CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease.
According to Tavis Ormandy, a security researcher with Google’s Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user’s computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.
Currently, there are no patches for these bugs, and a quick fix isn’t expected, as the vulnerabilities are deeply ingrained in the protocol and its design.
What is CTF?
What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means anywhere in Microsoft's documentation.
What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications.
When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods.
If the OS input method changes from one language to another, then the CTF server notifies all CTF clients, who then change the language in each Windows app accordingly, and in real-time.
CTF, the gateway to… everything
What Ormandy discovered is that the communications between CTF clients and the CTF servers aren’t properly authenticated or secured.
“There is no access control in CTF,” Ormandy said.
“Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie.
“So you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session.”
An attacker who hijacks another app's CTF session can then send commands to that app while posing as the CTF server, a role normally filled by the Windows OS itself.
Attackers can use this loophole either to steal data from other apps or to issue commands in the name of those apps.
If the apps run with high privileges, those actions can even allow the attacker to take full control over a victim's computer.
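The design flaw Ormandy describes above is that the server binds a session to whatever process id, thread id and window handle the client reports, with nothing tying those values to the process that actually connected. The following added example (not CTF's code or wire format, and not from Ormandy's tool) models that pattern with a toy hello message over a Unix socket pair: one broker trusts the self-reported pid, the other compares it against the identity the kernel attests for the peer. The attestation uses Linux SO_PEERCRED, chosen because it runs offline in a test; the constructed hello layout, the dummy tid/hwnd values and the forged pid offset are assumptions for illustration.

```python
import os
import socket
import struct

# Toy model of a session "hello", constructed for this example. It is NOT
# CTF's real wire format: the client self-reports its process id, thread id
# and window handle, mirroring the three values the article says CTF clients
# report to the server.
HELLO_FMT = "<III"
HELLO_LEN = struct.calcsize(HELLO_FMT)


def encode_hello(pid, tid, hwnd):
    return struct.pack(HELLO_FMT, pid, tid, hwnd)


def decode_hello(data):
    pid, tid, hwnd = struct.unpack(HELLO_FMT, data)
    return {"pid": pid, "tid": tid, "hwnd": hwnd}


def kernel_peer_pid(conn):
    """Process id the kernel itself attests for the other end of a Unix socket.

    Linux-specific (SO_PEERCRED, struct ucred = pid, uid, gid). This is the
    kind of OS-provided identity a broker must consult instead of trusting
    what the client wrote into its own message.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def accept_trusting(conn):
    """Vulnerable design: the session is bound to whatever identity the client claims."""
    hello = decode_hello(conn.recv(HELLO_LEN))
    return {"accepted": True, "bound_pid": hello["pid"]}


def accept_verified(conn):
    """Hardened design: the claimed pid must match the kernel-attested peer pid."""
    hello = decode_hello(conn.recv(HELLO_LEN))
    attested = kernel_peer_pid(conn)
    if hello["pid"] != attested:
        return {"accepted": False, "claimed_pid": hello["pid"], "attested_pid": attested}
    return {"accepted": True, "bound_pid": attested}


def run_scenario(claimed_pid, handler):
    """Connect a client that claims `claimed_pid` to a broker implemented by `handler`."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # tid=1 and hwnd=0x10 are dummy values; only the pid is checked here
        client_end.sendall(encode_hello(claimed_pid, 1, 0x10))
        return handler(server_end)
    finally:
        server_end.close()
        client_end.close()


def demo():
    """Send the same forged hello to both designs and return each broker's decision."""
    honest_pid = os.getpid()
    forged_pid = honest_pid + 4242  # a pid this process does not own (constructed)
    return {
        "trusting_forged": run_scenario(forged_pid, accept_trusting),
        "verified_forged": run_scenario(forged_pid, accept_verified),
        "verified_honest": run_scenario(honest_pid, accept_verified),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The trusting broker accepts the forged pid without complaint, which is the situation the article describes; the verified broker rejects it because the kernel reports the real pid of the connecting process. On Windows the equivalent attested identity for a named-pipe client comes from GetNamedPipeClientProcessId rather than SO_PEERCRED. Matching the pid is only the first half of access control: a real broker would still have to decide which user and integrity level is allowed to attach to a given session, since pids can be reused and a matching pid says nothing about whether that process should be there.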
And according to Ormandy, any app or Windows process is up for grabs. Because of CTF’s role — to show text inside ANY app or service — there’s a CTF session for literally everything and every user interface element on a Windows OS.
To prove this point, Ormandy recorded a demo in which he hijacked the CTF session of the Windows login screen, showing that everything is hackable in Windows because of CTF.
CTF hacking tool available online
Earlier today, Ormandy also published a blog post explaining the CTF security issue in more depth, and released a tool on GitHub that helps other researchers test the protocol for further issues.
It is unclear how Microsoft will patch the CTF problem, and this is a very big problem. The vulnerabilities may not allow hackers to break into computers, but they give them a very easy way of getting admin rights on already-infected Windows systems.
Microsoft has not returned a request for comment regarding the bugs found by Ormandy.
“It will be interesting to see how Microsoft decides to modernize the protocol,” Ormandy said.