Anatomy of an Exploit: SMBGhost/CoronaBlue – How “Chompie” Achieved Unauthenticated Remote Code Execution Despite Windows 10’s Near Perfect Address Randomization

Webinar Registration

Back in March, Microsoft patched CVE-2020-0796, known as SMBGhost or CoronaBlue, which affects Windows 10 and Windows Server 2019. The security hole is in the Server Message Block (SMB) protocol, which Windows uses for file sharing and which was also exploited by WannaCry. This was not an easy vulnerability to exploit fully. For months, the best researchers could accomplish was denial of service and local privilege elevation.

But just over a week ago, a proof of concept dropped that achieved the gold standard of exploitation: unauthenticated remote code execution (RCE).

In this webinar, we will dive into the details of SMBGhost and explain why the security enhancements in Windows 10 and Windows Server 2019 make RCE so difficult to achieve today. We will then look at how security researchers were able to overcome those defenses using memory descriptor lists (MDLs), a memory management object used in kernel drivers to facilitate Direct Memory Access (DMA).

Then we will pivot to defense and discuss several different layers:

  • Patching (obvious)
  • Workarounds
  • Network based countermeasures
  • Network detection

Understanding this exploit from a network perspective is especially important, and we will show you why this is more of an on-prem and cloud virtual network issue than an Internet-facing one. There are many opportunities to prevent this vulnerability from being exploited to spread laterally.

But we will also show why a many-layered defense-in-depth approach is always best: you can't foresee and pre-empt every exploit, zero day or not. Apart from a fully autonomous worm designed purely for denial of service, any other attacker will still need to connect back to C&C and usually exfiltrate data. And upstream from that, how does the attacker get initial access? Since this exploit is over SMB, in most cases the attacker will need other methods at the beginning. In all such cases there are invariably several domain names and IP addresses involved.

Threat intel lists are useful for domains and IPs, but they only identify untargeted campaign infrastructure that has been exposed long enough to get "burned". Chad Anderson, Senior Security Researcher at our sponsor DomainTools, will briefly show you how their machine learning predicts malicious domains and infrastructure before attacks happen, how to investigate these attacks, and how to predict an attacker's next move.

Please join us for this real training for free event.
