[Alert] Microsoft SMBv3 Remote Code Execution Vulnerability

17/03/2020 11:43:40

Microsoft Server Message Block (SMB) protocol is a Microsoft network file sharing protocol used in Microsoft Windows. It is enabled by default in most Windows systems and is used to share files, printers, etc. SMB 3.1.1 was introduced in Windows 10 and Windows Server 2016. This vulnerability originates from SMBv3's failure to check whether the length of data packets passed from clients are legitimate, which leads to integer overflow eventually. Hackers can directly attack the SMB server to execute arbitrary malicious code remotely by exploiting this vulnerability. They can also establish a malicious SMB server to induce the client to connect and attack the client massively. Since this vulnerability is very dangerous and spreads rapidly, Sangfor recommends that users install security patches as soon as possible and take measures to prevent this vulnerability attack.

Affected versions

Affected Windows versions:

Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

Vulnerability Analysis

1. First, SMB calls the function srv2!Srv2ReceiveHandler to receive data packet and set the corresponding event handler as per the ProtocolId.

If data in the package is identified as compressed (ProtocolID = 0xfc4d5342), the function Srv2DecompressMessageAsync will be called.

2. srv2!Srv2DecompressMessageAsync will then call the function Srv2DecompressData:

In Srv2DecompressData function, while using SrvNetAllocateBuffer to allocate memory, length of OriginalCompressedSegmentSize and Offset/Length is unauthenticated, and the sum of the two also evades the security authentication.

3. srv2!Srv2DecompressData will then call SmbCompressionDecompress, which calls nt!RtlDecompressBufferXpressLz in turn for data decompression.

4. When function nt!RtlDecompressBufferXpressLz performs data decompression, we first analyze smb compress protocol data packet. Data size of the decompressed packet (v21) is compared with value of OriginalCompressedSegmentSize of buffer previously assigned by SrvNetAllocateBuffer to make sure the decompressed data size does not exceed value of the latter and execute memcopy.

5. However, if v21 is greater than the value of OriginalCompressedSegmentSize, error message (0xC0000242) will be returned. As length is unauthenticated during memory allocation as described in step 2 above, v21 can be extremely huge if the value of OriginalCompressedSegmentSize passed in is big enough to trigger integer overflow. Though, after analysis of decompress size, buffer overflow can be ultimately triggered when qmemcpy is called to pass in an overwhelmingly huge size.

Security updates of Microsoft ensures that length of OriginalCompressedSegmentSize and Offset/Length gets authenticated to avoid overflow.

The vulnerability is exploited by unauthenticated attackers to remotely connect to vulnerable computers running on Windows system via SMBv3, or connect the vulnerable Windows system to the SMBv3 server via client so as to arbitrarily execute code by exploiting SYSTEM privileges.


1. Vulnerability Detection

Sangfor suggests users to scan for the vulnerability using vulnerability detection tools.

Sangfor Host Security has updated its detection capability once the vulnerability broke out. Users can upgrade to quickly detect whether the network is affected by this high risk and avoid being used by attackers. Offline users are required to download offline update package for detection capability. Online users can automatically obtain detection capabilities.

2. Vulnerability Patch

Microsoft has released the security patch for this vulnerability and Sangfor suggests users to check you Windows version, download and install corresponding patches:

Sangfor Endpoint Secure has updated the vulnerability database immediately and supports detection and patch of this vulnerability. For users with Endpoint Secure 3.2.10 and later versions, upgrade corresponding service package and update vulnerability database to 202031317395 version to detect and patch this vulnerability. Online users can update vulnerability database directly. Offline update package and vulnerability database has been uploaded to Sangfor Community, and users can download them as per needs.

3. Prevention

Sangfor suggests users to update security policies on security devices to prevent vulnerability attacks.

Sangfor NGAF has updated threat database. Users can be protected from this threat easily and rapidly by updating to the latest threat database.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF and Endpoint Secure to block attacker IP address.

Users can modify registry manually to prevent remote attacks: run regedit.exe, open registry editor, create a DWORD named DisableCompression in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and set the value to 1 to disable SMB compression function.

Our Social Networks

Global Service Center: