Windows RPC Spoofing Flaw Allows Attackers to Hijack Secure Services
Hidden Weakness Exposes Trusted Connections to Poisoning
At DEF CON 33, security researcher Ron Ben Yizhak from SafeBreach detailed a vulnerability in Windows’ Remote Procedure Call (RPC) Endpoint Mapper (EPM) that can be exploited for interface spoofing. This flaw enables a local attacker to misdirect privileged service requests to endpoints under their control, potentially resulting in credential theft and elevated privileges.
The issue lies in how the EPM registers and resolves UUID-to-endpoint mappings, with no robust mechanism to ensure authenticity.
As Ben Yizhak explained, "clients to connect to an unknown process that wasn't even running with admin privileges."
A Broken Chain of Trust within RPC Resolution
The EPM behaves like a directory for RPC services, mapping unique identifiers to active endpoints. The vulnerability allows a malicious process to register its interface before the legitimate service starts, effectively impersonating it. This breaks the trust model intended to protect inter-process communication.
When Services Start Matters Most
Delayed Loads Create Hijacking Windows
Certain Windows services are set to “delayed start,” meaning they only register with the EPM some time after boot. This gives attackers a critical opportunity to insert their spoofed registrations first, ensuring that subsequent RPC calls are routed to their malicious endpoint instead of the real one.
Attack Chain: RPC Hijack to NTLM Relay and Beyond
SafeBreach demonstrated how this weakness can be leveraged through its proof-of-concept tool, RPC-Racer. By hijacking specific interfaces such as the Storage Service or Delivery Optimization, attackers can trigger authentication attempts from system processes, capturing NTLM hashes.
The research showed how this could be chained into an NTLM relay attack, potentially compromising high-value resources such as Active Directory Certificate Services and achieving full domain compromise.
Strengthening RPC Trust: Recommendations for Defenders
Build EPM Defenses Like Pinning Up Secure Channels
Ben Yizhak stressed the design flaw at the core of the issue: "The current design of the endpoint mapper (EPM) doesn't perform this verification. Without this verification, clients will accept data from unknown sources."
Defensive measures include:
- Enforcing strict validation for RPC endpoint registration
- Monitoring RpcEpRegister calls for anomalies
- Using ETW-based logging to detect unusual service-to-endpoint mappings
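The detection ideas in the list above, and the delayed-start race described earlier, can be reduced to a simple rule set over endpoint-registration telemetry: an interface in a known-good baseline should be registered only by its expected image and account, and a second registration of the same interface by a different process (especially a privileged one arriving long after an unprivileged one) is the signature of a lost race. The following script is an added example written for this article, not SafeBreach's RPC-Racer tool or any Microsoft code; the UUIDs, process names, log format and timings are all constructed placeholders, and real ETW events would need their own parser in place of `parse_line`.

```python
"""Flag suspicious RPC endpoint registrations in constructed, ETW-like log lines.

Added example (not from the article or SafeBreach). The key=value line format,
the interface UUIDs and the allowlist below are all hypothetical placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: interface UUID -> (expected registering image, expected account).
# A real deployment would build this from a known-good host, not hard-code it.
EXPECTED_REGISTRARS: Dict[str, Tuple[str, str]] = {
    "aaaaaaaa-0000-0000-0000-000000000001": ("svchost.exe", "NT AUTHORITY\\SYSTEM"),
    "aaaaaaaa-0000-0000-0000-000000000002": ("svchost.exe", "NT AUTHORITY\\SYSTEM"),
}

# Constructed sample telemetry. The second interface is a "delayed start" service:
# an unprivileged process registers it at t=4.5, the real service only at t=95.
SAMPLE_LOG = r"""
t=3.10 event=RpcEpRegister uuid=aaaaaaaa-0000-0000-0000-000000000001 pid=812 image=svchost.exe account="NT AUTHORITY\SYSTEM" endpoint=ncalrpc:[LRPC-1a2b]
t=4.50 event=RpcEpRegister uuid=aaaaaaaa-0000-0000-0000-000000000002 pid=4412 image=rogue.exe account="DESKTOP\lowpriv" endpoint=ncalrpc:[LRPC-evil]
t=95.00 event=RpcEpRegister uuid=aaaaaaaa-0000-0000-0000-000000000002 pid=1340 image=svchost.exe account="NT AUTHORITY\SYSTEM" endpoint=ncalrpc:[LRPC-9f8e]
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


@dataclass
class Registration:
    t: float
    uuid: str
    pid: int
    image: str
    account: str
    endpoint: str


@dataclass
class Finding:
    kind: str
    uuid: str
    pid: int
    detail: str


def parse_line(line: str) -> Optional[Registration]:
    """Parse one constructed log line; return None for non-registration events."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if fields.get("event") != "RpcEpRegister":
        return None
    return Registration(
        t=float(fields["t"]),
        uuid=fields["uuid"].lower(),
        pid=int(fields["pid"]),
        image=fields["image"].lower(),
        account=fields["account"],
        endpoint=fields["endpoint"],
    )


def analyze(log_text: str) -> List[Finding]:
    """Apply three rules to the registrations, in time order.

    unexpected_registrar: a baselined interface registered by the wrong image/account.
    duplicate_registration: the same interface registered by two different processes.
    race_won_by_rogue: the legitimate registrar arrived after a non-baseline one,
                       i.e. the hijack window was already taken when the service started.
    """
    regs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    regs.sort(key=lambda r: r.t)
    findings: List[Finding] = []
    first_seen: Dict[str, Registration] = {}

    def is_legit(r: Registration) -> bool:
        exp_image, exp_account = EXPECTED_REGISTRARS[r.uuid]
        return r.image == exp_image and r.account == exp_account

    for r in regs:
        if r.uuid not in EXPECTED_REGISTRARS:
            continue  # not in baseline; out of scope for these rules
        if not is_legit(r):
            findings.append(Finding("unexpected_registrar", r.uuid, r.pid,
                                    f"{r.image} as {r.account} registered {r.endpoint}"))
        prior = first_seen.get(r.uuid)
        if prior is None:
            first_seen[r.uuid] = r
        elif prior.pid != r.pid:
            gap = round(r.t - prior.t, 2)
            findings.append(Finding("duplicate_registration", r.uuid, r.pid,
                                    f"pid {prior.pid} ({prior.image}) first, pid {r.pid} ({r.image}) {gap}s later"))
            if is_legit(r) and not is_legit(prior):
                findings.append(Finding("race_won_by_rogue", r.uuid, prior.pid,
                                        f"legitimate registrar lost the race by {gap}s"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.uuid} pid={f.pid}: {f.detail}")
```

On the constructed sample this reports the rogue registration of the second interface, the later duplicate registration by the real service, and the lost race with a 90.5 s window; in practice the interesting tuning knob is the baseline, which should include every interface a privileged client is known to resolve through the EPM.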