Kaspersky discovered a dangerous PhantomRPC vulnerability in Windows


Kaspersky Lab specialists have reported the discovery of a new vulnerability in the Windows RPC mechanism, which has been named PhantomRPC, as reported by Xrust. Researchers warn that the problem could be used by attackers to escalate privileges all the way up to the SYSTEM level, one of the highest access levels in the Windows operating system.

According to experts, this is not a single error in a separate application or service, but an architectural feature of the remote procedure call (RPC) platform itself. This is why the potential danger of PhantomRPC is considered especially serious for corporate networks and workstations.

What is Windows RPC and why is it important

RPC (Remote Procedure Call) technology is one of the basic parts of Windows and is responsible for the interaction of processes and services within the system, as well as for the exchange of data between various components. Many system functions, network services, and administration tools operate through RPC.

The researchers explained that the vulnerability allows attackers to create fake RPC servers that are capable of intercepting requests and using user impersonation mechanisms. If the attacked process has the SeImpersonatePrivilege right, it is possible to escalate privileges to SYSTEM.

In fact, the attacker gains almost complete control over the device. This opens the way to installing malware, disabling security mechanisms, accessing sensitive data, and further spreading the attack within the network.

Experts called the number of attack scenarios “virtually unlimited”

In a technical report, Kaspersky Lab specialists described five different scenarios for using PhantomRPC. They all demonstrate the ability to escalate privileges from both local and network contexts.

At the same time, researchers emphasize that the number of potential attack options may be much greater. The reason lies in the Windows RPC architecture itself: different services, DLLs and third-party programs can create new communication chains that are suitable for exploiting the vulnerability.

Experts note that the set of possible scenarios depends on many factors:

  • Windows version;
  • system configurations;
  • installed software;
  • the presence of certain RPC services;
  • DLL components used;
  • organization security policies.

Because of this, risk assessment becomes a more complex task for information security specialists. The same mechanism can pose a minimal threat in one infrastructure and a critical one in another.

Why PhantomRPC is causing concern among experts

Elevation of privilege vulnerabilities are traditionally considered among the most dangerous in the field of information security. Even if an attacker has already gained only minimal access to the system, further exploitation of such errors allows them to gain a foothold in the infrastructure and obtain almost unlimited capabilities.

In the case of PhantomRPC, an additional concern is the widespread use of RPC mechanisms in Windows. RPC is used in many system processes, so it is impossible to completely eliminate interaction with this technology.

Experts also note that the exploitation of such architectural features can complicate the detection of attacks by traditional security tools, especially if attackers use legitimate system mechanisms.

What protection measures does Kaspersky recommend

To reduce risks, Kaspersky Lab recommends that organizations strengthen monitoring of RPC activity and limit the use of the SeImpersonatePrivilege.

In particular, the company advises:

  • implement ETW (Event Tracing for Windows) monitoring;
  • monitor RPC errors and attempts to connect to unavailable servers;
  • limit the issuance of SeImpersonatePrivilege only to truly necessary processes;
  • audit third-party services and applications;
  • strengthen control over Windows system services.

Experts emphasize that you should be especially careful with third-party software that has been granted extended system rights. It is these applications that can become an additional entry point for attackers.
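To make the recommendations above concrete, here is an added PowerShell audit script (not part of the article or of Kaspersky's report) that lists which accounts hold SeImpersonatePrivilege on the local host, flags any holders beyond the Windows default set, and enumerates the running services that inherit the right. The default-holder baseline and the temporary file path are assumptions made for this example.

```powershell
# Added example (not from the Kaspersky report or this article): audit which
# accounts hold SeImpersonatePrivilege on the local host and which running
# services inherit it, to check the "limit SeImpersonatePrivilege"
# recommendation. Requires an elevated PowerShell session (secedit needs it).

# Assumed temporary path for the exported local security policy.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated session' }

# The exported [Privilege Rights] section lists each right as, for example:
#   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $inf -Force

if (-not $line) { throw 'SeImpersonatePrivilege not present in the exported policy' }

$rawEntries = ($line -split '=', 2)[1].Trim() -split ','
$holders = foreach ($entry in $rawEntries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # A leading * marks a SID; translate it to an account name where possible.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }
    } else { $entry }
}

# Baseline assumed for this example: the holders Windows assigns by default.
$baseline = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\SERVICE'
)

Write-Host "SeImpersonatePrivilege holders on $($env:COMPUTERNAME):"
$holders | ForEach-Object { Write-Host "  $_" }

$extra = $holders | Where-Object { $_ -notin $baseline }
if ($extra) {
    Write-Warning "Holders beyond the default set (review each): $($extra -join ', ')"
} else {
    Write-Host 'No holders beyond the Windows default set.'
}

# Every process started by the Service Control Manager carries the SERVICE
# group (S-1-5-6) in its token, so while NT AUTHORITY\SERVICE holds the right,
# each running service effectively has SeImpersonatePrivilege regardless of
# its logon account. List them so third-party services can be reviewed.
if ($holders -contains 'NT AUTHORITY\SERVICE') {
    Write-Host "`nRunning services (each inherits the right via the SERVICE group):"
    Get-CimInstance Win32_Service -Filter "State='Running'" |
        Select-Object Name, StartName, PathName |
        Sort-Object StartName, Name |
        Format-Table -AutoSize
}

# Finally, show whether the current session's own token holds the right.
whoami /priv | Select-String 'SeImpersonatePrivilege'
```

The service listing is the part worth reading most closely: because the right is granted to the SERVICE group rather than to individual accounts, removing a named account from the policy does not take the right away from a third-party service, so the review has to be done at the level of which services are installed and running.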

The threat is relevant for corporate networks

PhantomRPC poses the greatest danger to corporate infrastructure, where remote interaction services, administration tools and a large number of system services are actively used.

Cybersecurity experts believe that organizations should check Windows security settings and audit access rights in advance. Even if mass attacks using PhantomRPC have not yet been recorded, the publication of technical details usually increases the interest of attackers in such methods.

Kaspersky Lab's research once again shows how important it remains to control the internal mechanisms of Windows and to monitor suspicious activity in corporate systems in a timely manner.

From the pages of https://pokde.net
