Undocumented Windows Protocol Enabled Full System Compromise For 20 Years

Credit: Who is Danny / ShutterstockCredit: Who is Danny / Shutterstock

Tavis Ormandy, one of Google’s most prominent security researchers and a member of Google’s Project Zero security research group, has uncovered an almost 20-year-old Windows design flaw that could allow attackers to fully compromise systems. 

Ormandy said he couldn’t find any documentation about what the CTF protocol actually does, other than the fact that it’s part of the Windows Text Services Framework (MSCTF) and is present in all Windows versions since Windows XP and Office XP and newer. 

According to him, an attacker could bypass any sandbox or security protection via the CTF subsystem:

"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.”

Ormandy commented that, normally, you would not see an unprivileged process be able to read data and send input to a high-privileged process. However, CTF breaks these assumptions, allowing limited-access processes to send input to privileged processes.

The Google researcher warned that this design flaw could be used to send commands to an elevated command window, read passwords out of dialogs, escape IL/AppContainer sandboxes by sending input to unsandboxed windows, and so on. 

The attack surface exposed by the CTF subsystem could also allow attackers to use one compromised app to compromise another CTF client. He noted that the memory corruption bugs found in the CTF protocol could be exploited by attackers in the default state of the protocol, with no interaction from a system’s user being required.

Microsoft Partially Patches MSCTF Protocol

Microsoft released some partial mitigations in the recent August update bundle, which should prevent attackers from elevating privileges via calls to the Advanced Local Procedure Call (ALPC). 

This flaw would have allowed an attacker to ”run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

According to BleepingComputer’ sources, Microsoft is preparing patches for other CTF-related issues.

1 comment
    Your comment
  • JQB45
    Perhaps a hidden backdoor that was found by the public some 20 years later? What else is WCTFS good for?