Researching the recent Windows CTF Vulnerabilities

================
TL DR
================
There are no known mitigations for these vulnerabilities. Please see below for a more in-depth explanation.
================

With the release of a security updates by Microsoft in September and August to resolve vulnerabilities in the Windows ALPC and Windows Text Service Framework I wish to provide details on these vulnerabilities.

Why should these vulnerabilities be considered important?
If an attacker were to have ALREADY compromised a vulnerable Windows system, they can then use the exploits made available by Google’s Tavis Ormandy to fully compromise your system. They can obtain the highest level of privilege on it namely NT Authority\System (equivalent to root on a Linux system).

Ormandy found that the running ctfmon.exe of Windows allowed a standard user of Windows to hijack any Windows process even if that process was sandboxed within an AppContainer (a means of isolating sensitive/important processes making them harder to attack). When an attacker does so they can obtain administrative and under some circumstances NT Authority\System level access.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1235

How I can protect my organization and myself from these vulnerabilities?
Apart from installing the above linked to updates, I’m afraid no other mitigations are available. You will need to exercise standard vigilance/caution with opening links. Don’t open attachments you weren’t expecting even from trusted contacts.

This advice is an unfortunate outcome. I had a hypothesis that disabling the ctfmon.exe process (Windows XP, Windows Vista and Windows 7) or the Touch Keyboard and Handwriting Panel service in Windows 8.1 and 10 would mitigate this class of vulnerabilities. This was not the case, Ormandy’s tool worked regardless of whether the ctfmon.exe process was running or not, which now makes sense given how his tool exploits a deeply integrated feature of Windows with a scope much larger than that of the above mentioned process and service.

================
Proof of Concept
================
As a proof of concept on an un-patched version of Windows 10 Version 1903, I can confirm Tavis Ormandy’s CTFTool successfully provides you with both System and Administrative (depending on the type of exploit you run). Only administrative access is available for Windows 7, the tool does not incorporate the System level exploit for Windows 7. Further details of this tool are available at the following links:

https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

https://github.com/taviso/ctftool

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.