Pierluigi Paganini August 13, 2019

Tavis Ormandy, white hat hacker at Google’s Project Zero Team, disclosed technical details of a 20-year-old Windows vulnerability that is still unpatched.

The popular cyber security expert Tavis Ormandy, white hat hacker at Google’s Project Zero Team disclosed technical details of 20-year-old vulnerability that is still unpatched.

The vulnerability, rated as high-severity, affects all versions of Microsoft Windows from Windows XP. Ormandy disclosed technical details for several critical design issues in the msCTF module of the Windows kernel.

Ormandy explained that the msctf subsystem is part of the Text Services Framework (TSF), that manages input methods, keyboard layouts, text processing and other issues. The TSF is composed of the ctfmon server and the MSCTF client.

The flaw resides in the way MSCTF clients and server communicate with each other. The vulnerability could allow a low privileged or a sandboxed application to read and write data to a higher privileged application.

According to Ormandy the lack of access control or any kind of authentication could allow any application, any user and even sandboxed processes to:

• connect to CTF session,
• allow CTF client to read and write the text of any window, from any other session
• pretend to be a CTF service and getting other applications – even privileged applications – to connect to you
• lie about thread id, process id, and HWND,
• escape from sandboxes and escalate privileges.

“Now that I can compromise any CTF client, how do I find something useful to compromise?” reads a blog post published by the expert. “There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session,”

Ormandy explained that the flaw in CTF protocol could allow attackers to bypass User Interface Privilege Isolation (UIPI), allowing an unprivileged process to:

• read sensitive text from any window of other applications, including passwords out of dialog boxes,
• gain SYSTEM privileges,
• take control of the UAC consent dialog,
• send commands to the administrator’s console session, or
• escape IL/AppContainer sandboxes by sending input to unsandboxed windows.

The expert published video proof-of-concept that shows how to trigger the flaw in Windows 10 to gain SYSTEM privileges.

Ormandy pointed out that the CTF protocol also contains several memory corruption vulnerabilities that can be exploited in a default configuration.

“Even without bugs, the CTF protocol allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol,” the researcher concluded.

Ormandy released a tool dubbed CTF Exploration Tool he has developed to discover security issues in the Windows CTF protocol.

Ormandy responsibly reported the flaws to Microsoft in mid-May, but the tech giant failed to address them within 90 days, so the experts decided to publicly release technical details of the issue.

Pierluigi Paganini

(SecurityAffairs – Windows, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]