New Local Privilege Escalation Vulnerability in Windows RPC
Researchers from Kaspersky Security Services have identified a critical architectural vulnerability in the Windows Remote Procedure Call (RPC) framework, which enables local privilege escalation for all Windows versions. This flaw allows processes with impersonation privileges to elevate their permissions to the SYSTEM level without requiring a patch from Microsoft, as the vulnerability has not been classified as high severity.
The research outlines five distinct exploitation paths that can lead to privilege escalation from various local or network service contexts. Techniques vary, with some requiring user action while others can be triggered by background services. Given the architectural nature of this vulnerability, it poses an expansive attack surface, as any new service or process relying on RPC could introduce additional escalation vectors.
The analysis demonstrated that common Windows services, such as the Group Policy Client and various system DLLs, utilize RPC for internal operations. Affected components include the Group Policy service and Terminal Services (TermService), both of which expose RPC interfaces that can be manipulated. Figures provided in the research illustrate the interaction between the Group Policy service and TermService, as well as typical attack flows that can be leveraged against high-privileged processes.
Defensive Context
This vulnerability is particularly relevant to organizations that run Windows systems utilizing Group Policy and Remote Desktop Services. Administrators should be aware that attackers with network access can exploit this flaw in configurations where impersonation is granted. Typically, systems with active Group Policies or those that enable Remote Desktop services will be at a greater risk of exploitation through this method, especially in environments where unmanaged services run under the Network Service account.
Organizations should closely monitor RPC interactions, particularly calls failing with a status code related to server unavailability. While the vulnerability does not necessitate immediate patching, proactively identifying and analyzing such calls can mitigate risks by averting potential exploitation.
Why This Matters
The risk is pronounced in environments that frequently interact with sensitive administrative functions via RPC, as successful exploitation can yield SYSTEM-level access, compromising the entire system. Enterprises, particularly those in sectors with stringent security requirements, should take this vulnerability seriously, given the potential for severe operational disruption.
Defender Considerations
Kaspersky has provided detection strategies that focus on monitoring RPC activity using Event Tracing for Windows (ETW). Organizations are advised to implement procedures to capture RPC interactions and failures, particularly those involving high impersonation levels. By keeping a close watch on these methods, security teams can identify attempts to exploit the underlying architecture by recognizing unexpected access requests, which could indicate an ongoing attack.
Indicators of Compromise (IOCs)
Although the article does not specify concrete IOCs, the common patterns in RPC failures, especially RPC_S_SERVER_UNAVAILABLE, should be monitored closely. Organizations should develop logs that capture relevant metadata around RPC interactions to improve visibility into potential attack vectors related to this vulnerability.
