Crazy Windows Exploit of CTF Protocol

Security researcher discovers memory vulnerabilities in Microsoft Windows CTF Protocol.

Said researcher then develops a tool to connect to and accept connections from other applications to the CTF Protocol. From there, activity and credentials can be grabbed, even privilege escalation performed.

CTF is apparently part of the framework that manages keyboard formats, input, and processing of text.

Noteworthy:

Any application, any user - even sandboxed processes - can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie.

Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications - even privileged applications - to connect to you.

Note that ctf library catches all exceptions, so notepad doesn’t actually crash! This also means you get unlimited attempts at exploitation.

My tl;dr scratches the surface of what was in this article. It is really great work and goes into the mind of a security researcher a bit!

@catsay @SgtAwesomesauce @Token @anyoneinterestedininfosec

7 Likes

CTF - Capture the Flag :smirk:
I see what they did there

2 Likes

LOL I thought the same thing! He couldn’t find an actual definition for what it meant, but he has some speculation at the bottom of the article.

Read that article a couple days ago as well. It’s pretty silly how easy it’d be to use ctftool to pop shells. Gonna take some work on MS’s side of things