# SMBGhost Analysis (CVE-2020-0796)

This time, an integer overflow vulnerability has been reported in the compression feature of SMB version 3.1.1. It affects Windows 10 versions 1903 and 1909 and can be triggered without authentication.

The bug is located in the srv2.sys driver. Looking at Figure 1, the protocol carries two fields, OriginalCompressedSegmentSize and Offset/Length: the first declares the length of the compressed segment, and the second gives the size of the uncompressed data. Both fields are 32-bit and both are controlled by the attacker.

Figure 2 shows the reversed code of the corresponding function, with the vulnerable spot marked. As you know, unsigned integer types accept only a positive range, up to 65,535 bytes of numeric data, so the vulnerability is this: SrvNetAllocateBuffer, which returns a pointer to a region of memory, is called with a size computed from those uncontrolled input values. When the attacker-supplied numbers exceed what the data type can hold, the arithmetic wraps and the buffer is sized incorrectly, i.e. a numeric overflow.
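The following added example (not code from the post or from srv2.sys) models the size computation described above with a hypothetical two-field header struct and constructed sample values: the unchecked 32-bit sum wraps to a tiny allocation, while the checked version rejects the request before any buffer is allocated.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the two 32-bit fields named in the post; the real
 * header layout lives in the protocol specification, not on this page. */
typedef struct {
    uint32_t original_compressed_segment_size;
    uint32_t offset_or_length;
} compression_header_t;

/* Unchecked pattern: unsigned 32-bit addition wraps modulo 2^32, so a huge
 * OriginalCompressedSegmentSize produces a far smaller allocation size. */
uint32_t alloc_size_unchecked(const compression_header_t *h)
{
    return h->original_compressed_segment_size + h->offset_or_length;
}

/* Hardened pattern: detect the wrap before adding. Returns true and writes
 * *out only when the sum fits in 32 bits; otherwise the packet is rejected. */
bool alloc_size_checked(const compression_header_t *h, uint32_t *out)
{
    uint32_t a = h->original_compressed_segment_size;
    uint32_t b = h->offset_or_length;
    if (b > UINT32_MAX - a)
        return false;           /* would overflow: do not allocate */
    *out = a + b;
    return true;
}

int main(void)
{
    /* Constructed samples: a benign header and one whose sum wraps. */
    compression_header_t benign = { 0x1000u, 0x10u };
    compression_header_t wrap   = { 0xFFFFFFF0u, 0x20u };
    uint32_t sz = 0;

    printf("benign: unchecked=0x%x checked_ok=%d\n",
           alloc_size_unchecked(&benign), alloc_size_checked(&benign, &sz));
    printf("wrap:   unchecked=0x%x checked_ok=%d\n",
           alloc_size_unchecked(&wrap), alloc_size_checked(&wrap, &sz));
    return 0;
}
```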