ctfmon windows vulnerabilities

Update — With this month's Patch Tuesday updates, Microsoft has finally addressed this vulnerability, tracked as CVE-2019-1162, by correcting how the Windows operating system handles calls to Advanced Local Procedure Call (ALPC).

A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, from Windows XP to the latest Windows 10.

The vulnerability resides in the way MSCTF clients and the server communicate with each other, allowing even a low-privileged or sandboxed application to read and write data to a higher-privileged application.

MSCTF is a module in the Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition.

In a nutshell, when you log in to your Windows machine, it starts a CTF monitor service that works as a central manager to handle communications between all clients, which are actually windows for each process running on the same session, through an ALPC (advanced local procedure call) port.

"You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service," the researcher explained.

Tavis Ormandy from Google's Project Zero Team discovered that since there is no access control or any kind of authentication in place for this interaction, any application, any user and even sandboxed processes can:

  • connect to ctfmon ALPC port across all sessions,
  • read and write the text of any window, from any other session,
  • fake their thread id, process id, and HWND,
  • pretend to be a CTF service, tricking other applications, even privileged ones, into connecting to it, or
  • escape from sandboxes and escalate privileges.

"There is no access control in CTF, so you could connect to another user's active session and take over any application, or wait for an Administrator to login and compromise their session," Ormandy explains in a blog post published today.

"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."

If exploited, the weakness in the CTF protocol could allow attackers to easily bypass User Interface Privilege Isolation (UIPI), letting even an unprivileged process:

  • read sensitive text from any window of other applications, including passwords out of dialog boxes,
  • gain SYSTEM privileges,
  • take control of the UAC consent dialog,
  • send commands to the administrator's console session, or
  • escape IL/AppContainer sandboxes by sending input to unsandboxed windows.

Ormandy has also published a proof-of-concept video demonstrating how the issue can be exploited to gain SYSTEM privileges in Windows 10.

Besides this, the CTF protocol reportedly also contains many memory corruption flaws that, according to the researcher, can be exploited in a default configuration.

"Even without bugs, the CTF protocol allows applications to exchange input and read each other's content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol," Ormandy says.

The researcher has also released a custom open-source "CTF Exploration Tool" on GitHub that he developed and used to discover many critical security issues in the Windows CTF protocol.

Ormandy responsibly reported his findings to Microsoft in mid-May this year and released the details to the public today after Microsoft failed to address the issue within 90 days of being notified.
