Title: Windows Type 1 Font Parsing RCE
https://scz.617.cn/windows/202003250000.txt
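2020-03-25 QiAnXin CERT
The Adobe Type Manager Library improperly handles the "Adobe Type 1 PostScript" font format, which leads to RCE. Microsoft's official advisory states that the vulnerability has been exploited in the wild. An attacker can exploit it in several ways, such as convincing a user to open a specially crafted file or to view it in the Windows Preview Pane. The vulnerability affects XP through Win10; on Win7 and XP it yields kernel privileges, while on Win10 it yields privileges inside a sandbox.
Explorer -> Folder Options -> View -> Always show icons, never thumbnails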
x86/Win10
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
x64/Win10
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
Win8 and earlier
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DisableATMFD"=dword:00000001
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "DisableATMFD" /t REG_DWORD /d 1 /f
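
A read-only check of whether the workarounds above are in place, given here as an added example and not part of the original advisory. The function name Get-AtmfdMitigationState and its output field names are hypothetical; the file names, directories and registry value are the ones used above.

```powershell
# Added example: read-only audit of the workarounds above. Changes nothing.
# Get-AtmfdMitigationState and its output fields are hypothetical names.
function Get-AtmfdMitigationState {
    $is64Os   = [Environment]::Is64BitOperatingSystem
    $is64Proc = [Environment]::Is64BitProcess

    # A 32-bit process on x64 sees System32 redirected to SysWOW64;
    # Sysnative is the alias that reaches the real 64-bit directory.
    $native = if ($is64Os -and -not $is64Proc) { 'Sysnative' } else { 'System32' }
    $dirs = @(Join-Path $env:windir $native)
    if ($is64Os) { $dirs += Join-Path $env:windir 'SysWOW64' }

    foreach ($dir in $dirs) {
        $live    = Test-Path -LiteralPath (Join-Path $dir 'atmfd.dll')
        $renamed = Test-Path -LiteralPath (Join-Path $dir 'x-atmfd.dll')
        $aclSave = Test-Path -LiteralPath (Join-Path $dir 'atmfd.dll.acl')
        if ($live) {
            $state = 'atmfd.dll present (not renamed)'
        } elseif ($renamed) {
            $state = 'renamed to x-atmfd.dll'
        } else {
            $state = 'atmfd.dll absent'
        }
        [pscustomobject]@{
            Check  = "Rename in $dir"
            State  = $state
            Detail = "atmfd.dll.acl backup present: $aclSave"
        }
    }

    # Open the 64-bit registry view explicitly so a 32-bit process is not
    # redirected to the WOW64 view of HKLM\SOFTWARE.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    try {
        $key = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')
        $val = if ($key) { $key.GetValue('DisableATMFD') } else { $null }
    } finally { $base.Close() }
    if ($null -eq $val) { $state = 'not set' } else { $state = "set to $val" }
    [pscustomobject]@{
        Check  = 'DisableATMFD registry value'
        State  = $state
        Detail = 'Applied above on Win8 and earlier'
    }
}

Get-AtmfdMitigationState | Format-Table -AutoSize -Wrap
```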