Anatomy of an Exploit: SMBGhost/CoronaBlue – How “Chompie” Achieved Unauthenticated Remote Code Execution Despite Windows 10’s Near Perfect Address Randomization

Webinar Registration

Back in March, Microsoft patched CVE-2020-0796, known as SMBGhost or CoronaBlue, which affects Windows 10 and Windows Server 2019. The security hole is in the Server Message Block (SMB) protocol which Windows uses for file sharing and was also exploited with WannaCry. This was not an easy vulnerability to exploit to the full. For months the best researchers could accomplish was denial of service and local privilege elevation.

But just over a week ago, a proof of concept dropped that achieved the gold standard of exploitation:  unauthenticated, remote code exploitation (RCE).

In this webinar, we will dive into the details of SMBGhost and explain why security enhancements in Windows 10 and Windows Server 2019 make it so difficult to do RCE today and look at how security researchers were able to overcome it using “memory descriptor lists” which is a memory management object used in kernel drives to facilitate Direct Memory Access (DMA).

Then we will pivot to defense and discuss several different layers:

  • Patching (obvious)
  • Workarounds
  • Network based countermeasures
  • Network detection

Understanding this exploit from a network perspective is especially important and we will show you why this is more of an on-prem and cloud virtual network issue than an Internet facing issue. There are many opportunities to prevent this vulnerability from being exploited to spread laterally.

But we will also show how a many-layered defense-in-depth approach is always best because you can’t foresee and pre-empt every exploit, whether zero day or not. Besides a fully autonomous worm simply designed for denial-of-service, any other attacker will still need to connect back to C&C and usually exfiltrate data. And upstream from that, how does the attacker get initial access? Since this exploit is over SMB, in most cases the bad guy will need to use other methods at the beginning. In all such cases there is invariably several domain names and IP addresses involved.

Threat intel lists are nice for domains and IPs but that only identifies untargeted campaign infrastructure that’s been out long enough to get “burned”. On the other hand, Senior Security Researcher, Chad Anderson, of our sponsor, DomainTools, will briefly show you how their true machine learning predicts malicious domains and infrastructure before attacks happen, how to investigate these attacks, and predict an attacker's next move.

Please join us for this real training for free event.

First Name:   
Last Name:   
Work Email:  
Phone:  
Job Title:  
Organization:  
Country:    
State:  
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.

 

 

Additional Resources