A proof-of-concept (PoC) exploit achieving remote code execution (RCE) through CVE-2020-0796, the 'wormable' pre-authentication vulnerability in Windows 10, was developed and demoed today by researchers at Ricerca Security.

The security vulnerability, also known as SMBGhost, was found in the Microsoft Server Message Block 3.1.1 (SMBv3) network communication protocol and only affects systems running Windows 10, versions 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909.

Some information on SMBGhost leaked during last month's Patch Tuesday after being accidentally published by several security vendors that are part of the Microsoft Active Protections Program, even though Microsoft had decided to withhold the information and not issue a security advisory at the time.

"An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client," Microsoft explains.

"To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it."

DoS, LPE, and now an RCE PoC exploit

After a number of proofs-of-concept (PoC) exploits surfaced, including a denial-of-service one developed by Kryptos Logic security researcher Marcus Hutchins, Microsoft released security patches for all affected platforms on March 12.

"However, while there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far," Ricerca Security researchers said today.

"This is probably because remote kernel exploitation is very different from local exploitation in that an attacker can't utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls."

If patching all vulnerable systems wasn't urgent enough until now, Ricerca Security today demoed a PoC RCE exploit for SMBGhost and published a write-up with all the technical details behind it, after tweeting a teaser a week ago.

They also shared a video demo of their SMBGhost PoC RCE exploit with BleepingComputer.

No public RCE exploit so far

For the time being though, Ricerca Security has decided not to share their RCE PoC exploit publicly to avoid having it fall in the wrong hands.

"We have decided to make our PoC exclusively available to our customers to avoid abuse by script kiddies or cybercriminals," they said.

Researchers at cybersecurity firm Kryptos Logic found about 48,000 Windows 10 hosts exposed to SMBGhost in an Internet-wide scan on March 12.

If you haven't yet patched your Windows 10 systems against CVE-2020-0796, you should do it as soon as possible to block potential attacks.

If you can't update at the moment, Microsoft recommends disabling SMBv3 compression with this PowerShell (Admin) command. No restart is required, but note the limitation: it only protects the SMB server side and does not prevent exploitation of SMB clients that connect to a malicious server:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Enterprise customers can also block TCP port 445 at the enterprise perimeter firewall to stop attackers from reaching the SMB service from the Internet.
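The following script ties the steps above together as one elevated PowerShell run. It is an added example written for this article, not code from Microsoft or Ricerca Security. It assumes the affected builds are 18362 (version 1903) and 18363 (version 1909), that KB4551762 is the March 12, 2020 update that fixes the bug, and that the host-level firewall rule name and remote-address scope are placeholders you adapt to your environment.

```powershell
# Added example: assess a Windows 10 host for CVE-2020-0796 and, if it is
# still unpatched, apply the SMBv3 compression workaround plus a host-level
# block on inbound TCP/445. Run from an elevated PowerShell session.
# Assumptions: builds 18362/18363 are the affected releases and KB4551762 is
# the fixing update (neither is stated in the article).

$affectedBuilds = @(18362, 18363)   # Windows 10 1903 and 1909
$fixKB          = 'KB4551762'

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

if ($affectedBuilds -notcontains $build) {
    Write-Host "Build $build.$ubr is not an affected release; nothing to do."
    return
}

$patched = [bool](Get-HotFix -Id $fixKB -ErrorAction SilentlyContinue)
if ($patched) {
    Write-Host "$fixKB is installed; the compression workaround is not required."
    return
}

# 1. Workaround: disable SMBv3 compression on the server side (no reboot).
#    This only closes the server-side attack path; a client that connects
#    to a malicious SMBv3 server stays exposed until the update is installed.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $paramKey -Name DisableCompression -Type DWORD -Value 1 -Force

# Verify the value actually took effect before trusting the workaround.
$current = (Get-ItemProperty -Path $paramKey -Name DisableCompression).DisableCompression
if ($current -ne 1) { throw "DisableCompression was not set (value: $current)" }
Write-Host "SMBv3 compression disabled on this host."

# 2. Defence in depth: block inbound TCP/445 from non-local addresses on the
#    host itself, mirroring the perimeter block. 'Internet' is a built-in
#    address keyword; narrow or widen the scope to fit your network.
New-NetFirewallRule -DisplayName 'Block inbound SMB (CVE-2020-0796)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress Internet -Action Block -Profile Any | Out-Null
Write-Host "Inbound TCP/445 from non-local addresses blocked."

# Rollback once KB4551762 is installed and verified:
#   Set-ItemProperty -Path $paramKey -Name DisableCompression -Type DWORD -Value 0 -Force
#   Remove-NetFirewallRule -DisplayName 'Block inbound SMB (CVE-2020-0796)'
```

The script exits early on unaffected builds and on hosts where the update is already present, so it is safe to push through a configuration-management run; the verification step after `Set-ItemProperty` matters because a Group Policy that manages the same key can silently revert the value.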