Researcher details decades-old design flaws in Microsoft's CTF protocol

News by Bradley Barth

Microsoft's CTF protocol harboured a series of 20-year-old flaws that could allow unauthorised parties to take over applications that use said protocol

Google Project Zero researcher Tavis Ormandy has disclosed a series of 20-year-old flaws in Microsoft’s CTF protocol that could allow unauthorised parties to take over applications that use said protocol.

According to Ormandy’s blog post and technical analysis, the flaw is specifically found in the msctf subsystem, which is a component of the Text Services Framework that manages input methods, keyboard layouts, text processing and more.

In his analysis, Ormandy describes the CTF subsystem as a"vast and complex" environment, further noting in his blog post that the CTF protocol "allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application."

"It took a lot of effort and research to reach the point that I could understand enough of CTF to realise it’s broken," Ormandy continued in the blog post. "These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly 20 years, and nobody noticed."

Microsoft addressed one of the issues Ormandy discovered, an ALPC elevation of privilege vulnerability (CVE-2019-1162), with a software update issued on Patch Tuesday. However, reports indicate that more patching may be necessary.

"An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft’s vulnerability advisory states. "To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system."

In emailed comments, Richard Gold, head of security engineering at Digital Shadows, summed up Ormandy’s discovery as follows: "Due to a lack of authentication, an unprivileged program can connect to a high-privileged program and spawn high-privileged processes. This is an effective privilege escalation technique."

"This technique can be exploited by a local user, so it does require the attacker having a user session on the machine. It is not a technique for gaining initial access to a machine, but for elevating privileges after a successful intrusion," Gold further explained. "This attack works by taking advantage of a built-in Windows feature, so it will be challenging to fix this. Digital Shadows tested it in its lab this afternoon and it worked great against a fully-patched Windows 10 system."

"Normally, an unprivileged process would not be permitted to send input or read data from a high privileged process. CTF breaks these assumptions, and allows an unprivileged processes to send input to privileged processes," said Chris Morales, head of security analytics at Vectra, in his own emailed comments. "So if an attacker is able to gain access to an unprivileged user on a system, they could then use an exploit to trigger a command to privileged processes. As documented by the researcher, the obvious attacks are sending commands to an elevated command window, reading passwords out of dialogs, [and] escaping an app container sandboxes by sending data to an uncontained app.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews