Skip to content
Browse files

document edit sessions

  • Loading branch information...
taviso committed Jul 30, 2019
1 parent 7cc825c commit 7f69492813d197d0925a13b24f9a975917b35334
Showing with 31 additions and 3 deletions.
  1. +31 −3
  2. BIN docs/edit-session-full.png
  3. BIN docs/edit-thumb.png
@@ -102,9 +102,8 @@ of the connected clients.

> If you don't want to build it yourself, check out the [releases]( tab
I used [GNU make]( and Visual Studio 2019 to develop `ctftool`.

Only 32-bit builds are supported, as this allows the tool to run on x86 and x64 Windows.
I used [GNU make]( and Visual
Studio 2019 to develop `ctftool`. Only 32-bit builds are supported, as thisallows the tool to run on x86 and x64 Windows.

If all the dependencies are installed, just typing `make` in a developer command
prompt should be enough.
@@ -225,6 +224,35 @@ If you're interested, I recommend watching it in a debugger. Note that you will
need to use the command `sxd av` and `sxd bpe` or the debugger will stop for
every write!

## Edit Session Attacks

Apart from memory corruption, a major vulnerability class exposed by CTF are
*edit session attacks*. Normally, an unprivileged process (for example, low
integrity) would not be permitted to send input or read data from a high
privileged process. This security boundary is called UIPI, *User Interface
Privilege Isolation*.

CTF breaks these assumptions, and allows unprivileged processes to send input
to privileged processes.

Their are some requirements for this attack to work, as far as I'm aware it
will only work if you have a display language installed that uses an OOP TIP,
*out-of-process text input processor*. Users that speak languages that use IMEs
(Chinese, Japanese, Korean, and so on) and users with a11y tools likely fall
into this category.

Example attacks include...

* Sending commands to an elevated command window.
* Reading passwords out of dialogs.
* Escaping sandboxes by sending input to unsandboxed windows.

There is an example [script](scripts/ctf-demo-editsession.ctf) in the scripts
directory that will send input to a notepad window to demonstrate how edit
sessions work.

[![Edit Session Screenshot](docs/edit-thumb.png)](docs/edit-session-full.png)

## Status

At the time of writing, it is unknown how Microsoft will change the CTF
Binary file not shown.
BIN +178 KB docs/edit-thumb.png
Binary file not shown.

0 comments on commit 7f69492

Please sign in to comment.
You can’t perform that action at this time.