Approved

Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

  REVIEWED by Sophos 

Windows has a zero-day that won’t be patched for weeks

Well, another day, another zero-day vulnerability. Today I am looking at how best to create a vulnerability check from the information in a CVE and a Microsoft notification. In this case we are looking at a Windows zero-day that Sophos Naked Security wrote about in late March: https://nakedsecurity.sophos.com/2020/03/25/windows-has-a-zero-day-that-wont-be-patched-for-weeks/

The article links to a Microsoft Security Advisory page that identifies the Type 1 Font Parsing Remote Code Execution vulnerability, lists the vulnerable operating systems, and describes a mitigation that can be applied with a registry change.

The objective is to provide a query that can be run on all Windows systems and reports whether the OS is vulnerable and whether the mitigation is enabled. Ideally the solution also serves as a template for similar scenarios, so the query can quickly be re-purposed for other threats.

We want to do this with a single SELECT statement, and it needs to check two very different things: the OS version/build information and the presence or absence of a registry value.

SQL provides many ways of doing that. Below is the one I settled on.

We want the query to return a row even when the device is not vulnerable, so we need a conditional expression; a CASE expression works nicely for that.

/* probably not the most efficient way to do this */
SELECT
   /* Check if the OS is listed as vulnerable or not.
      Windows 10 / Server 2016 / Server 2019 are told apart by build number,
      older releases by major.minor version. */
   CASE (SELECT '1' FROM os_version WHERE
         (major = '10' AND build = '14393') OR  /* Windows 10 1607 / Server 2016 1607 */
         (major = '10' AND build = '16299') OR  /* Windows 10 1709 / Server 2016 1709 */
         (major = '10' AND build = '17134') OR  /* Windows 10 1803 */
         (major = '10' AND build = '17763') OR  /* Windows 10 1809 / Server 2019 */
         (major = '10' AND build = '18362') OR  /* Windows 10 1903 */
         (major = '10' AND build = '18363') OR  /* Windows 10 1909 */
         (major = '6' AND minor = '0') OR  /* Windows Server 2008 */
         (major = '6' AND minor = '1') OR  /* Windows 7 / Server 2008 R2 */
         (major = '6' AND minor = '2') OR  /* Windows Server 2012 */
         (major = '6' AND minor = '3')     /* Windows 8.1 / Server 2012 R2 */
      )
      WHEN '1' THEN 'TRUE'
      ELSE 'FALSE'
   END AS "Vulnerable OS",

   /* Check if the mitigation is set or NOT: the DisableATMFD value must exist
      and be exactly 1. An exact name match avoids matching similarly named values. */
   CASE (SELECT '1' FROM registry WHERE
         key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' AND
         name = 'DisableATMFD' AND
         data = '1'
      )
      WHEN '1' THEN 'ENABLED'
      ELSE 'Not SET'
   END AS "Mitigation - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD = 1"
;
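To see how the CASE-with-subquery pattern behaves before pushing it to a fleet, here is an added example (not part of the original post, and not Sophos Live Discover or osquery code) that replays the query against a throwaway SQLite database whose os_version and registry tables mimic the shape of the osquery tables Live Discover exposes. The table definitions, the endpoint scenarios and the registry rows are constructed for the example; fake_endpoint, check_endpoint and VULNERABILITY_QUERY are names that exist only here.

```python
import sqlite3

# Registry location of the ADV200006 mitigation, as given in the post.
MITIGATION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
MITIGATION_NAME = "DisableATMFD"

# The post's query (OS list deduplicated). Raw string so the backslashes in the
# registry path stay literal; SQLite string literals do not use backslash escapes.
VULNERABILITY_QUERY = r"""
SELECT
   CASE (SELECT '1' FROM os_version WHERE
         (major = '10' AND build = '14393') OR
         (major = '10' AND build = '16299') OR
         (major = '10' AND build = '17134') OR
         (major = '10' AND build = '17763') OR
         (major = '10' AND build = '18362') OR
         (major = '10' AND build = '18363') OR
         (major = '6' AND minor = '0') OR
         (major = '6' AND minor = '1') OR
         (major = '6' AND minor = '2') OR
         (major = '6' AND minor = '3')
      )
      WHEN '1' THEN 'TRUE'
      ELSE 'FALSE'
   END AS "Vulnerable OS",
   CASE (SELECT '1' FROM registry WHERE
         key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' AND
         name = 'DisableATMFD' AND
         data = '1'
      )
      WHEN '1' THEN 'ENABLED'
      ELSE 'Not SET'
   END AS "Mitigation"
"""


def fake_endpoint(major, minor, build, mitigation_data=None):
    """Build an in-memory stand-in for one endpoint (constructed test data).

    Column types are an assumption modelled on osquery: major/minor are integers,
    build is text holding only the build number (e.g. '18362', without the
    '.778' revision that winver shows), and registry data is text ('1' for a
    DWORD of 1). When mitigation_data is None no DisableATMFD value exists.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE os_version (major INTEGER, minor INTEGER, build TEXT)")
    conn.execute("CREATE TABLE registry (key TEXT, name TEXT, data TEXT)")
    conn.execute("INSERT INTO os_version VALUES (?, ?, ?)", (major, minor, build))
    if mitigation_data is not None:
        conn.execute("INSERT INTO registry VALUES (?, ?, ?)",
                     (MITIGATION_KEY, MITIGATION_NAME, mitigation_data))
    return conn


def run_check(conn):
    """Run the query and return the two result columns as a tuple."""
    return tuple(conn.execute(VULNERABILITY_QUERY).fetchone())


def check_endpoint(major, minor, build, mitigation_data=None):
    """Convenience wrapper: ('TRUE'|'FALSE', 'ENABLED'|'Not SET') for one scenario."""
    return run_check(fake_endpoint(major, minor, build, mitigation_data))


# Constructed scenarios: (major, minor, build, DisableATMFD data or None).
SCENARIOS = {
    "Windows 10 1903, no mitigation value": (10, 0, "18362", None),
    "Windows 10 1903, DisableATMFD = 1": (10, 0, "18362", "1"),
    "Windows 10 1903, DisableATMFD = 0": (10, 0, "18362", "0"),
    "Windows Server 2008 (6.0)": (6, 0, "6003", None),
    "Windows 7 SP1 (6.1)": (6, 1, "7601", None),
    "Windows 10 build 19041 (not in the list)": (10, 0, "19041", None),
}

if __name__ == "__main__":
    for label, args in SCENARIOS.items():
        print(f"{label:42} -> {check_endpoint(*args)}")
```

Because the subquery returns NULL when no row matches, the CASE falls through to the ELSE branch and the query still returns a row for every endpoint, which is the behaviour the post wants. The scenarios also show why Philippe's "Build 18362.778" still matches: os_version.build carries only "18362", as his SELECT major, build FROM os_version; output confirmed, and a DisableATMFD value of 0 is reported as "Not SET" rather than "ENABLED".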

  • I have updated the QUERY at the top to prevent folks thinking they are safe when they are not. As Philippe pointed out, it looks like I did not write the correct kind of query to take into account the version info. I found this info online, and will fix the query. Thanks so much. www.gaijin.at/.../windows-version-numbers

    Name / Description | Version | Build Number | Public Release | RTM Release
    Windows 95 | 4.00 | 950 | 1995-08-24 |
    Windows 95 OEM Service Release 1 | 4.00 | 950 A | 1996-02-14 |
    Windows 95 OEM Service Release 2 | 4.00 | 950 B | 1996-08-24 |
    Windows 95 OEM Service Release 2.1 | 4.00 | 950 B | 1997-08-27 |
    Windows 95 OEM Service Release 2.5 | 4.00 | 950 C | 1997-11-26 |
    Windows 98 | 4.10 | 1998 | 1998-05-15 |
    Windows 98 Second Edition (SE) | 4.10 | 2222 | 1999-05-05 |
    Windows Me | 4.90 | 3000 | 2000-09-14 | 2000-06-19
    Windows NT 3.1 | 3.10 | 511 | 1993-07-27 |
    Windows NT 3.1, Service Pack 3 | 3.10 | 528 | 1994-11 |
    Windows NT 3.5 | 3.50 | 807 | 1994-09-21 |
    Windows NT 3.51 | 3.51 | 1057 | 1995-05-30 |
    Windows NT 4.0 | 4.0 | 1381 | 1996-08-24 | 1996-07-31
    Windows 2000 | 5.0 | 2195 | 2000-02-17 | 1999-12-15
    Windows XP | 5.1 | 2600 | 2001-10-25 | 2001-08-24
    Windows XP, Service Pack 1 | 5.1 | 2600.1105-1106 | 2002-09-09 |
    Windows XP, Service Pack 2 | 5.1 | 2600.2180 | 2004-08-25 |
    Windows XP, Service Pack 3 | 5.1 | 2600 | 2008-04-21 |
    Windows Server 2003 | 5.2 | 3790 | 2003-04-24 |
    Windows Server 2003, Service Pack 1 | 5.2 | 3790.1180 | 2005-03-30 |
    Windows Server 2003, Service Pack 2 | 5.2 | 3790 | 2007-03-13 |
    Windows Server 2003 R2 | 5.2 | 3790 | 2005-12-06 | 2005-12-06
    Windows Home Server | 5.2 | 4500 | 2007-11-04 | 2007-07-16
    Windows Vista | 6.0 | 6000 | 2007-01-30 | 2006-11-08
    Windows Vista, Service Pack 1 | 6.0 | 6001 | 2008-02-04 |
    Windows Vista, Service Pack 2 | 6.0 | 6002 | 2009-05-26 | 2009-04-28
    Windows Server 2008 | 6.0 | 6001 | 2008-02-27 | 2008-02-04
    Windows Server 2008, Service Pack 2 | 6.0 | 6002 | 2009-05-26 |
    Windows Server 2008, Service Pack 2, Rollup KB4489887 | 6.0 | 6003 | 2019-03-19 |
    Windows 7 | 6.1 | 7600 | 2009-10-22 | 2009-07-22
    Windows 7, Service Pack 1 | 6.1 | 7601 | 2011-02-22 |
    Windows Server 2008 R2 | 6.1 | 7600 | 2009-10-22 | 2009-07-22
    Windows Server 2008 R2, Service Pack 1 | 6.1 | 7601 | 2011-02-22 | 2011-02-09
    Windows Home Server 2011 | 6.1 | 8400 | 2011-04-06 | 2011-04-06
    Windows Server 2012 | 6.2 | 9200 | 2012-09-04 | 2012-08-01
    Windows 8 | 6.2 | 9200 | 2012-10-26 | 2012-08-01
    Windows 8.1 | 6.3 | 9600 | 2013-08-27 | 2013-10-17
    Windows Server 2012 R2 | 6.3 | 9600 | 2013-10-18 | 2013-08-27
    Windows 10, Version 1507 | 10.0 | 10240 | 2015-07-29 | 2015-07-15
    Windows 10, Version 1511 | 10.0 | 10586 | 2015-11-10 |
    Windows 10, Version 1607 | 10.0 | 14393 | 2016-08-02 |
    Windows 10, Version 1703 | 10.0 | 15063 | 2017-04-05 |
    Windows 10, Version 1709 | 10.0 | 16299 | 2017-10-17 |
    Windows 10, Version 1803 | 10.0 | 17134 | 2018-04-30 |
    Windows 10, Version 1809 | 10.0 | 17763 | 2018-10-02 |
    Windows 10, Version 1903 | 10.0 | 18362 | 2019-05-21 |
    Windows 10, Version 1909 | 10.0 | 18363 | 2019-11-12 |
    Windows Server 2016, Version 1607 | 10.0 | 14393 | 2016-08-02 |
    Windows Server 2016, Version 1709 | 10.0 | 16299 | 2017-10-17 |
    Windows Server 2019, Version 1809 | 10.0 | 17763 | 2018-10-02 |
  • Hi Karl, great use case for Live Discover! I ran the query and got back that I am not vulnerable, but I run Windows 10 1903. When I run "SELECT major, build FROM os_version;" I get 10 as major and 18362 as build, so the query returns not vulnerable. When I run "winver" locally on my computer, my system reports "Version 1903 (Build 18362.778)". Any ideas as to why my build numbers are different from your query? Thanks, Philippe