CTF is a little-known Microsoft protocol that has been around since Windows XP and is still used today in every version of Windows.
Tavis Ormandy, a security researcher on Google's Project Zero team, found that the protocol is buggy and that attackers or malware can use it to take full control of a victim's computer.
What is CTF?
What CTF actually stands for is unclear; even Ormandy, a well-known security researcher, couldn't work out from Microsoft's documentation what it means.
What Ormandy did establish is that CTF is part of the Windows Text Services Framework (TSF), the system component that manages the text shown in Windows and in Windows applications.
When a user launches an application, Windows also starts a CTF client for it. The CTF client receives commands from a CTF server about the operating system's language and keyboard input methods.
If something changes (for example, the input language switches from Greek to English), the CTF server notifies all CTF clients, which then update the language in each Windows application in real time.
What Ormandy found is that communications between CTF servers and CTF clients are not properly encrypted.
Any application and any user, even a sandboxed process, can connect to any CTF session.
So an attacker could connect to another user's active session and take control of any of its applications, or wait for an Administrator to connect and gain higher privileges.
Attackers can use this flaw to steal data from other applications or to issue commands in those applications' name.
If the targeted application runs with high privileges, this gives the attacker full control of the victim's computer.
According to Ormandy, any Windows application or process can be attacked this way: because of CTF's role, every application and service running on Windows has its own CTF client.
To prove the vulnerability, Ormandy created a demo that you can see below:
The researcher also explains the CTF flaw in detail in a blog post and has released a tool on GitHub to help other researchers test the protocol.