20-Year-Old Bug in Legacy Microsoft Code Plagues All Windows Users

A bug in an obscure legacy Windows protocol can lead to serious real-world privilege-escalation attacks.

A 20-year-old vulnerability present in all versions of Microsoft Windows could allow a non-privileged user to run code that will give him or her full SYSTEM privileges on a target machine. The bug is notable because of where it resides: In a legacy, omnipresent protocol named Microsoft CTF.

First reported by Tavis Ormandy at Google Project Zero, the bug (CVE-2019-1162) is tracked by Microsoft as an APLC flaw with a severity level of “important.” Ormandy responsibly reported his findings to Microsoft in mid-May, and he released the details to the public this week, prior to the software giant’s Patch Tuesday update, after Microsoft failed to address the issue within 90 days of being notified.

The bug does have a patch now, as of late afternoon Tuesday.

CTF is problematic because it communicates with other Windows services without proper authentication.

“The issue is with an obscure piece of functionality called CTF which is part of the Windows Text Services Framework,” explained Richard Gold, head of security engineering at Digital Shadows, speaking to Threatpost. “Programs running on a Windows machine connect to this CTF service, which manages things like input methods, keyboard layouts, text processing, etc.”

As such, it also can be used as a bridge between different windows on a desktop. In his writeup, Ormandy noted in a blog post on Tuesday, “You might have noticed the ‘ctfmon’ service in Task Manager. It is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service.”

In cross-application communication, an authentication mechanism would ordinarily ensure that privileged processes are isolated from unprivileged processes. However, due to a lack of authentication in CTC, an unprivileged program running in one window can use it to connect to a high-privileged program in another, spawning high-privileged processes.

“These various windows can run with different privilege levels, and there should exist some boundaries between the levels,” explained Dustin Childs, manager with Trend Micro’s ZDI, in an email to Threatpost. “Tavis found a way to communicate between various permissions levels through the CTF protocol, which has existed in Windows for some time.”

From a technical perspective, the flaw is being exploited via the Input Method Editor (IME), according to Todd Schell, senior product manager of security for Ivanti.

“When you log into a system using one of the Asian languages, you are set up by the IME with an input profile with enhanced capabilities,” he explained. “This is pretty severe because it bypasses the User Interface Privilege Isolation (UIPI) features of the OS.”

When it comes to what an attacker could do in a real-world setting, “there is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an administrator to login and compromise their session,” Ormandy explained.

Possible attacks, according to Chris Morales, head of security analytics at Vectra, include sending commands to an elevated command window, reading passwords out of dialogs or escaping app container sandboxes by sending data to an uncontained app. It could also be used by malware if chained with another vulnerability.

“This vulnerability is especially dangerous in domain networks where elevating privileges might allow an attacker to acquire control of accounts privileged on other machines that are logged on the machine, move laterally and possibly compromise the entire domain,” added Roman Blachman, CTO and co-founder at Preempt, speaking to Threatpost.

This technique can only be exploited by a local user, so it does require the attacker having a user session on the machine, Morales said – it is not a technique for gaining initial access to a machine, but for elevating privileges after a successful intrusion.

CTF is a built-in Windows feature that has been around for about 20 years – and Morales pointed out that it’s persistent on every Windows system since XP, which would cover almost every Windows system deployed today.

Given their legacy nature and the size of the attack surface, services like these are ripe for bug-hunting.

“Microsoft’s operating systems consist of many services that were implemented to perform an original function but have continued to grow and be modified over the years by multiple developers,” Ivanti’s Schell told Threatpost. “This often results in new vulnerabilities surfacing. In this particular case, the vulnerability exists in ctfmon.exe which is a Microsoft Office process that works with the Windows operating system. It is a non-essential system process that runs in the background, even after quitting all programs.”

And indeed, Yaron Zinar, senior researcher at Preempt, told Threatpost that this particular service is riddled with holes.

“The API has many issues – it does not validate originator, open between privileged and non-privileged processes and – the crown jewel – it contains many memory-corruption bugs,” he said.

As for exploitation, Ormandy developed a working exploit that can extract NT AUTHORITYSYSTEM from an unprivileged user on up-to-date Windows 10 1903, which means he can get privileged access to the system.

“It took a lot of effort and research to reach the point that I could understand enough of CTF to realize it’s broken,” he wrote. “These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly 20 years, and nobody noticed.”

Others validated the work. “Digital Shadows tested it in its lab this afternoon and it worked great against a fully-patched Windows 10 system,” Gold told Threatpost.

“The researcher from Google was able to create an exploit where he attacked the logon screen and run code as SYSTEM,” said Zinar. “It appears that some of the issues are not fully mitigated and it is possible more issues/way to exploit this interface will be discovered in the future.”

As noted, Microsoft patched the bug as part of its August Patch Tuesday update. Also, Schell said this can be mitigated by simply turning off the ctfmon service, “and is not an issue for most languages as they don’t use the enhanced input profile needed.”

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.