On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool that uses and abuses the Microsoft Text Services Framework to effectively give anyone root - ie, System - on any unpatched Windows 10 system they can log in to. The patches for this vulnerability, as well as some other serious issues, were released in this week's Patch Tuesday update.
We independently verified Ormandy's proof-of-concept, and it does what it says on the tin: follow the instructions and a few seconds later you get a privileged prompt as nt authority\system. We also independently verified that applying KB4512508 closes the vulnerability; once the August security updates are installed, the exploit stops working.
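As an added check, not from the article or from ctftool, the following PowerShell reports whether KB4512508 (the update the article names, which applies to Windows 10 1903) is installed and lists any updates installed since the August 2019 Patch Tuesday as a heuristic fallback for other Windows 10 releases; the function name is my own.

```powershell
# Added example: verify that the August 2019 fix for the CTF issue is present.
# KB4512508 is the update the article names; other Windows 10 releases received a
# differently numbered cumulative update the same day, so the date-based check
# is only a heuristic fallback for them.
function Test-CtfPatchStatus {
    [CmdletBinding()]
    param(
        [string]$KB = 'KB4512508',
        [datetime]$PatchTuesday = [datetime]'2019-08-13'
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $named = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # Any update whose install date is on or after the August 2019 Patch Tuesday.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        OSBuildNumber     = $os.BuildNumber
        NamedKBInstalled  = [bool]$named
        UpdatesSincePatch = @($recent | Select-Object -ExpandProperty HotFixID)
        LikelyPatched     = ([bool]$named) -or ($recent.Count -gt 0)
    }
}

Test-CtfPatchStatus | Format-List
```

NamedKBInstalled is the authoritative answer on 1903 hosts; LikelyPatched only says that some update has been installed since that Patch Tuesday, so confirm the build-specific KB on other releases.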
The full write-up of Ormandy's findings is intriguing and technically incredibly detailed. The TL;DR version: the Microsoft Text Services Framework, which is used to provide multilingual support and has been present since Windows XP, contains a library named MSCTF.DLL. (There is no clear documentation showing what Microsoft's CTF is supposed to stand for, but with the release of this tool, it may as well be Capture The Flag.)
The Text Services Framework must monitor and modify user input in application windows to provide language services such as Simplified Chinese (Pinyin). If you install language support for Pinyin, you can see this in action: with the language set to Pinyin, you can type in any window, and suggestions for Chinese characters matching either your phonetic spelling (or whole words you have typed in English) appear in a submenu. The characters in that submenu can be quickly selected using keyboard shortcuts, which replace the characters you typed with the Chinese characters you selected.
Ormandy did not set out looking for problems in the Text Services Framework - all he was really looking for was confirmation that he could not send messages from a non-privileged process to a privileged process. However, when he wrote a test case to send all sorts of messages to a Notepad.exe instance running as an administrator, he found that this was not the case: some of his inter-process messages went through unexpectedly.
If I send every possible message to a privileged window from an unprivileged process, the list should match the whitelist in win32k!IsMessageAlwaysAllowedAcrossIL and I can move on to something else.
Ah, I was so naive.
Tavis Ormandy, Google Project Zero
After Ormandy had identified the culprit as MSCTF.DLL, the next step was to find out what could be done with it. As he found out, the answer was "pretty much anything you want." The CTF protocol is an older system, shipped in 2001 with Office XP, that even supported Windows 98; it has been part of the base system since Windows XP. The protocol did not implement any access control at all - even sandboxed processes were able to connect to a CTF session outside of their sandbox. Clients report their thread ID, process ID, and window handle - but there was no validation, and nothing prevented such a client from lying through its teeth to get what it wanted. Every function pointer in the referenced program ... and the CTF protocol catches exceptions, so a client can effectively attack a target it does not know very well without crashing it. You might think that address space layout randomization - a modern security technique that makes it harder to predict where vulnerable parts of an application sit in memory - would make things harder. Unfortunately, you would be wrong, because the CTF marshaling protocol will helpfully tell you where the monitor's stack is.
This gets you into the monitor, but not yet into the client application you actually wanted to own. That step requires repeated trial and error, but the trial can be automated in a script, and that is exactly what Ormandy's proof-of-concept script does. When you run ctf-consent-system.ctf in the tool, a UAC dialog box is created with the verb runAs and the command shellExecute(). Once the UAC dialog is in place, ctftool uses the CTF framework to connect, test the connection, and locate the stack. This takes a few seconds. Once this is done, it calls the internal function in consent.exe that indicates a local user has successfully entered the requested credentials - and Bob's your uncle. You have an instance of cmd.exe running as nt authority\system.
This vulnerability lurked undetected in the Windows stack for 20 years, and the consequences are even greater than the proof-of-concept exploit shows: on unpatched systems, CTF can also be used to bypass the AppContainer isolation used by the newest and probably most secure applications, such as Microsoft Edge.
Listing image by Rich Graessle / Icon Sportswire / Corbis on Getty Images