Vulnerability in Microsoft CTF protocol goes back to Windows XP


CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease.

According to Tavis Ormandy, a security researcher with Google’s Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user’s computer can use the protocol to take over any app, including high-privileged applications, or the entire OS as a whole.

Currently, there are no patches for these bugs, and a quick fix isn’t expected, as the vulnerabilities are deeply ingrained in the protocol and its design.

What is CTF?

What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn’t able to find what it means anywhere in Microsoft’s documentation.

What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications.

When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods.

If the OS input method changes from one language to another, the CTF server notifies all CTF clients, which then change the language in each Windows app accordingly, in real time.

CTF, the gateway to… everything

What Ormandy discovered is that the communications between CTF clients and the CTF servers aren’t properly authenticated or secured.

“There is no access control in CTF,” Ormandy said.

“Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie.

“So you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session.”

An attacker that hijacks another app’s CTF session can then send commands to that app, posing as the server — normally expected to be the Windows OS.

Attackers can use this loophole either to steal data from other apps or to issue commands in the name of those apps.

If the apps run with high-privileges, then those actions can even allow the attacker to take full control over a victim’s computer.

And according to Ormandy, any app or Windows process is up for grabs. Because of CTF’s role — to show text inside ANY app or service — there’s a CTF session for literally everything and every user interface element on a Windows OS.

To prove this point, Ormandy recorded a demo in which he hijacked the CTF session of the Windows login screen, showing that everything is hackable in Windows because of CTF.

CTF hacking tool available online

Earlier today, Ormandy also published a blog post explaining the CTF security issue in more depth and released a tool on GitHub that helps other researchers test the protocol for further issues.

It is unclear how Microsoft will patch the CTF problem, and this is a very big problem. The vulnerabilities may not allow hackers to break into computers, but they give attackers one very easy way of getting admin rights on already-infected Windows systems.

Microsoft has not returned a request for comment regarding the bugs found by Ormandy.

“It will be interesting to see how Microsoft decides to modernize the protocol,” Ormandy said.

Source Article from https://www.zdnet.com/article/vulnerability-in-microsoft-ctf-protocol-goes-back-to-windows-xp/#ftag=RSSbaffb68