微软发布Type 1字体解析远程代码执行漏洞补丁，建议用户尽快修补

漏洞背景

3月23日，微软发布公告ADV200006称Adobe Type Manager Library中存在2个未修补的漏洞，当Windows Adobe Type Manager Library处理Adobe Type 1 PostScript 格式字体时存在两个远程执行代码漏洞。攻击者利用漏洞可在多个场景实施攻击，比如说服受害者在Windows的预览中访问一个特殊构造的文档。

4月15日，微软正式发布CVE-2020-1020/CVE-2020-0938漏洞补丁。

腾讯安全团队已对漏洞进行分析，该漏洞可稳定利用:

漏洞版本

· Windows 10 for 32-bit Systems

· Windows 10 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems

· Windows 10 Version 1607 for x64-based Systems

· Windows 10 Version 1709 for 32-bit Systems

· Windows 10 Version 1709 for ARM64-based Systems

· Windows 10 Version 1709 for x64-based Systems

· Windows 10 Version 1803 for 32-bit Systems

· Windows 10 Version 1803 for ARM64-based Systems

· Windows 10 Version 1803 for x64-based Systems

· Windows 10 Version 1809 for 32-bit Systems

· Windows 10 Version 1809 for ARM64-based Systems

· Windows 10 Version 1809 for x64-based Systems

· Windows 10 Version 1903 for 32-bit Systems

· Windows 10 Version 1903 for ARM64-based Systems

· Windows 10 Version 1903 for x64-based Systems

· Windows 10 Version 1909 for 32-bit Systems

· Windows 10 Version 1909 for ARM64-based Systems

· Windows 10 Version 1909 for x64-based Systems

· Windows 7 for 32-bit Systems Service Pack 1

· Windows 7 for x64-based Systems Service Pack 1

· Windows 8.1 for 32-bit systems

· Windows 8.1 for x64-based systems

· Windows RT 8.1

· Windows Server 2008 for 32-bit Systems Service Pack 2

· Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

· Windows Server 2008 for Itanium-Based Systems Service Pack 2

· Windows Server 2008 for x64-based Systems Service Pack 2

· Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

· Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

· Windows Server 2008 R2 for x64-based Systems Service Pack 1

· Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

· Windows Server 2012

· Windows Server 2012 (Server Core installation)

· Windows Server 2012 R2

· Windows Server 2012 R2 (Server Core installation)

· Windows Server 2016

· Windows Server 2016 (Server Core installation)

· Windows Server 2019

· Windows Server 2019 (Server Core installation)

· Windows Server, version 1803 (Server Core Installation)

· Windows Server, version 1903 (Server Core installation)

· Windows Server, version 1909 (Server Core installation)

漏洞分析

漏洞模块为atmfd.sys(Windows 10 1703后是fontdrvhost.exe)，成因在于Windows解析PostScript字体中的BlendDesignPositions或BlendVToHOrigin时，没有经过安全检查，导致处理模块可能引发越界写，栈溢出的问题。

SetBlendDesignPositions:

BlendDesignPositions格式如下：

Win7 x86环境下，atmfd!SetBlendDesignPositions在解析BlendDesignPositions array时，会将内容全部保存到栈上，缓冲区的大小是960(0x3C0)，因此最多存放16个sub-array,当sub-array数量大于16时，会引发溢出:

ParseBlendVToHOrigin:

atmfd!ParseBlendVToHOrigin在处理数组BlendVToHOrigin时存在两处溢出。

Win7x86下由于定义的int v12[2]仅有8个字节，当NumMasters大于2时，引发缓冲区溢出:

NumMasters大小可以在字体文件中通过构造特殊的BlendDesignPositions或WeightVector控制:

第二处溢出发生在atmfd.sys读取BlendVToHOrigin时，首先获取当前NumMasters并根据其大小将BlendVToHOrigin的数据复制到栈中的V11，由于NumMasters可控，当NumMasters过大时会对栈中的v11造成溢出，V11同样也是8字节:

第二次溢出时，由于V12在V11的高地址方向，所以当V11溢出时会覆写V12中保存的指针。

补丁分析

由于win7已停止更新，win10 1703后微软把atmfd.sys模块的功能移植到fontdrvhost.exe中，补丁前后漏洞模块共做了2处修改，2个函数均存在栈溢出漏洞:

补丁后SetBlendDesignPositions中增加了条件判断，sub-array数量超过16时返回错误，避免溢出：

补丁后ParseBlendVToHOrigin中启用了GS保护栈的完整性，并在读取BlendVToHOrigin数组前，限制了NumMasters大小；

时间线：

1. 3月23日，微软发布通告ADV200006称Adobe Type Manager Library中存在2个未修补的漏洞

2. 3月24日，腾讯安全发布漏洞通告

3. 4月15日，微软官方发布CVE-2020-1020/CVE-2020-0938漏洞通告及补丁

参考链接：

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938