The Anatomy of an Exploit: SMBGhost
Back in March, Microsoft patched CVE-2020-0796, known as SMBGhost or CoronaBlue, which affects Windows 10 and Windows Server, versions 1903 and 1909. The bug sits in the compression support of SMBv3.1.1, the Server Message Block (SMB) protocol Windows uses for file sharing; SMB is also the protocol WannaCry spread over, though through a different, SMBv1 vulnerability (EternalBlue). This was not an easy vulnerability to exploit to the full: for months the best researchers could achieve was denial of service and local privilege escalation.
But just over a week ago, a proof of concept dropped that achieved the gold standard of exploitation: unauthenticated remote code execution (RCE).
In this webinar we will dive into the details of SMBGhost, explain why the security enhancements in Windows 10 and Windows Server 2019 make RCE so difficult today, and look at how security researchers overcame them by abusing memory descriptor lists (MDLs), the memory-management structures kernel drivers use to describe the physical pages behind a buffer so that devices can read and write it through Direct Memory Access (DMA).
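The abstract above does not cover the root cause, so here is an added illustration of it (example code written for this page, not code from the webinar, from srv2.sys, or from the public proof of concept): a simplified user-mode model of the arithmetic behind CVE-2020-0796. The SMB2 COMPRESSION_TRANSFORM_HEADER carries two attacker-controlled lengths, OriginalCompressedSegmentSize and Offset; the unpatched server added them in 32-bit arithmetic to size a buffer, so a sum that wraps yields a tiny allocation that the data placed at Offset then runs past. The field names and algorithm ID come from MS-SMB2; the function names, the constructed header bytes, and the shape of the hardened check are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER, 16 bytes on the wire, little-endian fields.
 * Field names follow MS-SMB2; the struct itself is a model built for this example. */
typedef struct {
    uint32_t ProtocolId;                    /* wire bytes 0xFC 'S' 'M' 'B' */
    uint32_t OriginalCompressedSegmentSize; /* attacker-controlled */
    uint16_t CompressionAlgorithm;          /* 1 = LZNT1 per MS-SMB2 */
    uint16_t Flags;
    uint32_t Offset;                        /* uncompressed bytes before the compressed blob; attacker-controlled */
} CompressionTransformHeader;

/* 0xFC 'S' 'M' 'B' read as a little-endian 32-bit value. */
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Parse the header from raw bytes; false if too short or the ProtocolId is wrong. */
bool parse_header(const uint8_t *buf, size_t len, CompressionTransformHeader *h) {
    if (len < 16) return false;
    h->ProtocolId = le32(buf);
    if (h->ProtocolId != SMB2_COMPRESSION_PROTOCOL_ID) return false;
    h->OriginalCompressedSegmentSize = le32(buf + 4);
    h->CompressionAlgorithm = le16(buf + 8);
    h->Flags = le16(buf + 10);
    h->Offset = le32(buf + 12);
    return true;
}

/* Modelled pre-patch behaviour: the allocation size is a plain 32-bit sum and wraps. */
uint32_t vulnerable_alloc_size(const CompressionTransformHeader *h) {
    return h->OriginalCompressedSegmentSize + h->Offset;
}

/* Hardened version: add in 64 bits and reject any sum that does not fit in 32 bits
 * (the effect of an overflow-checked add such as RtlULongAdd). */
bool hardened_alloc_size(const CompressionTransformHeader *h, uint32_t *out) {
    uint64_t sum = (uint64_t)h->OriginalCompressedSegmentSize + (uint64_t)h->Offset;
    if (sum > UINT32_MAX) return false;
    *out = (uint32_t)sum;
    return true;
}

/* Would writing decompressed_len bytes at alloc + offset run past alloc_size bytes? */
bool write_escapes_buffer(uint32_t alloc_size, uint32_t offset, uint32_t decompressed_len) {
    return (uint64_t)offset + (uint64_t)decompressed_len > (uint64_t)alloc_size;
}

/* Constructed header for the example (not a captured packet):
 * OriginalCompressedSegmentSize = 0xFFFFFFFF, LZNT1, Flags 0, Offset = 0x10. */
static const uint8_t kCraftedHeader[16] = {
    0xFC, 0x53, 0x4D, 0x42,  /* ProtocolId */
    0xFF, 0xFF, 0xFF, 0xFF,  /* OriginalCompressedSegmentSize */
    0x01, 0x00,              /* CompressionAlgorithm: LZNT1 */
    0x00, 0x00,              /* Flags */
    0x10, 0x00, 0x00, 0x00   /* Offset */
};

int main(void) {
    CompressionTransformHeader h;
    if (!parse_header(kCraftedHeader, sizeof kCraftedHeader, &h)) return 1;
    uint32_t bad = vulnerable_alloc_size(&h);   /* 0xFFFFFFFF + 0x10 wraps to 0xF */
    printf("vulnerable allocation size: 0x%x bytes\n", (unsigned)bad);
    printf("64 decompressed bytes at offset 0x%x escape the buffer: %s\n",
           (unsigned)h.Offset, write_escapes_buffer(bad, h.Offset, 64) ? "yes" : "no");
    uint32_t good;
    printf("hardened path accepts header: %s\n", hardened_alloc_size(&h, &good) ? "yes" : "no");
    return 0;
}
```

The point to take away is the ordering: the allocation is sized from the wrapped sum before any data is placed in it, so the out-of-bounds write happens regardless of what validation follows. Checking the sum for overflow before allocating, as the hardened function does, removes the primitive entirely.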
Additionally, Senior Security Researcher Chad Anderson will briefly show how their machine learning predicts malicious domains and infrastructure before attacks happen, how to investigate those attacks, and how to predict an attacker's next move.