SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost

TL;DR

  • While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206).
  • SMBleed allows leaking kernel memory remotely.
  • Combined with SMBGhost, which was patched three months ago, SMBleed allows achieving pre-auth Remote Code Execution (RCE).
  • POC #1: SMBleed remote kernel memory read
  • POC #2: Pre-auth RCE combining SMBleed with SMBGhost

Introduction

The SMBGhost (CVE-2020-0796) bug in the compression mechanism of SMBv3.1.1 was fixed about three months ago.

Continue reading SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost at ZecOps Blog.
