Wednesday, 14 August 2019

Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

ctfmon windows vulnerabilities
A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, back from Windows XP to the latest Windows 10.

The vulnerability resides in the way MSCTF clients and server communicate with each other, allowing even a low privileged or a sandboxed application to read and write data to a higher privileged application.

MSCTF is a module in Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition.

In a nutshell, when you log in to your Windows machine, it starts a CTF monitor service that works as a central authority to handle communications between all clients, which are actually windows for each process running on the same session.

"You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service," the researcher explained.

Tavis Ormandy from Google's Project Zero Team discovered that since there is no access control or any kind of authentication in place for this interaction, any application, any user and even sandboxed processes can:

  • connect to CTF session,
  • read and write the text of any window, from any other session,
  • fake their thread id, process id, and HWND,
  • pretend as a CTF service, tricking other applications, even privileged ones, to connect to it, or
  • escape from sandboxes and escalate privileges.

"There is no access control in CTF, so you could connect to another user's active session and take over any application, or wait for an Administrator to login and compromise their session," Ormandy explains in a blog post published today.

"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."

If exploited, the weakness in CTF protocol could allow attackers to easily bypass User Interface Privilege Isolation (UIPI), letting even an unprivileged process to:

  • read sensitive text from any window of other applications, including passwords out of dialog boxes,
  • gain SYSTEM privileges,
  • take control of the UAC consent dialog,
  • send commands to the administrator's console session, or
  • escape IL/AppContainer sandboxes by sending input to unsandboxed windows.

Ormandy has also published a proof-of-concept video demonstrating how the issue can be exploited to gain SYSTEM privileges in Windows 10.

Besides this, CTF protocol reportedly also contain many memory corruption flaws that, according to the researcher, can be exploited in a default configuration.

"Even without bugs, the CTF protocol allows applications to exchange input and read each other's content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol," Ormandy says.

The researcher has also released a custom open-source "CTF Exploration Tool" on Github that he developed and used to discover many critical security issues in the Windows CTF protocol.

Ormandy responsibly reported his findings to Microsoft in mid-May this year and released the details to the public today after Microsoft failed to address the issue within 90 days of being notified

Thursday, 25 July 2019

Joburg City Power hit by virus, affecting electricity purchases

A computer virus which has hit City Power has resulted in a blackout to its internet technology system, leaving scores of Johannesburg residents unable to purchase electricity, as their kilowatts approach 0.00.
The power utility’s spokesperson Isaac Mangena said the virus had attacked its database and other software, impacting on most of its applications and networks.
The virus has also prevented those who had already bought their electricity from uploading it to their meter boxes.
The City Power website is also affected by the virus.
"It may also affect our response to some outages, as the system to order and dispatch material is affected. City Power IT team has been working since early morning 01:00 to fix this problem," Mangena said.
He said they hoped to have the glitch fixed by midday on Thursday.
On Wednesday, the utility announced that it was experiencing capacity constraints due to the cold weather in Johannesburg.
Mangena said cold weather conditions could result in unplanned outages, as the electrical system experienced overloading when demand increased.
He said plans were in place to deal with unplanned outages. The key focus of the plan was to attend to those areas that experienced repeated unplanned outages on the same day or week, he said.
"We have also increased the number of technicians in areas that are prone to repeated unplanned power outages.
"More teams have been put on standby so that they can be dispatched to attend to outages and respond to emergency calls," he said.
Residents have been urged to use electricity sparingly during this time.