Researchers developed PoC RCE exploit for SMBGhost flaw in Windows

Researchers from Ricerca Security have developed and demonstrated a proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 'wormable' pre-auth remote code execution vulnerability, better known as SMBGhost.

CVE-2020-0796 is a pre-authentication remote code execution flaw that resides in the Server Message Block 3.0 (SMBv3) network communication protocol. The bug, which Microsoft addressed in March, could allow an attacker to remotely execute malicious code on vulnerable computers. The flaw affects devices running Windows 10, versions 1903 and 1909, and Windows Server (Server Core installations), versions 1903 and 1909.

Multiple researchers have already made public tools that can be used to scan for vulnerable servers, and created proof-of-concept (PoC) exploits that can result in a DoS condition, or could be used to escalate privileges to SYSTEM.

“While there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far. This is probably because remote kernel exploitation is very different from local exploitation in that an attacker can't utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls. Accompanied with mitigations introduced in Windows 10, this limitation makes the achievement of RCE much more challenging,” Ricerca Security researchers explained in a technical write-up explaining how their PoC RCE exploit works.

However, the researchers decided not to share their proof-of-concept code with the public, to prevent its use for nefarious purposes.

“We have decided to make our PoC exclusively available to our customers to avoid abuse by script kiddies or cybercriminals,” the researchers said.
