A newly found bug in a legacy Windows protocol can lead to real-world privilege-escalation attacks. According to a Threatpost article:
“The issue is with an obscure piece of functionality called CTF which is part of the Windows Text Services Framework,” explained Richard Gold, head of security engineering at Digital Shadows, speaking to Threatpost. “Programs running on a Windows machine connect to this CTF service, which manages things like input methods, keyboard layouts, text processing, etc.”
As such, it can also serve as a bridge between different windows on a desktop. In his writeup, a blog post published on Tuesday, Ormandy noted, “You might have noticed the ‘ctfmon’ service in Task Manager. It is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service.”
In cross-application communication, an authentication mechanism would ordinarily ensure that privileged processes are isolated from unprivileged ones. However, because CTF performs no such authentication, an unprivileged program running in one window can use it to connect to a high-privileged program in another and spawn high-privileged processes.
“These various windows can run with different privilege levels, and there should exist some boundaries between the levels,” explained Dustin Childs, manager with Trend Micro’s ZDI, in an email to Threatpost. “Tavis found a way to communicate between various permissions levels through the CTF protocol, which has existed in Windows for some time.”
From a technical perspective, the flaw is exploited via the Input Method Editor (IME), according to Todd Schell, senior product manager of security for Ivanti.
“When you log into a system using one of the Asian languages, you are set up by the IME with an input profile with enhanced capabilities,” he explained. “This is pretty severe because it bypasses the User Interface Privilege Isolation (UIPI) features of the OS.”