Crazy Windows Exploit of CTF Protocol

Security researcher discovers memory vulnerabilities in Microsoft Windows CTF Protocol.

Said researcher then develops a tool to connect to and accept connections from other applications to the CTF Protocol. From there, activity and credentials can be grabbed, even privilege escalation performed.

CTF is apparently part of the framework that that manages keyboard formats, input, and processing of text.


Any application, any user - even sandboxed processes - can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie.

Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications - even privileged applications - to connect to you.

Note that ctf library catches all exceptions, so notepad doesn’t actually crash! This also means you get unlimited attempts at exploitation.

My tl;dr scratches the surface of what was in this article. It is really great work and goes into the mind of a security researcher a bit!

@catsay @SgtAwesomesauce @Token @anyoneinterestedininfosec


CTF - Capture the Flag :smirk:
I See what they did there


LOL I thought the same thing! He couldn’t find an actual definition for what it meant, but he has some speculation at the bottom of the article.

Read that article a couple days ago as well. It’s pretty silly how easy it’d be to use ctftool to pop shells. Gonna take some work on MS’s side of things