
Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

  REVIEWED by Sophos 

Windows has a zero-day that won’t be patched for weeks

Well, another day, another zero-day vulnerability. Today I am looking at how best to build a vulnerability check from the information in a CVE and a Microsoft advisory. The case in point is a Windows zero-day that Sophos Naked Security wrote about in late March 2020: https://nakedsecurity.sophos.com/2020/03/25/windows-has-a-zero-day-that-wont-be-patched-for-weeks/

The article links to the Microsoft Security Advisory (ADV200006), which describes the Type 1 Font Parsing Remote Code Execution vulnerability, lists the affected operating systems and gives a mitigation that can be applied with a registry change (the DisableATMFD value, which turns off the Adobe Type Manager Font Driver). Note that the advisory gives that registry workaround as the procedure for Windows 8.1 and earlier; ATMFD.DLL is not present from Windows 10, version 1709 onward, so on those builds the value being absent is expected rather than a gap.

The objective is a query that can be run on every Windows device and reports whether the OS is on the affected list and whether the mitigation is enabled or not. Ideally the result is a template that can be quickly re-purposed for other, similar advisories.

We want to do this in a single SELECT statement, and it has to check two quite different things: the OS version/build information (the os_version table) and the presence or absence of a registry value (the registry table).

SQL offers several ways of doing that. Below is the one I settled on.

We want a row back even when the device is not vulnerable, so the checks cannot simply be filters in a WHERE clause; they need to be conditional expressions in the SELECT list. A CASE over a scalar subquery works nicely: when the subquery finds a matching row it yields '1', and when it finds none it yields NULL, which falls through to the ELSE branch.

/* probably not the most efficient way to do this */
SELECT
   /* Check if the OS is one of the builds listed in ADV200006.
      On Windows, osquery's os_version reports major/minor as numbers and build as text;
      the string literals compare correctly because SQLite applies the column's numeric affinity. */
   CASE (SELECT '1' FROM os_version WHERE
         (major = '10' AND build = '14393') OR  /* Windows 10 version 1607 / Server 2016 */
         (major = '10' AND build = '16299') OR  /* Windows 10 version 1709 / Server, version 1709 */
         (major = '10' AND build = '17134') OR  /* Windows 10 version 1803 */
         (major = '10' AND build = '17763') OR  /* Windows 10 version 1809 / Server 2019 */
         (major = '10' AND build = '18362') OR  /* Windows 10 version 1903 */
         (major = '10' AND build = '18363') OR  /* Windows 10 version 1909 */
         (major = '6'  AND minor = '0') OR      /* Windows Server 2008 */
         (major = '6'  AND minor = '1') OR      /* Windows 7 / Server 2008 R2 */
         (major = '6'  AND minor = '2') OR      /* Windows Server 2012 */
         (major = '6'  AND minor = '3')         /* Windows 8.1 / Server 2012 R2 */
      )
      WHEN '1' THEN 'TRUE'
      ELSE 'FALSE'
   END AS 'Vulnerable OS',

   /* Check if the DisableATMFD mitigation from the advisory is set.
      The advisory gives this registry workaround for Windows 8.1 and earlier; ATMFD.DLL is
      not present from Windows 10 version 1709 onward, so 'Not SET' on those builds is expected. */
   CASE (SELECT '1' FROM registry WHERE
         key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' AND
         name = 'DisableATMFD' AND
         data = '1'
      )
      WHEN '1' THEN 'ENABLED'
      ELSE 'Not SET'
   END AS 'Mitigation - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD = 1'
;
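The following is an added example, not code from the original post, that turns the same check into the reusable template the post aims for. The affected builds live in one list (a CTE built with VALUES) that is LEFT JOINed against os_version, so re-purposing the query for another advisory means editing that list and the registry value, nothing else. It also reports the evidence next to each verdict (the build the table actually returned and the raw DisableATMFD data), so an unexpected FALSE can be checked against winver instead of guessed at. It assumes the standard osquery os_version and registry tables as exposed by Live Discover, and, going slightly beyond the query above, also matches Windows Server 2008 (6.0), which the advisory lists.

```sql
/* Added example, not from the original post.
   Assumes osquery's os_version (major/minor numeric, build text on Windows)
   and registry tables as exposed by Live Discover. */
WITH affected(major, minor, build, label) AS (
   VALUES
      (10, 0, '14393', 'Windows 10 1607 / Server 2016'),
      (10, 0, '16299', 'Windows 10 1709 / Server, version 1709'),
      (10, 0, '17134', 'Windows 10 1803'),
      (10, 0, '17763', 'Windows 10 1809 / Server 2019'),
      (10, 0, '18362', 'Windows 10 1903'),
      (10, 0, '18363', 'Windows 10 1909'),
      (6,  0, NULL,    'Windows Server 2008'),
      (6,  1, NULL,    'Windows 7 / Server 2008 R2'),
      (6,  2, NULL,    'Windows Server 2012'),
      (6,  3, NULL,    'Windows 8.1 / Server 2012 R2')
),
/* The DisableATMFD value from the advisory's registry workaround, if it exists at all */
atmfd AS (
   SELECT data
   FROM registry
   WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
     AND name = 'DisableATMFD'
)
SELECT
   os.name                                                 AS os_name,
   os.major || '.' || os.minor || '.' || os.build          AS os_build,
   /* NULL label means no row in the affected list matched this device */
   CASE WHEN a.label IS NULL THEN 'FALSE' ELSE 'TRUE' END  AS vulnerable_os,
   COALESCE(a.label, 'not on the ADV200006 list')          AS matched_entry,
   /* Raw registry data, so 'absent' and '0' are distinguishable from '1' */
   COALESCE((SELECT data FROM atmfd), 'absent')            AS disable_atmfd_value,
   CASE WHEN (SELECT data FROM atmfd) = '1' THEN 'ENABLED' ELSE 'Not SET' END AS mitigation
FROM os_version AS os
LEFT JOIN affected AS a
   ON  a.major = os.major
   AND a.minor = os.minor
   /* Windows 10 is matched per build; older versions are matched on major.minor alone */
   AND (a.build IS NULL OR a.build = os.build);
```

The LEFT JOIN guarantees exactly one row per device whether or not it matches, which is the same property the CASE-over-subquery form gives, but the verdict and the data it was derived from now sit side by side in the output.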

  • Hi Karl, Great use case for Live Discovery! I ran the query and got back that I am not vulnerable, but I run Windows 10 1903. When I run "SELECT major, build FROM os_version;" I get 10 as major and 18362 as build, so the query returns not vulnerable. When I run "winver" locally on my computer, my system runs "Version 1903 (Build 18362.778)". Any ideas as to why my build numbers are different from your query? Thanks, Philippe