微软发布Type 1字体解析远程代码执行漏洞补丁,建议用户尽快修补
2020-04-17 14:33:14 Author: www.4hou.com(查看原文) 阅读量:218 收藏

漏洞背景

3月23日,微软发布公告ADV200006称Adobe Type Manager Library中存在2个未修补的漏洞,当Windows Adobe Type Manager Library处理Adobe Type 1 PostScript 格式字体时存在两个远程执行代码漏洞。攻击者利用漏洞可在多个场景实施攻击,比如说服受害者在Windows的预览中访问一个特殊构造的文档。

4月15日,微软正式发布CVE-2020-1020/CVE-2020-0938漏洞补丁。

腾讯安全团队已对漏洞进行分析,该漏洞可稳定利用:

1586933869425.2020-04-16 16_04_04.gif

漏洞版本

· Windows 10 for 32-bit Systems

· Windows 10 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems

· Windows 10 Version 1607 for x64-based Systems

· Windows 10 Version 1709 for 32-bit Systems

· Windows 10 Version 1709 for ARM64-based Systems

· Windows 10 Version 1709 for x64-based Systems

· Windows 10 Version 1803 for 32-bit Systems

· Windows 10 Version 1803 for ARM64-based Systems

· Windows 10 Version 1803 for x64-based Systems

· Windows 10 Version 1809 for 32-bit Systems

· Windows 10 Version 1809 for ARM64-based Systems

· Windows 10 Version 1809 for x64-based Systems

· Windows 10 Version 1903 for 32-bit Systems

· Windows 10 Version 1903 for ARM64-based Systems

· Windows 10 Version 1903 for x64-based Systems

· Windows 10 Version 1909 for 32-bit Systems

· Windows 10 Version 1909 for ARM64-based Systems

· Windows 10 Version 1909 for x64-based Systems

· Windows 7 for 32-bit Systems Service Pack 1

· Windows 7 for x64-based Systems Service Pack 1

· Windows 8.1 for 32-bit systems

· Windows 8.1 for x64-based systems

· Windows RT 8.1

· Windows Server 2008 for 32-bit Systems Service Pack 2

· Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

· Windows Server 2008 for Itanium-Based Systems Service Pack 2

· Windows Server 2008 for x64-based Systems Service Pack 2

· Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

· Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

· Windows Server 2008 R2 for x64-based Systems Service Pack 1

· Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

· Windows Server 2012

· Windows Server 2012 (Server Core installation)

· Windows Server 2012 R2

· Windows Server 2012 R2 (Server Core installation)

· Windows Server 2016

· Windows Server 2016 (Server Core installation)

· Windows Server 2019

· Windows Server 2019 (Server Core installation)

· Windows Server, version 1803 (Server Core Installation)

· Windows Server, version 1903 (Server Core installation)

· Windows Server, version 1909 (Server Core installation)

漏洞分析

漏洞模块为atmfd.sys(Windows 10 1703后是fontdrvhost.exe),成因在于Windows解析PostScript字体中的BlendDesignPositions或BlendVToHOrigin时,没有经过安全检查,导致处理模块可能引发越界写,栈溢出的问题。

SetBlendDesignPositions:

BlendDesignPositions格式如下:

image.png

Win7 x86环境下,atmfd!SetBlendDesignPositions在解析BlendDesignPositions array时,会将内容全部保存到栈上,缓冲区的大小是960(0x3C0),因此最多存放16个sub-array,当sub-array数量大于16时,会引发溢出:

image.png

ParseBlendVToHOrigin:

atmfd!ParseBlendVToHOrigin在处理数组BlendVToHOrigin时存在两处溢出。

Win7x86下由于定义的int v12[2]仅有8个字节,当NumMasters大于2时,引发缓冲区溢出:

image.png

NumMasters大小可以在字体文件中通过构造特殊的BlendDesignPositions或WeightVector控制:

image.png

第二处溢出发生在atmfd.sys读取BlendVToHOrigin时,首先获取当前NumMasters并根据其大小将BlendVToHOrigin的数据复制到栈中的V11,由于NumMasters可控,当NumMasters过大时会对栈中的v11造成溢出,V11同样也是8字节:

image.png

第二次溢出时,由于V12在V11的高地址方向,所以当V11溢出时会覆写V12中保存的指针。

补丁分析

由于win7已停止更新,win10 1703后微软把atmfd.sys模块的功能移植到fontdrvhost.exe中,补丁前后漏洞模块共做了2处修改,2个函数均存在栈溢出漏洞:

image.png

补丁后SetBlendDesignPositions中增加了条件判断,sub-array数量超过16时返回错误,避免溢出:

image.png

补丁后ParseBlendVToHOrigin中启用了GS保护栈的完整性,并在读取BlendVToHOrigin数组前,限制了NumMasters大小;

image.png

时间线:

1. 3月23日,微软发布通告ADV200006称Adobe Type Manager Library中存在2个未修补的漏洞

2. 3月24日,腾讯安全发布漏洞通告

3. 4月15日,微软官方发布CVE-2020-1020/CVE-2020-0938漏洞通告及补丁

参考链接:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938

如若转载,请注明原文地址


文章来源: https://www.4hou.com/posts/M5O3
如有侵权请联系:admin#unsafe.sh