Microsoft CTF protocol can be exploited on all Windows versions

Google Project Zero disclosed a vulnerability in CTF, a Microsoft protocol used by all Windows versions since Windows XP that can be exploited with ease.

What is CTF?

What CTF stands is currently unknown: it is part of of the Windows Text Services Framework , that manages the text shown inside Windows applications.

When users start an app, Windows also starts a CTF client for that app, that receives instructions from a CTF server about the OS system language and the keyboard input methods, in order to change the language in each Windows app accordingly, and in real-time.

According to Tavis Ormandy, from Google Project Zero:

“You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service.

There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session”

So, with no access control or any kind of authentication in place for this interaction, an attackers can easily bypass User Interface Privilege Isolation, letting even an unprivileged process to:

  • read sensitive text from any window of other applications (including passwords out of dialog boxes)
  • gain SYSTEM privileges,
  • take control of the UAC consent dialog,
  • send commands to the administrator’s console session
  • escape sandboxes by sending input to unsandboxed windows.

Ormandy has also released a “CTF Exploration Tool” developed in order to discover many security issues in the Windows CTF protocol.


Is there a patch?

Not yet: the researcher reported his findings to Microsoft and released the details to the public after Microsoft failed to address the issue within 90 days of being notified.

Microsoft patched the bug as part of its August Patch Tuesday update.


References and further reading


Related posts

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.