Network Security, Vulnerability Management

Researcher details decades-old design flaws in Microsoft’s CTF protocol

Google Project Zero researcher Tavis Ormandy yesterday disclosed a series of 20-year-old flaws in Microsoft's CTF protocol that could allow unauthorized parties to take over applications that use said protocol.

According to Ormandy's blog post and technical analysis, the flaw is specifically found in the msctf subsystem, which is a component of the Text Services Framework that manages input methods, keyboard layouts, text processing and more.

In his analysis, Ormandy describes the CTF subsystem as a"vast and complex" environment, further noting in his blog post that the CTF protocol "allows applications to exchange input and read each other's content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application."

"It took a lot of effort and research to reach the point that I could understand enough of CTF to realize it's broken," Ormandy continued in the blog post. "These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly 20 years, and nobody noticed."

Microsoft addressed one of the issues Ormandy discovered, an ALPC elevation of privilege vulnerability (CVE-2019-1162), with a software update issued on Patch Tuesday yesterday. However, reports indicate that more patching may be necessary.

"An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft's vulnerability advisory states. "To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system."

In emailed comments, Richard Gold, head of security engineering at Digital Shadows, summed up Ormandy's discovery as follows: "Due to a lack of authentication, an unprivileged program can connect to a high-privileged program and spawn high-privileged processes. This is an effective privilege escalation technique."

"This technique can be exploited by a local user, so it does require the attacker having a user session on the machine. It is not a technique for gaining initial access to a machine, but for elevating privileges after a successful intrusion," Gold further explained. "This attack works by taking advantage of a built-in Windows feature, so it will be challenging to fix this. Digital Shadows tested it in its lab this afternoon and it worked great against a fully-patched Windows 10 system."

"Normally, an unprivileged process would not be permitted to send input or read data from a high privileged process. CTF breaks these assumptions, and allows an unprivileged processes to send input to privileged processes," said Chris Morales, head of security analytics at Vectra, in his own emailed comments. "So if an attacker is able to gain access to an unprivileged user on a system, they could then use an exploit to trigger a command to privileged processes. As documented by the researcher, the obvious attacks are sending commands to an elevated command window, reading passwords out of dialogs, [and] escaping an app container sandboxes by sending data to an uncontained app.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.