This article reports a vulnerability in the CTF protocol, a Microsoft protocol used by every Windows operating system version since Windows XP. Check out this post from MiniTool to see how the vulnerability affects your computer's security.
CTF is an undocumented Windows protocol used by the Microsoft Text Services Framework. Despite being present in every Windows version since Windows XP, it is insecure and can be exploited easily.
Recently, the well-known security researcher Tavis Ormandy found a vulnerability in Microsoft's CTF protocol that allows attackers to hijack any Windows app and even obtain admin rights.
According to Tavis Ormandy, a security researcher on Google's Project Zero elite security team and the person who found the buggy protocol, attackers or malware that already have a foothold on a user's computer can use the protocol to take over any application, including high-privileged applications, or even the entire operating system.
What Is CTF
What CTF actually stands for is unknown. Even well-known security researchers such as Ormandy were unable to find its meaning anywhere in Microsoft's documentation.
All they could find out is that CTF is part of the Windows Text Services Framework (TSF), a COM framework and API in Windows XP and later Windows operating systems that supports advanced text input and text processing; in other words, the system that manages the text shown inside Windows and Windows applications.
When a user starts an app, Windows also starts a CTF client for that app. The CTF client then receives instructions from a CTF server about the operating system's language and keyboard input methods.
If the operating system's input method changes from one language to another, the CTF server notifies all CTF clients, so the language in each Windows app changes accordingly. The change happens in real time.
The Impact of the Vulnerability in CTF Protocol
According to the notable security researcher Ormandy, the communication between the CTF clients and the CTF servers is not properly authenticated or secured.
He claimed that any application, any user – even sandboxed processes – can connect to any CTF session. Clients should report their thread id, process id and HWND, but there is no authentication involved. And you can simply make up a lie.
In this way, you can connect to another user's active session and take over any application. You can also wait for an administrator to log in and compromise their session.
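The design flaw the article describes is that the broker side believes whatever identity the client writes into its hello message. The following is an added illustration, not Windows code and not Ormandy's tool: a constructed toy "session broker" over a local socket pair, written once the insecure way (trusting a self-reported thread id, process id and HWND) and once the hardened way (taking the peer's identity from the kernel via SO_PEERCRED, which the peer cannot forge). The message format, the function names and the use of a Linux Unix-domain socket are all assumptions made for the illustration; CTF itself uses Windows ALPC.

```python
import os
import socket
import struct

# Constructed illustration (not Windows code, not Ormandy's ctftool): a toy
# session broker that registers a client from a hello message, written two ways.
# HELLO_FMT mirrors the three values the article says CTF clients self-report:
# thread id, process id and window handle (HWND), packed as three unsigned ints.
HELLO_FMT = "3I"
HELLO_LEN = struct.calcsize(HELLO_FMT)
PEERCRED_FMT = "3i"  # struct ucred on Linux: pid, uid, gid

# A pid no user-space process can have, so a client claiming it is plainly lying.
FORGED_PID = 0


def make_hello(tid, pid, hwnd):
    """Build the client's hello message; nothing stops the client from lying here."""
    return struct.pack(HELLO_FMT, tid, pid, hwnd)


def claimed_identity(conn):
    """Insecure design: trust whatever identity the peer wrote into its hello."""
    tid, pid, hwnd = struct.unpack(HELLO_FMT, conn.recv(HELLO_LEN))
    return {"pid": pid, "tid": tid, "hwnd": hwnd, "source": "claimed"}


def verified_identity(conn):
    """Hardened design: still read the hello, but take the identity from the
    kernel (SO_PEERCRED, Linux only), which the peer cannot forge."""
    conn.recv(HELLO_LEN)  # consume the hello; its self-reported fields are ignored
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(PEERCRED_FMT))
    pid, uid, gid = struct.unpack(PEERCRED_FMT, raw)
    return {"pid": pid, "uid": uid, "gid": gid, "source": "kernel"}


def register(identify, hello):
    """Run one registration over a local socket pair and return what the broker
    ends up believing about the client."""
    broker, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(hello)
        return identify(broker)
    finally:
        broker.close()
        client.close()


def real_pid():
    """The only pid a client on this in-process socket pair can actually have."""
    return os.getpid()


def is_session_owner(identity, owner_pid):
    """Authorization check a broker should apply: only the process that owns a
    session may attach to it. It is only meaningful if the pid is trustworthy."""
    return identity["pid"] == owner_pid


if __name__ == "__main__":
    forged = make_hello(tid=1, pid=FORGED_PID, hwnd=0x10)
    print("claimed :", register(claimed_identity, forged))
    print("verified:", register(verified_identity, forged))
```

With the trusting broker, the forged hello passes the ownership check for whatever pid the client names; with the kernel-derived identity, the same hello is attributed to the process that actually holds the socket, and the check fails. The lesson is the general one: an authorization decision is only as strong as the authentication of the identity it is based on.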
If an app's CTF session is hijacked successfully, the attacker can send commands to that app while posing as the server (normally the Windows operating system itself).
The consequence is that the attacker can steal data from other apps and issue commands in the name of those apps.
If the attacked app has high privileges, it is even worse: the attacker can take full control of the victim's computer.
Ormandy also recorded a demo to prove this. In the video, he hijacks the CTF session of the Windows login screen, showing that, because of CTF, essentially everything in Windows can be hacked.
CTF Hacking Tool Is Available Online
Recently, Ormandy published a blog post explaining the CTF vulnerability further. What's more, he also released a tool on GitHub to help other researchers test the protocol for further issues.
The vulnerability may not by itself let attackers break into a computer, but it allows them to gain administrator privileges on an already infected Windows system in a very simple way, which is a big problem.
Microsoft is reported to have patched the bug Ormandy reported this month. The CTF protocol vulnerability and its fixes are tracked as CVE-2019-1162. However, because the weaknesses are deeply rooted in the protocol and its design, it remains to be seen whether the patches Microsoft released are enough.