Google Project Zero researcher Tavis Ormandy has discovered a dangerous issue in MSCTF. The bug has existed for almost 20 years and affects every version of Windows from XP through the latest builds of Windows 10. Attackers or malware already present on the user's computer can use CTF to seize control of any application (including ones running with high privileges) or of the OS as a whole.

In fact, CTF is part of the Windows Text Services Framework (TSF), the subsystem that manages text input for Windows applications and the OS itself (keyboard layouts, input methods and the text being edited). When a user launches an application, Windows also starts a CTF client for that application. The client receives instructions from the CTF server about the system language and keyboard input methods. If the input method changes from one language to another, the server notifies all CTF clients, which then change the language in each Windows application in real time.
Ormandy found that communication between the client and the server is not properly secured. The researcher writes that CTF has no access control at all: any application or user can connect to any active CTF session, and this applies even to sandboxed processes. Since no authentication is required, a client can simply lie about its HWND, process identifier and so on.
“Thus, you can connect to any active session of another user and capture any application. Or you can wait until the administrator enters the system and compromise his session,” writes Ormandy.
Criminals can use this loophole to steal data from other applications or to issue commands on their behalf. Worse, if the application runs with high privileges, an attacker can take complete control of the victim's computer.
The Google researcher explains that in this way literally any Windows application or process can be attacked. The reason is the role CTF plays: it handles the text inside every application and service, so a CTF session exists for essentially everything, including every element of the Windows user interface.
As a result, attackers can bypass User Interface Privilege Isolation (UIPI), which allows them to:
- read sensitive text from any window of another application, including passwords from dialog boxes;
- obtain SYSTEM privileges;
- take control of the UAC dialog;
- send commands to the administrator's console session;
- escape from Low-IL and AppContainer sandboxes.
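To make the design flaw concrete (an IPC server that routes on whatever identity the client writes into its message, and therefore lets a sandboxed process read an elevated window's text and inject input into it), here is an illustrative model added for this article. It is not the real CTF/TSF protocol, Microsoft's code or Ormandy's tooling: the message fields, session table, integrity ranking and the authorization policy of the hardened version are all assumptions made for the example. The vulnerable broker reproduces the behaviour described above; the hardened one shows the check a broker must make, using identity attested by the transport rather than by the message.

```python
"""Illustrative model of an input-services broker, added for this article.

Not the real CTF/TSF protocol, Microsoft's code, or Ormandy's ctftool: the
message format, session table, integrity ranking and authorization rule are
assumptions made to show the flaw (a server that trusts the pid/hwnd the
client claims) beside one way to fix it (authorizing on transport-attested
identity).
"""
from dataclasses import dataclass, field

# Ordered integrity levels. The numbers are this example's own ranking, not
# the real Windows integrity SIDs.
LOW, MEDIUM, HIGH, SYSTEM = 1, 2, 3, 4


@dataclass
class Session:
    """One CTF-style client session: an app window with an edit control."""
    pid: int
    hwnd: int
    user: str
    integrity: int
    text: str                                     # text currently in the control
    commands: list = field(default_factory=list)  # input injected into the app


@dataclass(frozen=True)
class PeerIdentity:
    """Identity of the connected client as reported by the transport/kernel.
    The client cannot write these fields; they are the only trustworthy ones."""
    pid: int
    user: str
    integrity: int


class VulnerableBroker:
    """Routes messages by the pid/hwnd the *client* puts in the message."""

    def __init__(self, sessions):
        self.sessions = {s.pid: s for s in sessions}

    def handle(self, msg, peer):
        # `peer` is ignored entirely: this is the missing access control.
        target = self.sessions.get(msg["pid"])
        if target is None or target.hwnd != msg["hwnd"]:
            return "no such session"
        if msg["op"] == "read":
            return target.text
        if msg["op"] == "send":
            target.commands.append(msg["data"])
            return "ok"
        return "bad op"


class HardenedBroker(VulnerableBroker):
    """Same message format, but authorization comes from `peer`, not `msg`."""

    def handle(self, msg, peer):
        target = self.sessions.get(msg["pid"])
        if target is None:
            return "no such session"
        # Assumed policy (not Microsoft's): a caller may only touch sessions of
        # its own user, and never one more trusted than itself. The second
        # check is the UIPI rule a broker must not let callers sidestep.
        if peer.user != target.user or peer.integrity < target.integrity:
            return "denied"
        return super().handle(msg, peer)


def build_sessions():
    """Constructed sample sessions: a sandboxed renderer, the user's editor
    and an elevated admin dialog, all on one desktop."""
    return [
        Session(pid=1001, hwnd=0x10, user="alice", integrity=LOW, text=""),
        Session(pid=2002, hwnd=0x20, user="alice", integrity=MEDIUM,
                text="draft email"),
        Session(pid=3003, hwnd=0x30, user="alice", integrity=HIGH,
                text="Password: hunter2"),   # elevated UAC-style dialog
    ]


def scenario(broker_cls):
    """Replays the article's attacks from a Low-IL sandbox against the
    elevated session and returns what each attempt produced."""
    broker = broker_cls(build_sessions())
    sandbox = PeerIdentity(pid=1001, user="alice", integrity=LOW)
    # The sandbox lies: it names the admin window's pid/hwnd, not its own.
    forged = {"pid": 3003, "hwnd": 0x30}
    stolen = broker.handle({**forged, "op": "read"}, sandbox)
    injected = broker.handle({**forged, "op": "send", "data": "whoami"}, sandbox)
    admin_cmds = list(broker.sessions[3003].commands)
    # Legitimate use still works: a medium-IL app operating on its own session.
    editor = PeerIdentity(pid=2002, user="alice", integrity=MEDIUM)
    own = broker.handle({"pid": 2002, "hwnd": 0x20, "op": "read"}, editor)
    return {"stolen": stolen, "injected": injected,
            "admin_commands": admin_cmds, "own_read": own}


if __name__ == "__main__":
    for cls in (VulnerableBroker, HardenedBroker):
        print(cls.__name__, scenario(cls))
```

Run it and the vulnerable broker hands the sandbox the elevated dialog's text and queues "whoami" into the admin session, while the hardened broker denies both yet still serves the editor's read of its own window. The point of the design choice is that `PeerIdentity` is populated by the transport, so a client cannot forge it; on Windows the equivalent is the token and session the kernel associates with the connecting process, not any pid or HWND carried in the message body.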
To back up his claims, Ormandy demonstrated exploitation of the problem in action by publishing two PoC videos.
The researcher also published on GitHub a CTF exploration tool (ctftool), developed specifically for testing MSCTF, which other researchers can use in the further search for vulnerabilities.

Microsoft officials told ZDNet that they had already fixed the CTF vulnerability as part of the August 2019 Patch Tuesday updates. The problem received the identifier CVE-2019-1162. However, Ormandy doubts that this will be enough, since the vulnerability is rooted deeply in the protocol and its design. The expert is now wondering whether Microsoft engineers will have to redesign CTF.