Update — With this month’s Patch Tuesday updates, Microsoft has finally addressed this vulnerability, tracked as CVE-2019-1162, by correcting how the Windows operating system handles calls to Advanced Local Procedure Call (ALPC).
A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, from Windows XP to the latest Windows 10.
The vulnerability resides in the way MSCTF clients and the server communicate with each other, allowing even a low-privileged or sandboxed application to read and write data in a higher-privileged application.
MSCTF is a module in Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition.
In a nutshell, when you log in to your Windows machine, it starts a CTF monitor service that works as a central manager for communication between all clients, which are in fact the windows of each process running in the same session, over an ALPC (Advanced Local Procedure Call) port.
“You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service,” the researcher explained.
Tavis Ormandy from Google’s Project Zero Team discovered that since there is no access control or any kind of authentication in place for this interaction, any application, any user and even sandboxed processes can:
- connect to ctfmon ALPC port across all sessions,
- read and write the text of any window, from any other session,
- fake their thread id, process id, and HWND,
- pretend to be the CTF service, tricking other applications, even privileged ones, into connecting to it, or
- escape from sandboxes and escalate privileges.
“There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session,” Ormandy explains in a blog post published today.
“It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.”