Windows XP-era text services framework bugs can give an attacker full access to your system
Posted on Wednesday, August 14 2019 @ 14:59 CEST by Thomas De Maesschalck

"It will come as no surprise that this complex, obscure, legacy protocol is full of memory corruption vulnerabilities," Ormandy said. "Many of the Component Object Model objects simply trust you to marshal pointers across the Advanced Local Procedure Call port, and there is minimal bounds checking or integer overflow checking."

"Some commands require you to own the foreground window or have other similar restrictions, but as you can lie about your thread id, you can simply claim to be that Window's owner and no proof is required."

With this in mind, Ormandy was able to develop a proof-of-concept tool that abused CTF, via Notepad, to launch a command-line shell with System-level privileges.

Overall, the risk here is limited: this is a local privilege escalation, so an attacker already needs to be running code on your system before he can exploit it to gain full access. The most interesting thing here perhaps is that this privilege escalation flaw has been part of Windows since 2001. More details at The Register.