Windows CTF Flaw Enables Attackers to Fully Compromise Systems

Google Project Zero security researcher Tavis Ormandy has found several critical design flaws in the CTF subsystem of the Windows Text Services Framework (MSCTF), present in all versions of Windows going back as far as Windows XP.

The issues might reach even further for Microsoft Office users since, although MSCTF is not part of the Windows XP base system, it would be installed on the system alongside the productivity suite.

Ormandy says that attackers who are already logged into a Windows system can take advantage of the huge attack surface stemming from MSCTF's design flaws, potentially exploiting them to gain SYSTEM privileges and fully compromise the system.

"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed," added the researcher.

Ormandy also published a video demo on YouTube showing the dangers of the MSCTF flaws: he exploited the protocol to hijack the Windows LogonUI—the program the system uses to show the login screen—and gain SYSTEM privileges on Windows 10.

"A quick description of the attack would be that normally, an unprivileged process (for example, low integrity) would not be permitted to send input or read data from a high privileged process," says Ormandy. "CTF breaks these assumptions, and allows unprivileged processes to send input to privileged processes.

"The obvious attacks are sending commands to an elevated command window, reading passwords out of dialogs, escaping IL/AppContainer sandboxes by sending input to unsandboxed windows, and so on."

The attack surface exposed by the MSCTF design flaws could also enable attackers to launch new programs by using one compromised app to compromise another app's CTF client. If the original app was running with elevated privileges, so would the newly launched program.

"This means you can compromise Calculator, and from there compromise any other CTF client... even non-AppContainer clients like explorer. On Windows 8 and earlier, compromising calc is as simple as any other CTF client," says Ormandy.

The memory corruption flaws found in the CTF protocol can be exploited by attackers in a default configuration and do not depend on the Windows language or regional settings.

And, as Ormandy adds, "this doesn't even begin to scratch the surface of potential attacks for users that rely on out-of-process TIPs, Text Input Processors."

Windows MSCTF protocol partially patched

Microsoft issued a security update tracked as CVE-2019-1162 to patch one of the issues Ormandy reported in May, but it is currently unclear how many more bugs, if any, remain to be patched before the MSCTF protocol is secure.

According to Redmond, the security fix issued as part of the company's August Patch Tuesday patches an elevation of privilege vulnerability present in the way "Windows improperly handles calls to Advanced Local Procedure Call (ALPC)."

This flaw can be exploited by potential attackers who "could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

However, it is important to note that, to exploit unpatched Windows devices, attackers would first have to authenticate before taking control of the vulnerable system.

Microsoft addressed the ALPC elevation of privilege bug by correcting the way Windows handles calls to ALPC and published security updates for Windows versions starting with Windows 7 for 32-bit Systems Service Pack 1 and up.

The Google researcher published an in-depth overview of how the flaws were found and the dangers behind them yesterday, after the 90 days since the issues were responsibly disclosed to Microsoft had passed.

Ormandy has also published a collection of tools and code for exploring the Windows MSCTF design flaws he found.

A Microsoft spokesperson told BleepingComputer that some of the related issues were resolved in an update released yesterday as part of the August 2019 Patch Tuesday updates.

"We resolved issues related to CVE-2019-1162 in August."

Sources familiar with the flaws told BleepingComputer that Microsoft is still working on resolving other related vulnerabilities.
