Tavis Ormandy, white hat hacker at Google’s Project Zero Team, disclosed technical details of a 20-year-old Windows vulnerability that is still unpatched.
The popular cyber security expert Tavis Ormandy,
The vulnerability, rated as high-severity, affects all versions of Microsoft Windows since Windows XP. Ormandy disclosed technical details
Ormandy explained that the
The flaw resides in the way MSCTF clients and the server communicate with each other. The vulnerability could allow a low-privileged or a
According to Ormandy, the lack of access control or any kind of authentication means that any application, any user and even sandboxed processes can:
- connect to any CTF session,
- read and write the text of any window, from any other session,
- pretend to be a CTF service and get other applications – even privileged applications – to connect to them,
- lie about their thread id, process id and HWND,
- escape from sandboxes and escalate privileges.
“Now that I can compromise any CTF client, how do I find something useful to compromise?” reads a blog post published by the expert. “There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to

Ormandy explained that the flaw in CTF protocol could allow attackers to bypass User Interface Privilege Isolation (UIPI), allowing an unprivileged process to:
- read sensitive text from any window of other applications, including passwords out of dialog boxes,
- gain SYSTEM privileges,
- take control of the UAC consent dialog,
- send commands to the administrator’s console session, or
- escape IL/AppContainer sandboxes by sending input to unsandboxed windows.
The expert published a video proof-of-concept that shows how to trigger the flaw on Windows 10 to gain SYSTEM privileges.
Ormandy pointed out that the CTF protocol also contains several memory corruption vulnerabilities that can be exploited in a default configuration.
“Even without bugs, the CTF protocol allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol,” the researcher concluded.
Ormandy also released a tool he developed, dubbed CTF Exploration Tool, to discover security issues in the Windows CTF protocol.
Ormandy responsibly reported the flaws to Microsoft in