A Kaspersky researcher discloses PhantomRPC, a novel local privilege escalation vulnerability in the Windows RPC architecture. The flaw allows a process holding SeImpersonatePrivilege to register a fake RPC server that mimics a legitimate service, then intercept RPC calls made at a high impersonation level by privileged processes and use them to escalate to SYSTEM or Administrator. Five exploitation paths are demonstrated: coercing the Group Policy service, waiting for Edge to start, exploiting background calls from WDI, abusing the ipconfig/DHCP interaction, and exploiting w32tm.exe connecting to a nonexistent named pipe. Microsoft classified the issue as moderate severity and declined to patch it, citing the SeImpersonatePrivilege prerequisite. The researcher provides ETW-based detection tooling and a methodology for discovering similar RPC attack surfaces.
Table of contents

Intro
MSRPC
Impersonation in Windows
Interaction between Group Policy service and TermService
Coercing the Group Policy service
RPC architecture flow
Identifying RPC calls to unavailable servers
Additional privilege escalation paths
Vulnerability disclosure
Detection and defense
Conclusion