Tavis Ormandy of Google’s Project Zero recently released an exploit tool called ctftool, which uses and abuses Microsoft’s Text Services Framework in ways that can effectively get anyone root (SYSTEM, that is) on any unpatched Windows 10 system they’re able to log in to. The patches for this vulnerability, along with several other critical issues, went out in this week’s Patch Tuesday update.
Ormandy’s proof-of-concept was verified independently, and it’s precisely what it says on the tin: follow the directions and one gets an NT AUTHORITY\SYSTEM privileged command prompt a few seconds later. It was also verified independently that applying KB4512508 closes the hole: once the August security updates were applied, the exploit no longer works.
The full writeup of Ormandy’s findings is fascinating and incredibly technically detailed. The TL;DR version is that Microsoft’s Text Services Framework, which Windows has used to support multiple input languages since Windows XP, is implemented in a library called MSCTF.DLL. (There’s no official documentation saying what Microsoft intended CTF to stand for, but with the launch of this tool, it might as well stand for Capture The Flag.)
The Text Services Framework needs to monitor, and alter, user input to application windows in order to provide language services such as Simplified Chinese (Pinyin). If you install language support for Pinyin, you can see this in action: with the input language set to Pinyin, you can type in any window, and suggestions for Chinese characters matching either your phonetic typing or entire words you’ve typed in English will appear in a sub-menu.
The characters in this sub-menu can be rapidly selected with keyboard shortcuts, which will then replace what you typed with the Chinese characters you selected.
Ormandy didn’t start out looking for problems in the Text Services Framework. All he wanted was to confirm that an unprivileged process couldn’t send window messages to a privileged process, which is exactly what Windows’ User Interface Privilege Isolation (UIPI) is supposed to guarantee. But when he wrote a test case to send every possible message to a Notepad.exe instance running as Administrator, he discovered that wasn’t the case: some of his messages unexpectedly went through.
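The probe below is an added example, not Ormandy’s test case or anything from ctftool: it reproduces the shape of that experiment on a smaller scale. Run it from an ordinary (medium-integrity) PowerShell window while a Notepad started with “Run as administrator” is open. Messages blocked by UIPI come back with Win32 error 5 (ERROR_ACCESS_DENIED); the handful on the UIPI allow-list, such as WM_NULL and WM_GETTEXTLENGTH, are delivered even to the elevated window. The window class name `Notepad`, the message subset chosen, and the helper name `Test-WindowMessage` are this example’s own assumptions.

```powershell
# Added example (not Ormandy's code): probe which window messages cross an
# integrity boundary. Assumption: the elevated Notepad's top-level window
# class is "Notepad" (true for the classic Windows 10 Notepad).
Add-Type -Namespace Win32 -Name Msg -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, UIntPtr wParam,
    IntPtr lParam, uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@

$SMTO_ABORTIFHUNG    = 0x0002   # don't wait on a hung target
$ERROR_ACCESS_DENIED = 5        # what UIPI returns for a blocked message

# Hypothetical helper: send one message and report whether it was delivered,
# blocked by UIPI, or failed for some other reason (e.g. 1460 = timeout).
function Test-WindowMessage {
    param(
        [Parameter(Mandatory)][IntPtr]$Hwnd,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$Msg,
        [UIntPtr]$WParam = [UIntPtr]::Zero,
        [IntPtr]$LParam  = [IntPtr]::Zero
    )
    $result = [UIntPtr]::Zero
    $ok  = [Win32.Msg]::SendMessageTimeout($Hwnd, $Msg, $WParam, $LParam,
                                           $SMTO_ABORTIFHUNG, 2000, [ref]$result)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [pscustomobject]@{
        Message   = $Name
        Delivered = ($ok -ne [IntPtr]::Zero)
        Blocked   = ($ok -eq [IntPtr]::Zero -and $err -eq $ERROR_ACCESS_DENIED)
        LastError = if ($ok -eq [IntPtr]::Zero) { $err } else { 0 }
        Result    = $result
    }
}

$hwnd = [Win32.Msg]::FindWindow('Notepad', $null)
if ($hwnd -eq [IntPtr]::Zero) {
    throw 'No Notepad window found; start one with "Run as administrator" first.'
}

# Constructed test set: two allow-listed messages and two that UIPI should
# refuse when the target runs at a higher integrity level than this shell.
$text = [Runtime.InteropServices.Marshal]::StringToHGlobalUni('uipi probe')
try {
    @(
        Test-WindowMessage -Hwnd $hwnd -Name 'WM_NULL'          -Msg 0x0000
        Test-WindowMessage -Hwnd $hwnd -Name 'WM_GETTEXTLENGTH' -Msg 0x000E
        Test-WindowMessage -Hwnd $hwnd -Name 'WM_SETTEXT'       -Msg 0x000C -LParam $text
        Test-WindowMessage -Hwnd $hwnd -Name 'WM_CHAR'          -Msg 0x0102 `
                           -WParam ([UIntPtr]::new([uint32]0x41))   # 'A'
    ) | Format-Table -AutoSize
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($text)
}
```

Against an elevated Notepad the first two rows should show Delivered and the last two Blocked with LastError 5; run the same script against a non-elevated Notepad and all four are delivered, the title changes to “uipi probe” and an “A” appears in the editor. That difference is the guarantee Ormandy set out to confirm; the CTF bug matters precisely because it offers a second channel into the privileged process that this check never sees.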