Read the original article: SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost
TL;DR
- While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206).
- SMBleed allows an unauthenticated remote attacker to leak kernel memory.
- Combined with SMBGhost, which was patched three months ago, SMBleed can be used to achieve pre-auth Remote Code Execution (RCE).
- POC #1: SMBleed remote kernel memory read: POC #1 Link
- POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost: POC #2 Link
Introduction
The SMBGhost (CVE-2020-0796) bug in the compression mechanism of SMBv3.1.1 was fixed about three months ago.