A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code or cause denial of service on the target server or client.
In March 2020, Microsoft released CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
According to security researchers, the vulnerability occurs in the “SmbCompressDecompress” function. This function is used by both the SMBv3 client and server implementations, which makes both of them vulnerable.
You can check whether your client or server is affected by this vulnerability from the list below:
You can check for the SMBGhost Remote Code Execution vulnerability with our free online SMBGhost Rce Vulnerability Scanner (CVE-2020-0796) tool. To do this, type your domain name or IP address in the form at the top of the page and start scanning.
You can also use this PoC code to check for the vulnerability.
As a workaround, the following PowerShell command disables SMBv3 compression on the server:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
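The registry command above can be audited and applied in a repeatable way. The following is an added example, not code from Microsoft or from this page's author; the function name and output fields are assumptions, while the registry path and value name are the ones used in the command above. The setting is read by the SMB server service only, so it does not address the client-side scenario described earlier.

```powershell
# Added example: audit (and optionally apply) the DisableCompression workaround.
# Test-SmbCompressionWorkaround is a hypothetical name chosen for this example.
function Test-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Write the value when it is missing or not 1 (honours -WhatIf / -Confirm).
        # Writing to HKLM requires an elevated session.
        [switch]$Apply
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $name = 'DisableCompression'

    # Helper: return the DWORD as an int, or $null when the value is absent.
    $read = {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.$name } else { $null }
    }

    $before = & $read
    if ($Apply -and $before -ne 1 -and
        $PSCmdlet.ShouldProcess($path, "Set $name = 1")) {
        Set-ItemProperty -Path $path -Name $name -Type DWord -Value 1 -Force
    }
    $after = & $read   # re-read so the report reflects the registry, not intent

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ValueBefore        = $before          # $null means "value not present"
        ValueAfter         = $after
        CompressionBlocked = ($after -eq 1)
        Changed            = ($before -ne $after)
    }
}

# Report only; makes no changes:
Test-SmbCompressionWorkaround

# Preview what -Apply would write, without touching the registry:
Test-SmbCompressionWorkaround -Apply -WhatIf
```

A host that reports CompressionBlocked as False with ValueBefore empty has never had the workaround applied; a value of 0 means it was set and later reverted.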