Vulnerability in Microsoft CTF protocol goes back to Windows XP

Insecure CTF protocol allows hackers to hijack any Windows app, escape sandboxes, get admin rights.
Written by Catalin Cimpanu, Contributor

CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease.

According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.

What is CTF?

What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means anywhere in Microsoft's documentation.

What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications.

When a user starts an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS language and the keyboard input methods.

If the OS input method changes from one language to another, the CTF server notifies all CTF clients, which then change the language in each Windows app accordingly, in real time.

CTF, the gateway to... everything

What Ormandy discovered is that the communications between CTF clients and CTF servers aren't properly authenticated or secured.

"There is no access control in CTF," Ormandy said.

"Any application, any user - even sandboxed processes - can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie.

"So you could connect to another user's active session and take over any application, or wait for an Administrator to login and compromise their session."

An attacker who hijacks another app's CTF session can then send commands to that app while posing as the server, which the app normally expects to be the Windows OS itself.

Attackers can use this loophole either to steal data from other apps or to issue commands in the name of those apps.

If the apps run with high privileges, those actions can even allow the attacker to take full control of a victim's computer.

And according to Ormandy, any app or Windows process is up for grabs. Because of CTF's role -- to show text inside ANY app or service -- there's a CTF session for literally everything and every user interface element on a Windows OS.

To prove this point, Ormandy recorded a demo in which he hijacked the CTF session of the Windows login screen, showing that everything is hackable in Windows because of CTF.

CTF hacking tool available online

Earlier today, Ormandy also published a blog post explaining the CTF security issue in more depth, and released a tool on GitHub that helps other researchers test the protocol for further issues.

It is unclear how Microsoft will patch the CTF problem. And this is a very big problem. The vulnerability may not allow hackers to break into computers, but it gives them one very easy way of getting admin rights on already-infected Windows systems.

For its part, Microsoft told ZDNet that it patched the bug Ormandy reported this month. The CTF protocol vulnerability and its fixes are tracked as CVE-2019-1162.

But as the weaknesses are deeply ingrained in the protocol and its design, it remains to be seen whether the patches Microsoft released today as part of the August 2019 Patch Tuesday are enough.

"It will be interesting to see how Microsoft decides to modernize the protocol," Ormandy wondered.

Article updated on August 13, at 4:05pm, with information on patches.
