We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe
Google guru shows how WinXP-era text code grants total control
Patch Tuesday
Software buried in Windows since the days of WinXP can be abused to take complete control of a PC with the help of good ol' Notepad and some crafty code.
On Tuesday, ace bug-hunter Tavis Ormandy, of Google Project Zero, detailed how a component of the operating system's Text Services Framework, which manages keyboard layouts and text input, could be exploited by malware or rogue logged-in users to gain System-level privileges. Such a level of access would grant software nasties and miscreants total control over, and surveillance of, the computer.
After a lengthy investigation, Ormandy discovered that the component in question, CTextFramework aka CTF, which dates as far back as the Windows XP era, is riddled with security flaws, which can be exploited via applications that interact with it to handle text on screen.
"It will come as no surprise that this complex, obscure, legacy protocol is full of memory corruption vulnerabilities," Ormandy said. "Many of the Component Object Model objects simply trust you to marshal pointers across the Advanced Local Procedure Call port, and there is minimal bounds checking or integer overflow checking.
"Some commands require you to own the foreground window or have other similar restrictions, but as you can lie about your thread id, you can simply claim to be that Window's owner and no proof is required."
With this in mind, Ormandy was able to develop a proof-of-concept tool that abused CTF, via Notepad, to launch a command-line shell with System-level privileges.
"The obvious attack is an unprivileged user injecting commands into an Administrator's console session, or reading passwords as users log in. Even sandboxed AppContainer processes can perform the same attack," Ormandy explained.
"Another interesting attack is taking control of the UAC consent dialog, which runs as NT AUTHORITY\SYSTEM. An unprivileged standard user can cause consent.exe to spawn using the 'runas' verb with ShellExecute(), then simply become System."
In the grand scheme of things, the uncovered flaws, while fascinating, are not totally Earth shattering. Elevation-of-privilege holes in Windows are a dime a dozen, and Microsoft patches what feels like scores of them a year. In order to abuse CTF, a scumbag has to be running code on your machine anyway, which is not a good situation.
Threat modeling aside, the fact that the vulnerability was found in a basic component of Windows that had been exposed to applications for more than a decade is both a testament to Ormandy's skill at bug-hunting and an example of just how complex and voluminous Windows has become over its thirty-year-plus lifetime, and of what a massive challenge that complexity presents to Microsoft's engineers from a security standpoint.
"These are the kind of hidden attack surfaces where bugs last for years," Ormandy noted. "It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."