PhantomRPC: A new privilege escalation technique in Windows RPC

Summary

Kaspersky researcher Haidar Kabibo disclosed PhantomRPC, a vulnerability in Windows RPC architecture that allows attackers with impersonation privileges to escalate to SYSTEM level by creating fake RPC servers. The vulnerability differs from the 'Potato' exploit family and affects all Windows versions; Microsoft has not issued a patch despite proper disclosure. The research demonstrates five distinct exploitation paths leveraging RPC coercion, user interaction, and background service abuse.

Full text

Table of Contents IntroMSRPCImpersonation in WindowsInteraction between Group Policy service and TermServiceCoercing the Group Policy serviceRPC architecture flowIdentifying RPC calls to unavailable serversAdditional privilege escalation pathsUser interaction: From Edge to RDPBackground services: From WDI to RDPAbusing the Local Service account: From ipconfig to DHCPAbusing TimeVulnerability disclosureDetection and defenseConclusion Authors Haidar Kabibo Intro Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution. In this research, I present a new vulnerability in the RPC architecture that enables a novel local privilege escalation technique in all Windows versions. This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Although this vulnerability differs fundamentally from the “Potato” exploit family, Microsoft has not issued a patch despite proper disclosure. I will demonstrate five different exploitation paths that show how privileges can be escalated from various local or network service contexts to SYSTEM or high-privileged users. Some techniques rely on coercion, some require user interaction and some take advantage of background services. As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path. For this reason, I also outline a methodology for identifying such opportunities. Finally, I examine possible detection strategies, as well as defensive approaches that can help mitigate such attacks. MSRPC Microsoft RPC (Remote Procedure Call) is a Windows technology that enables communication between two processes. It enables one process to invoke functions that are implemented in another process, even though they are running in different execution contexts. The figure below illustrates this mechanism. Let us assume that Host A is running two processes: Process A and Process B. Process B needs to execute a function that resides inside Process A. To enable this type of interaction, Windows provides the Remote Procedure Call (RPC) architecture, which follows a client–server model. In this model, Process A acts as the RPC server, exposing its functionality through an interface, in our example, Interface A. Each RPC interface is uniquely identified by a Universally Unique Identifier (UUID), which is represented as a 128-bit value. This identifier enables the operating system to distinguish one interface from another. The interface defines a set of functions that can be invoked remotely by the RPC client implemented in Process B. In our example, the interface exposes two functions: Fun1 and Fun2. To communicate with the server, the RPC client must establish a connection through a communication endpoint. An endpoint represents the access point that enables transport between the client and the server. Because RPC supports multiple transport mechanisms, different endpoint types may exist, depending on the underlying transport. For example: When TCP is used as the transport layer, the endpoint is a TCP port. When SMB is used, communication occurs through a named pipe. When ALPC is used, the endpoint is an ALPC port. Each transport mechanism is associated with a specific RPC protocol sequence. For instance: ncacn_ip_tcp is used for RPC over TCP. ncacn_np is used for RPC over named pipes. ncalrpc is used for RPC over ALPC. In this research, I focus specifically on Advanced Local Procedure Call (ALPC) as the RPC transport mechanism. ALPC is a Windows interprocess communication mechanism that predates MSRPC. Today, RPC can leverage ALPC as an efficient transport layer for communication between processes located on the same machine. For simplicity, an ALPC port can be thought of as a communication channel similar to a file, where processes can send messages by writing to it, and receive messages by reading from it. When the client wants to invoke a remote function, for example, Fun1, it must construct an RPC request. This request includes several important pieces of information, such as the interface UUID, the protocol sequence, the endpoint, and the function identifier. In RPC, functions are not referenced by name, but by a numerical identifier called the operation number (OPNUM). Depending on the requirements of the call, the request may also contain additional structures, such as security-related information. Impersonation in Windows In Windows, impersonation enables a service to temporarily operate using another user’s security context. For example, a service may need to open a file that belongs to a user while performing a specific operation. By impersonating the calling user, the system allows the service to access that file, even if the service itself would not normally have permission to do so. You can read more about impersonation in James Forshaw’s book Windows Security Internals. This research focuses specifically on RPC impersonation. Instead of describing the interaction as a service and a user, I refer to the participants as a client and a server. In this model, the RPC server may temporarily adopt the identity of the client that initiated the request. To perform this operation, the RPC server can call the RpcImpersonateClient API, which causes the server thread to execute under the client’s security context. However, in some situations, a client may not want the server to be able to impersonate its identity. To control this behavior, Windows introduces the concept of an impersonation level. This defines how much authority the client grants the server to act on its behalf. These settings are defined as part of the Security Quality of Service (SQOS) parameters, specified using the SECURITY_QUALITY_OF_SERVICE structure. As you can see, this structure contains the impersonation level field, which determines the extent to which the server can assume the client’s identity. Impersonation levels range from Anonymous, where the server cannot impersonate the client at all, to Impersonate and Delegate, which allow the server to act fully on behalf of the client. At the same time, not every server process is allowed to impersonate a client. If any process could perform impersonation freely, it would pose a serious security risk. To prevent this, Windows requires the server process to possess a specific privilege called SeImpersonatePrivilege. Only processes with this privilege can successfully impersonate a client. This privilege is granted by default to certain service accounts, such as Local Service and Network Service. Interaction between Group Policy service and TermService The Group Policy Client service (gpsvc) is a core Windows service responsible for applying and enforcing group policy settings on a system. It runs under the SYSTEM account inside svchost.exe. When a group policy update is triggered, Windows uses an executable called gpupdate.exe. This tool can be executed with the /force flag to force an immediate refresh of all group policy settings. Internally, this executable communicates with the Group Policy service, which coordinates the update process. At a certain stage during this operation, the Group Policy service attempts to communicate with TermService (Terminal Service, the Remote Desktop Services service) using RPC. TermService is responsible for providing remote desktop fu

Indicators of Compromise

• malware — PhantomRPC

Entities