Exploit code for wormable Windows 10 SMBGhost bug released on GitHub

People using the code may see crashes presenting a blue screen of death

A security researcher has published proof-of-concept exploit code for the wormable Windows 10 SMBGhost security vulnerability, which, when not patched, could enable hackers to spread malware from one vulnerable machine to another without requiring user interaction.

On Monday, a GitHub user who goes by the handle Chompie1337 shared the code for the SMBGhost vulnerability, revealing that it relies on a physical read primitive.

"This has not been tested outside of my lab environment," Chompie1337 wrote.

According to Chompie1337, the exploit isn't reliable, and people using it may see crashes that present a blue screen of death (BSOD).

"It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die."

Tracked as CVE-2020-0796, the SMBGhost security flaw exists in Windows Server versions 1903 and 1909 and Windows 10 versions 1903 and 1909, and affects the SMBv3 (Server Message Block 3.0) network communication protocol in both operating systems.

The SMB service is used by the OS to share various resources, such as files and printers, on local networks and over the Internet.

Details of CVE-2020-0796 were first published by cyber security firm Fortinet and Cisco's security group Talos in March this year. The two firms, however, quickly removed the details from their websites, and after a couple of days, an emergency fix was released by Microsoft to patch the vulnerability.

Microsoft said that the vulnerability could enable an attacker to connect to remote systems that have SMB enabled, and to execute malicious code with full privileges, thus enabling remote hijacking of vulnerable systems.

"To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it," Microsoft said in March.

After the details of CVE-2020-0796 emerged, many experts feared that it could be weaponised by threat actors to create self-spreading SMB worms, with capabilities similar to NotPetya and WannaCry ransomware strains.

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors are targeting Windows 10 systems that have not been patched for CVE-2020-0796.

Because this bug is "wormable," CISA said it can spread from one vulnerable system to another system without requiring user interaction.

The agency also advised admins and other users to use a firewall to block SMB ports from the internet and to apply patches as soon as possible.