A Kaspersky researcher discovered a vulnerability in the RPC architecture that enables an attacker to create a fake RPC server and escalate their privileges.
# Vulnerability: PhantomRPC – Windows RPC Elevation of Privilege
## CVE Details
- **CVE ID:** CVE-2024-38060
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-285 (Improper Authorization)
## Affected Systems
- **Products:** Microsoft Windows and Windows Server
- **Versions:** This affects nearly all modern versions of Windows, including Windows 10, Windows 11, and Windows Server 2008 through 2022.
- **Configurations:** Systems where the Remote Procedure Call (RPC) service is running (default behavior in Windows).
## Vulnerability Description
The "PhantomRPC" vulnerability is a flaw in the Microsoft Remote Procedure Call (RPC) architecture. It exists because the RPC runtime fails to properly validate the identity of an RPC server when a client attempts to connect to it via a local named pipe.
Specifically, an attacker can create a "fake" RPC server with the same name as a legitimate, high-privileged service. When a high-privileged process (such as a system service) tries to communicate with the intended RPC server, it may inadvertently connect to the attacker-controlled pipe. The attacker can then use this connection to impersonate the calling service, effectively escalating their privileges from a standard user to SYSTEM level.
## Exploitation
- **Status:** PoC available; detailed technical research published by Kaspersky. No widespread evidence of exploitation in the wild prior to the patch disclosure.
- **Complexity:** Medium (requires deep understanding of Windows RPC internals and timing).
- **Attack Vector:** Local (the attacker must already have the ability to execute code on the target system).
## Impact
- **Confidentiality:** High (Full access to system-level data).
- **Integrity:** High (Ability to modify system files and configurations).
- **Availability:** High (Ability to crash or disable critical system services).
## Remediation
### Patches
- Microsoft addressed this vulnerability in the **August 2024 Security Updates**. Users should apply the latest cumulative updates for their specific Windows version.
### Workarounds
- There are no direct workarounds that do not interfere with core Windows functionality, as RPC is essential for the operating system. The recommended action is immediate patching.
## Detection
- **Indicators of Compromise:** Unusual named pipe creation by non-administrative processes, particularly pipes mimicking internal Windows services.
- **Detection Methods:**
  - Monitor for event IDs related to service installation and named pipe creation (e.g., Sysmon Event IDs 17 and 18).
  - Use security tooling to audit unauthorized processes attempting to register RPC interfaces that are already reserved by the system.
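As an added example (not part of this advisory or Kaspersky's research), the following Python script applies the detection idea above to constructed Sysmon Event ID 17 (Pipe Created) and 18 (Pipe Connected) records: it flags a pipe that was created by an unprivileged account and later connected to by a privileged process. The event records, the pipe names and the list of privileged accounts are assumptions built for the example.

```python
"""Correlate constructed Sysmon pipe events: a named pipe created by an
unprivileged account (Event ID 17) that a privileged process later
connects to (Event ID 18) matches the fake-RPC-server pattern."""

# Accounts whose pipe creations are treated as expected (assumption for this example).
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                       "NT AUTHORITY\\NETWORK SERVICE"}

# Constructed Sysmon 17/18 records, reduced to the fields the detection needs.
# The pipe name "\\examplesvc_rpc" is a placeholder, not a real Windows pipe.
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2024-08-13 09:00:01", "PipeName": "\\srvsvc",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 17, "UtcTime": "2024-08-13 09:00:05", "PipeName": "\\examplesvc_rpc",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "User": "CORP\\alice"},
    {"EventID": 18, "UtcTime": "2024-08-13 09:00:07", "PipeName": "\\examplesvc_rpc",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 18, "UtcTime": "2024-08-13 09:00:09", "PipeName": "\\srvsvc",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

def is_privileged(user):
    """Case-insensitive check against the privileged-account list."""
    return user.upper() in {a.upper() for a in PRIVILEGED_ACCOUNTS}

def find_suspicious_pipe_usage(events):
    """Return one alert per Event 18 in which a privileged process connects to a
    pipe whose most recent recorded creator (Event 17) was an unprivileged user.
    Events are sorted by UtcTime so the creation is seen before the connect."""
    unprivileged_creators = {}  # lower-cased pipe name -> creating Event 17 record
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        name = ev["PipeName"].lower()
        if ev["EventID"] == 17 and not is_privileged(ev["User"]):
            unprivileged_creators[name] = ev
        elif ev["EventID"] == 18 and name in unprivileged_creators and is_privileged(ev["User"]):
            created = unprivileged_creators[name]
            alerts.append({"UtcTime": ev["UtcTime"], "PipeName": ev["PipeName"],
                           "CreatedBy": created["User"], "CreatorImage": created["Image"],
                           "ConnectedBy": ev["User"], "ConnectorImage": ev["Image"]})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_pipe_usage(SAMPLE_EVENTS):
        print(f"ALERT {a['UtcTime']}: {a['ConnectedBy']} ({a['ConnectorImage']}) connected to "
              f"{a['PipeName']}, created by {a['CreatedBy']} ({a['CreatorImage']})")
```

In production the records would come from the Sysmon operational log (Microsoft-Windows-Sysmon/Operational) rather than an inline list, and the privileged-account set should be tuned to the environment.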
## References
- **Vendor Advisory:** [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38060](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38060)
- **Technical Analysis:** [https://securelist[.]com/phantomrpc-rpc-vulnerability/119428/](https://securelist[.]com/phantomrpc-rpc-vulnerability/119428/)