Besides the four wormable Windows vulnerabilities that got patched today, Microsoft also patched a text input vulnerability that could be exploited to gain System-level privileges. The vulnerability, which was discovered by Google Project Zero researcher Tavis Ormandy, resides in the Text Services Framework, a service that handles keyboard layout and text input. This framework has been part of Windows since the Windows XP days and appears to be riddled with security flaws:
"It will come as no surprise that this complex, obscure, legacy protocol is full of memory corruption vulnerabilities," Ormandy said. "Many of the Component Object Model objects simply trust you to marshal pointers across the Advanced Local Procedure Call port, and there is minimal bounds checking or integer overflow checking.
"Some commands require you to own the foreground window or have other similar restrictions, but as you can lie about your thread id, you can simply claim to be that Window's owner and no proof is required."
With this in mind, Ormandy developed a proof-of-concept tool that abused CTF, the protocol behind the Text Services Framework, via Notepad to launch a command-line shell with System-level privileges.
Overall, the risk here is limited, as an attacker already needs access to your system before they can exploit this vulnerability to gain full access. Perhaps the most interesting thing here is that this privilege escalation flaw has been part of Windows since 2001.
More details at The Register.