标题: Windows Type 1字体解析RCE

https://scz.617.cn/windows/202003250000.txt

2020-03-25 奇安信 CERT

Adobe字体管理库(Adobe Type Manager Library)不正确地处理
"Adobe Type 1 PostScript"字体格式时会引发RCE。微软官方通告指出漏洞已遭在野
利用。攻击者利用漏洞的方式有多种，如说服用户打开一个特殊构造的文件或在
Windows预览窗格中查看该文件。该漏洞影响XP至Win10，在Win7、XP环境可获得内核
权限，在Win10环境可获得沙箱内权限。

资源管理器->文件夹选项->查看->始终显示图标、从不显示缩略图

x86/Win10

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll

x64/Win10

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll
    cd "%windir%\syswow64"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll

Win8及更低版本

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DisableATMFD"=dword:00000001
--------------------------------------------------------------------------

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "DisableATMFD" /t REG_DWORD /d 1 /f