Recently MS has released an advisory for the Windows Type 1 Font Parsing Remote Code Execution Vulnerability, and I am trying to mitigate the issue for hundreds of servers using a BigFix action, and seem to be out of options after trying multiple ways. Need help!!!
I have set the registry using regset and hive names,
however, after taking ownership and renaming the file, I am lost.
I am using the method below in the action:
waithidden cmd.exe x64 /C icacls.exe cd c:\Windows\System32 takeown.exe /f atmfd.dll
dos icacls.exe atmfd.dll /save atmfd.dll.acl
dos icacls.exe atmfd.dll /grant Administrators:(F) rename atmfd.dll x-atmfd.dll
We are facing the same issue: when we run the action it executes successfully in the SysWOW64 directory but fails to run in the Windows\System32 directory… we need to perform this on hundreds of servers… please help.
I can't make much sense of what you're doing - the syntax for those commands is so far off that I'd start over.
I haven't checked that particular bulletin, but I can give you a starting point. To run 64-bit commands and affect the system32 folder instead of the syswow64 folder, you'll need action uses wow64 redirection false.
You also can't use things like "waithidden cd" because each waithidden spawns a new shell, with its own default working directory. You also have icacls and takeown in the wrong order, I think.
But I don't know that it's Administrators you need to grant access to, since BESClient is running as LocalSystem. Check the syntax on icacls; you may need the account to be "NT AUTHORITY\SYSTEM" instead.
We tried your steps; all went fine, but the last command line, Move “c:\windows\system32\atmfd.dll” “c:\windows\system32\x-atmfd.dll”, didn't work as expected.
It failed to rename the file as x-atmfd.dll.
Any help is appreciated.
How can we run with the account "NT AUTHORITY\SYSTEM"?
With BESClient, you're already running as SYSTEM, so you may need to change the icacls command to grant permissions to the SYSTEM account rather than Administrators.
Thanks for the clue. Actually, the same commands as-is are working fine for the syswow64 directory and failing for windows\system32.
Why could that be? Any idea?
Thanks, I used the action below and it's working fine, THANKS A LOT, but just one new issue occurred: the file is getting renamed as x-atmfd.dll" (it's adding the quote to the renamed file! By this it's also changing the file type to dll" instead of the file type Application extension.)
It looks like there is a mix of "smart quotes" and normal quotes. That might just be the forum software or your browser converting them when you post to the forum, but check your action to be sure the quotes are correct. It also looks like there is a space after the quote and before C:\ in your target filenames.
You'll need to specify the fully-qualified path of the file to save, else it'll end up in the BESData directory (and get removed with the next site update).
Hi Jason
Thanks again. After we used the fully-qualified path as /save "c:\windows\system32\atmfd.dll.acl
this file appears correctly, but now the next command line didn't work, that is the Move “c:\windows\system32\atmfd.dll” "c:\windows\system32\x-atmfd.dll didn't work at all in both directories, system32 and SysWOW64.
If you are running the action repeatedly, you'll need to delete the target file first. The 'move' command in ActionScript will not overwrite an existing file, so add a delete command first.
Each time we are trying it on a new server where everything is at default. The strange thing is that, if you notice, if we fix one line the other is not working as expected.
Everything is working fine except that we added the line, as per the solution requirement, /save atmfd.dll.acl.
If we remove this line, the action as-is is working fine.
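Pulling the fixes from Jason's replies into one action (an added example, not any poster's own action): action uses wow64 redirection false so the native System32 tools and files are used, a fully-qualified /save path, Full control granted to the SYSTEM account the client runs as, and a delete before the move. The parameter names and the use of the well-known SID S-1-5-18 in place of the "NT AUTHORITY\SYSTEM" name are my own choices, and the file is assumed to be at its default location.

```bigfix
// Added example: rename atmfd.dll in both the native System32 and the
// SysWOW64 folders from a BESClient running as LocalSystem.

// Without this, a 32-bit BESClient launching tools under System32 is
// silently redirected to SysWOW64, so only the WOW64 copy gets renamed.
action uses wow64 redirection false

parameter "sys32"="{pathname of windows folder}\System32"
parameter "wow64"="{pathname of windows folder}\SysWOW64"

// Native 64-bit copy
if {exists file "{parameter "sys32"}\atmfd.dll"}
// Take ownership as the running account (SYSTEM) before touching the ACL.
waithidden "{parameter "sys32"}\takeown.exe" /f "{parameter "sys32"}\atmfd.dll"
// Back up the ACL to a fully-qualified path so it does not land in BESData.
waithidden "{parameter "sys32"}\icacls.exe" "{parameter "sys32"}\atmfd.dll" /save "{parameter "sys32"}\atmfd.dll.acl"
// Grant Full control to LocalSystem (SID S-1-5-18, so no localized account
// name is needed); this is the account that performs the rename.
waithidden "{parameter "sys32"}\icacls.exe" "{parameter "sys32"}\atmfd.dll" /grant "*S-1-5-18:(F)"
// move will not overwrite, so clear a leftover target from an earlier run.
delete "{parameter "sys32"}\x-atmfd.dll"
move "{parameter "sys32"}\atmfd.dll" "{parameter "sys32"}\x-atmfd.dll"
endif

// 32-bit copy on 64-bit Windows, same steps against SysWOW64
if {exists file "{parameter "wow64"}\atmfd.dll"}
waithidden "{parameter "sys32"}\takeown.exe" /f "{parameter "wow64"}\atmfd.dll"
waithidden "{parameter "sys32"}\icacls.exe" "{parameter "wow64"}\atmfd.dll" /save "{parameter "wow64"}\atmfd.dll.acl"
waithidden "{parameter "sys32"}\icacls.exe" "{parameter "wow64"}\atmfd.dll" /grant "*S-1-5-18:(F)"
delete "{parameter "wow64"}\x-atmfd.dll"
move "{parameter "wow64"}\atmfd.dll" "{parameter "wow64"}\x-atmfd.dll"
endif

// The renamed font driver is still loaded until the system restarts.
action requires restart
```

Type the quotes in the console rather than pasting from a browser or document, since a single smart quote in a path produces exactly the x-atmfd.dll" filename reported above.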