Windows XP-era text services framework bugs can give an attacker full access to your system

Posted on Wednesday, Aug 14 2019 @ 14:59 CEST by Thomas De Maesschalck
Besides the four wormable Windows vulnerabilities that got patched today, Microsoft also patched a text input vulnerability that could be exploited to gain System-level privileges. The vulnerability, which was discovered by Google Project Zero researcher Tavis Ormandy, resides in the Text Services Framework, a service that handles keyboard layout and text input. This framework has been part of Windows since the Windows XP days and appears to be riddled with security flaws:
"It will come as no surprise that this complex, obscure, legacy protocol is full of memory corruption vulnerabilities," Ormandy said. "Many of the Component Object Model objects simply trust you to marshal pointers across the Advanced Local Procedure Call port, and there is minimal bounds checking or integer overflow checking.

"Some commands require you to own the foreground window or have other similar restrictions, but as you can lie about your thread id, you can simply claim to be that Window's owner and no proof is required."

With this in mind, Ormandy developed a proof-of-concept tool that abused CTF, the client-server protocol behind the Text Services Framework, via Notepad to launch a command-line shell with System-level privileges.
Overall, the risk is limited, as an attacker already needs a foothold on your system before this vulnerability can be exploited to gain full access. Perhaps the most interesting aspect is that this privilege escalation flaw has been present in Windows since 2001. More details at The Register.
