Sunday, August 18, 2019


TECH

Undocumented Windows Protocol Enabled Full System Compromise For 20 Years

Tavis Ormandy, one of Google’s most prominent security researchers and a member of Google’s Project Zero security research group, has uncovered an almost 20-year-old Windows design flaw that could allow attackers to fully compromise systems.
Ormandy said he couldn’t find any documentation about what the CTF protocol actually does, other than the fact that it’s part of the Windows Text Services Framework (MSCTF) and is present in all Windows versions since Windows XP and Office XP and newer.
According to him, an attacker could bypass any sandbox or security protection via the CTF subsystem:
"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.”
Ormandy commented that, normally, you would not see an unprivileged process be able to read data and send input to a high-privileged process. However, CTF breaks these assumptions, allowing limited-access processes to send input to privileged processes.
The Google researcher warned that this design flaw could be used to send commands to an elevated command window, read passwords out of dialogs, escape IL/AppContainer sandboxes by sending input to unsandboxed windows, and so on.
The attack surface exposed by the CTF subsystem could also allow attackers to use one compromised app to compromise another CTF client. He noted that the memory corruption bugs found in the CTF protocol could be exploited by attackers in the default state of the protocol, with no interaction from a system’s user being required.
Microsoft Partially Patches MSCTF Protocol
Microsoft released some partial mitigations in the recent August update bundle, which should prevent attackers from elevating privileges via calls to the Advanced Local Procedure Call (ALPC).
This flaw would have allowed an attacker to ”run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
According to BleepingComputer’ sources, Microsoft is preparing patches for other CTF-related issues.

Lucian Armasu
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

  INTEL Germany's largest hardware retailer has yet to sell a single Intel Core Ultra 200S CPU Intel's desktop Core Ultra 200 proces...

  • (no title)
    TECH In Memoriam: The Tech That Died in 2018 A bongo enthusiast once said, "time is a flat circle," which is a pretentious...
  • (no title)
      HONOR Model 60 Pro: Sparkling design and camera configuration confirmed by teaser image Honor is not due to unveil the Honor 60 series for...
  • (no title)
      OPPO New and unprecedented model Find X6 will debut with a huge photo sensor Oppo has a strong smartphone lineup lately, offering great fo...