A two-decades old security flaw in Windows and Office involving the Text Services Framework module named MSCTF has been publicly disclosed by Google’s Project Zero team. Initially, it was first introduced to Windows XP as part of the operating system, it was optionally installable to Windows 98 and newer, also as part of OfficeXP. As described by Project Zero Security researcher, Tavis Ormandy in Google’s Project Zero blog, MSCTF was built on legacy designs riddled with flaws. Design decisions (read/write access escalation.) that can never be implemented by today’s security-conscious standard, but only happened to be part of Windows and Office for two decades and still counting. This makes MSCTF security flaws as the longest-running vulnerability in Windows, even with today’s latest 1903 built of Windows 10.
On all versions of Windows XP that has MSCTF (optional with Windows 98), it automatically starts as a background process as soon as the user logs in. It is the process that handles text processing, speech recognition, keyboard layout, and input methods. “You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service,” explained Ormandy.
MSCTF’s main flaw is it lacks authentication checks to connect to it, any user and any app even if sandboxed can connect without asking any permission. This enables any user or app to read and even modify the text from any window. Creation of dummy session ID, process ID and hardware IT is also possible, all without authentication as well. MSCTF can also be used for a sandbox app to escape to the operating system. “There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session. However, there is a better option: If we use USER32!LockWorkstation we can switch to the privileged Winlogon desktop that is already running as SYSTEM!,” added Ormandy.
CTF for better or for worse has the capability to bypass the security checks in the Windows operating system itself, which is a very bad design during the days of pre-NT (Windows 98). Such behavior is not normal in the NT-based Windows operating system, where authentication is strictly enforced by the subsystem. MSCTF is like having full control of the whole operating system, encumbered by the Windows User Account Control.
“It took a lot of effort and research to reach the point that I could understand enough of CTF to realize it’s broken. These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed. Now that there is tooling available, it will be harder for these bugs to hide going forward,” concluded Ormandy.