Windows Vulnerability Allows Full System Control via Notepad

Windows Vulnerability Exploited Through Notepad

Software that has been “buried” in Windows since the days of Windows XP can allow attackers to gain full control over the system. This attack is possible due to the CVE-2019-1162 vulnerability, which Microsoft addressed with security updates released on Tuesday, August 13, 2019.

Security researcher Tavis Ormandy explained how a component of the Text Services Framework (TSF) API can be used by malicious software or an authorized attacker to escalate privileges to the system level. With system-level privileges, malware or a cybercriminal can take complete control of a computer.

The vulnerability involves the CTextFramework (CTF) component, which has been part of TSF since Windows XP. “It’s not surprising that such a complex, obscure, and outdated protocol is full of memory corruption vulnerabilities. Many Component Object Model objects simply trust you to marshal pointers through the Advanced Local Procedure Call port, and boundary or integer overflow checks are minimal,” Ormandy explained.

According to the researcher, only the owner of the foreground window is supposed to be able to execute certain commands. However, an attacker can impersonate the owner of a targeted Windows PC without any proof, simply by lying about their thread identifier. As a result, Ormandy was able to write proof-of-concept code that exploited the CTF vulnerability through the Notepad application and launched a command shell with system privileges.

“Another interesting attack is taking control of the UAC dialog running as NT AUTHORITY\SYSTEM. An unprivileged standard user can initiate the launch of consent.exe using the ‘runas’ ShellExecute() command and gain system privileges,” Ormandy reported.

TSF is a software interface that enables text input independent of language and input devices.
