You can hack Windows using Notepad

Brother



Software "buried" in Windows since the days of Windows XP allows you to take complete control over the system. The attack is possible due to the CVE-2019-1162 vulnerability patched by Microsoft with the release of security updates on Tuesday, August 13th.

Security researcher Tavis Ormandy discussed how the Text Services Framework (TSF) API component can be used by malware or an authorized attacker to escalate privileges to the system level. With system-level privileges, malware or a cybercriminal can take complete control of the computer.

This is the CTextFramework (CTF) component that has been present in TSF since Windows XP. “It's no surprise that such a complex, obscure and outdated protocol is full of memory corruption vulnerabilities. Many Component Object Models simply trust you to marshal pointers through the Advanced Local Procedure Call port, and bounds or integer overflow checking is minimized,” Ormandy explained.

According to the researcher, only the owner of the window in the foreground can execute some commands. However, an attacker can impersonate the owner of the attacked Windows PC without any proof, simply by lying about his thread ID. Therefore, Ormandy was able to write PoC code that allowed him to exploit the vulnerability in CTF through the Notepad application and launch a command line shell with system privileges.

“Another interesting attack is taking control of the UAC dialog launched as NT AUTHORITY\SYSTEM. An unprivileged standard user can initiate consent.exe with the 'runas' ShellExecute() command and gain system privileges,” Ormandy said.

TSF is a programming interface that allows language- and device-independent text input.
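The trust flaw described in the post (a foreground-owner check that relies on a thread ID the client reports about itself), reduced to a toy model as an added example; it is not Ormandy's PoC and not the real CTF protocol. All class, field and command names are hypothetical, and the "transport-recorded" identity is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    peer_thread_id: int     # recorded by the transport at connect time (trusted in this model)


@dataclass(frozen=True)
class Message:
    claimed_thread_id: int  # written by the client into its own message (untrusted)
    command: str


class ToyTextService:
    """Only the owner of the foreground window may run privileged commands."""
    PRIVILEGED = {"control_foreground_input"}  # hypothetical command name

    def __init__(self, foreground_owner_tid):
        self.foreground_owner_tid = foreground_owner_tid
        self.audit = []  # detection signal: claimed identity differs from real peer

    def handle_trusting(self, conn, msg):
        # Flawed: authorizes on the identity the client asserted.
        return self._decide(msg.claimed_thread_id, conn, msg)

    def handle_verified(self, conn, msg):
        # Hardened: authorizes on the identity bound to the connection.
        return self._decide(conn.peer_thread_id, conn, msg)

    def _decide(self, identity, conn, msg):
        if msg.claimed_thread_id != conn.peer_thread_id:
            self.audit.append(("identity_mismatch", conn.peer_thread_id,
                               msg.claimed_thread_id))
        if msg.command in self.PRIVILEGED and identity != self.foreground_owner_tid:
            return "denied"
        return "executed"


def demo():
    # Constructed sample: thread 1000 owns the foreground window; thread 2000
    # is an unrelated client that claims to be 1000.
    svc = ToyTextService(foreground_owner_tid=1000)
    other = Connection(peer_thread_id=2000)
    forged = Message(claimed_thread_id=1000, command="control_foreground_input")
    return svc.handle_trusting(other, forged), svc.handle_verified(other, forged), svc.audit


if __name__ == "__main__":
    print(demo())
```

The same request is executed by the trusting handler and denied by the verified one, and both paths leave an `identity_mismatch` audit record that a defender could alert on.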