CVE-2020-0796: Remote Code Execution in Windows SMBv3 (SMBGhost)

The Server Message Block 3.1.1 (SMBv3) protocol introduced a new feature for compressing data payloads, designed to optimize data transfer across networks. This compression capability is handled within the Windows kernel by the SMB server driver, srv2.sys. The vulnerability, tracked as CVE-2020-0796, is an integer overflow flaw present in the decompression routines of this driver.

The vulnerability manifests when the server processes incoming network packets containing the SMB2_COMPRESSION_TRANSFORM_HEADER. Because the protocol handles compression pre-authentication, the affected code path is fully accessible to any unauthorized network user. This architectural design makes the vulnerability wormable, allowing lateral movement without credentials.

Successful exploitation results in arbitrary code execution within the context of the Windows kernel (SYSTEM). Consequently, an attacker can fully compromise the target system, install persistent malware, or pivot to other machines on the network. The flaw affects Windows 10 and Windows Server versions 1903 and 1909, as earlier versions lack the SMBv3 compression feature.

The root cause of CVE-2020-0796 resides in the Srv2DecompressData function within the srv2.sys driver. When an SMBv3 client sends a compressed packet, it prefixes the payload with an SMB2_COMPRESSION_TRANSFORM_HEADER. This header includes several fields, notably the OriginalCompressedSegmentSize (the expected uncompressed size) and an Offset value indicating where the data begins.

The vulnerability is a classic integer overflow triggered by the summation of the OriginalCompressedSegmentSize and Offset fields. Both variables are supplied as unsigned 32-bit integers directly from the network packet without prior bounds checking. If an attacker crafts a packet where the sum of these two values exceeds the maximum 32-bit integer limit (0xFFFFFFFF), the arithmetic operation wraps around, resulting in a significantly smaller value.

The srv2.sys driver subsequently uses this wrapped-around, undersized value as the size argument for a memory allocation call via SrvNetAllocateBuffer. The system successfully allocates the small buffer on the kernel heap. However, the subsequent decompression routine (such as LZNT1) relies on the original, unmodified OriginalCompressedSegmentSize field to determine how much data to write.

As the decompression routine executes, it extracts the payload and writes it into the undersized buffer. Because the uncompressed data is larger than the allocated space, the write operation continues past the buffer boundaries. This causes a severe heap-based buffer overflow, overwriting adjacent kernel memory structures.

Exploiting this heap-based buffer overflow requires manipulating the kernel heap layout to achieve reliable code execution. An attacker initiates the attack by sending an SMB2 Negotiate Protocol Request to port 445, signaling support for compression. The server acknowledges this, establishing a session where compressed payloads are accepted.

The attacker then transmits a specially crafted payload with the malicious SMB2_COMPRESSION_TRANSFORM_HEADER. The goal is to position sensitive kernel data structures adjacent to the undersized buffer allocated by SrvNetAllocateBuffer. By controlling the contents of the compressed payload, the attacker dictates the exact bytes written during the overflow.

Reliable remote code execution relies on overwriting function pointers or executing a data-only attack against token privileges. If the heap grooming fails or the overwritten memory contains critical operational data, the srv2.sys driver will crash. This crash results in a system-wide bug check, commonly known as a Blue Screen of Death (BSOD), rendering the system unavailable.

In addition to the remote attack vector, a local privilege escalation (LPE) vector exists. A low-privileged local user can construct the same malicious packet and transmit it to the local SMB client component. This achieves the same integer overflow and subsequent buffer overflow, elevating the local process privileges to SYSTEM.

The security impact of CVE-2020-0796 is absolute system compromise. Execution context occurs at the kernel level (Ring 0), bypassing all user-mode security boundaries. The CVSS v3.1 score of 10.0 reflects the worst-case scenario: unauthenticated, remote, low-complexity exploitation with complete loss of confidentiality, integrity, and availability.

The vulnerability is designated as wormable. Network-based exploitation requires zero user interaction and exploits a protocol (SMB) that is ubiquitous in enterprise environments. An exploit payload can independently identify and infect adjacent vulnerable hosts, facilitating rapid propagation akin to the WannaCry or NotPetya campaigns.

The Exploit Prediction Scoring System (EPSS) assigns this vulnerability a score of 0.94408, placing it in the 99.98th percentile. This metric indicates near-certain exploitation activity in the wild. Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2020-0796 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active utilization by threat actors, including ransomware operators.

Remediation primarily requires applying the out-of-band security updates released by Microsoft on March 12, 2020, or any subsequent cumulative updates. These patches correct the arithmetic logic in Srv2DecompressData by implementing safe integer math operations. The patched driver explicitly validates that the addition of OriginalCompressedSegmentSize and Offset does not overflow before allocating memory.

For systems where immediate patching is strictly impossible, administrators must implement the official workaround. Disabling SMBv3 compression prevents the vulnerable code path from being reached. This is achieved via a PowerShell command that creates a specific registry key.

# Disable SMBv3 Compression (does not require a reboot)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWord -Value 1 -Force

Applying this registry change takes effect immediately without requiring a system reboot. However, this workaround does not protect the SMB client component from the local privilege escalation vector. Local unprivileged users can still exploit the flaw to gain SYSTEM access unless the system is fully patched.

Network perimeter defense forms the final layer of mitigation. Administrators must ensure TCP port 445 is blocked at the edge firewall, preventing inbound SMB connections from the internet. Intrusion Detection Systems (IDS) utilizing Snort or Suricata rules should be deployed to monitor internal traffic for the \xfcSMB header combined with anomalous length fields.