Server.Compression.Transform.Header.Memory.Corruption” to detect attacks that exploit this vulnerability.