This research introduces PhantomRPC, a local privilege escalation (LPE) technique targeting the Windows Remote Procedure Call (RPC) architecture. The weakness is one of design: the RPC runtime does not verify that the server a client binds to is the legitimate one. An attacker who holds SeImpersonatePrivilege (held by default by the Local Service and Network Service accounts, among others) registers a malicious RPC server on the endpoint of a system service that is expected but not currently listening, and so intercepts calls from higher-privileged processes. When a client such as the Group Policy service or Microsoft Edge binds with an impersonation level of Impersonate or higher (an Identify-level binding yields a token that cannot be used to act as the caller), the attacker calls RpcImpersonateClient inside the server stub and runs as the caller, typically SYSTEM or an Administrator.
The author identifies multiple exploitation paths, including background services such as the Diagnostic System Host (WDI) and actions triggered by an interactive user. Despite disclosure to Microsoft, the issue remains unpatched: it was classified as a moderate architectural weakness rather than a high-severity bug. To defend against these attacks, organizations should monitor for RPC_S_SERVER_UNAVAILABLE errors (Win32 error 1722, the error a client receives when the expected service is not listening, which is exactly the window a rogue server fills) using Event Tracing for Windows (ETW), and apply least privilege by limiting which accounts are granted SeImpersonatePrivilege.
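The two defensive checks above, as an added PowerShell example that is not part of the original research or its tooling: the first function lists which principals hold SeImpersonatePrivilege on the local machine (via a `secedit` export of the user-rights policy), and the second runs a short ETW capture of the Microsoft-Windows-RPC provider and filters it for RPC_S_SERVER_UNAVAILABLE. The session name `PhantomRpcWatch`, the file paths, and the assumption that error 1722 appears in the rendered event message are mine; adjust the filter to whatever fields your trace actually records.

```powershell
#Requires -RunAsAdministrator
# Added example: defensive checks suggested by the PhantomRPC summary.
# Not the researcher's code. Run from an elevated PowerShell prompt.

function Get-ImpersonatePrivilegeHolders {
    # secedit exports the local policy as an INF; the [Privilege Rights]
    # section lists holders as comma-separated SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }

    # Default Windows holders: LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE.
    $default = @('S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6')

    foreach ($sid in $sids) {
        $account = try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID (deleted account, foreign domain)
        [pscustomobject]@{
            Sid       = $sid
            Account   = $account
            IsDefault = $default -contains $sid   # anything non-default deserves a look
        }
    }
}

function Get-RpcServerUnavailableEvents {
    param([int]$Seconds = 30)
    $etl = Join-Path $env:TEMP 'rpc-watch.etl'
    # Start an ETW session on the RPC provider, wait, then stop it.
    logman start PhantomRpcWatch -p Microsoft-Windows-RPC -o $etl -ets | Out-Null
    try {
        Start-Sleep -Seconds $Seconds
    } finally {
        logman stop PhantomRpcWatch -ets | Out-Null
    }
    # RPC_S_SERVER_UNAVAILABLE is Win32 error 1722 (0x6BA). Assumption: the status
    # is rendered into the event message; otherwise inspect $_.Properties instead.
    Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\b1722\b|0x6BA|RPC_S_SERVER_UNAVAILABLE' } |
        Select-Object TimeCreated, ProcessId, Id, Message
}

# Usage:
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
Get-RpcServerUnavailableEvents -Seconds 30 | Format-Table -AutoSize -Wrap
```

The privilege check cannot simply strip SeImpersonatePrivilege from the service accounts, since many services need it; its value is in surfacing extra holders (custom service accounts, scheduled-task identities, local users) that widen the pool of principals from which PhantomRPC can be launched. The ETW capture is a starting point for a detection, not a finished one: a client repeatedly hitting 1722 on an endpoint and then binding successfully is the pattern worth correlating with which process registered that endpoint.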