No Patch for New PhantomRPC Privilege Escalation Technique in Windows
Briefly

"The local privilege escalation issue potentially affects all Windows versions and abuses another legitimate Windows mechanism, where processes are allowed to impersonate other processes to perform specific actions."
"To exploit PhantomRPC, an attacker needs to compromise a privileged service, deploy a fake RPC server, listen to specific requests, and then impersonate the targeted service to escalate their privileges."
"Furthermore, the RPC runtime does not verify the legitimacy of RPC servers, and processes are allowed to deploy RPC servers exposing the same endpoints as legitimate services."
"The attacker could compromise a service running under the Network Service account and deploy a fake RPC server with the same RPC interface UUID and exposed endpoint name as TermService, the default Remote Desktop service."
A vulnerability named PhantomRPC in the Windows Remote Procedure Call (RPC) mechanism enables local privilege escalation. The issue potentially affects all Windows versions and abuses a legitimate feature: a process servicing an RPC call is allowed to impersonate its caller. Because the RPC runtime does not verify the legitimacy of RPC servers, a process may register a server exposing the same interface UUID and endpoint name as a legitimate service, so any privileged process that relies on RPC becomes a potential escalation path. The attack requires an attacker to first compromise a privileged service (for example one running as Network Service), deploy a fake RPC server, wait for a higher-privileged client to connect, and then impersonate it to gain elevated privileges. As the title notes, no patch is currently available.
Read at SecurityWeek