Mark0

Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation

A new architectural vulnerability in Windows Remote Procedure Call (RPC), dubbed "PhantomRPC," allows for local privilege escalation by exploiting how the OS handles connections to unavailable services. Discovered by Kaspersky researcher Haidar Kabibo, the flaw enables a low-privileged attacker to deploy a malicious RPC server that mimics a legitimate service. When a high-privileged process attempts to connect to the intended service, the attacker can impersonate the client to elevate their privileges to SYSTEM level.

Despite the demonstration of five distinct exploit paths, Microsoft has classified the issue as "moderate severity" and declined to issue a CVE or a patch, stating that the attack requires SeImpersonatePrivilege to succeed. Security teams are advised to use Event Tracing for Windows (ETW) to monitor for RPC exceptions and to strictly limit the assignment of impersonation privileges to mitigate potential abuse.
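
Since Microsoft's reasoning hinges on SeImpersonatePrivilege, a defender's first check is which local principals actually hold it. The PowerShell below is an added example, not code from the article or from the Kaspersky research; it assumes an elevated prompt, because secedit exports the local security policy, and resolves the exported SIDs to account names.

```powershell
# Added example: list principals granted SeImpersonatePrivilege in local policy.
# Assumes an elevated prompt; secedit refuses to export policy otherwise.
function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    # Export only the user-rights area; output is an INI-style file with a
    # [Privilege Rights] section, one line per right, SIDs prefixed with '*'.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    if (-not $line) {
        # No line at all means the right is assigned to nobody in local policy.
        return @()
    }

    $entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }

    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # '*S-1-5-...' is a SID; translate it to DOMAIN\Name where possible.
            $sid = $entry.TrimStart('*')
            $name = try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { '<unresolved>' }
        } else {
            # Policy may also store a bare account name instead of a SID.
            $sid  = '<n/a>'
            $name = $entry
        }
        [pscustomobject]@{ Account = $name; SID = $sid }
    }
}

# Default Windows assignment is Administrators, SERVICE, LOCAL SERVICE and
# NETWORK SERVICE; anything beyond that deserves a justification.
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
```

Run it across a fleet (for example via a remoting job) and diff the results against the default set to find hosts where the right has been widened.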
