Presented at DEF CON 33 (2025), Aug. 8, 2025, 2 p.m. (45 minutes).
The RPC protocol allows executing functions on remote servers. An interface is identified by a UUID, and clients contact specific RPC endpoints to communicate with it. Some endpoints are well known to clients, but others are provided through the EPM (Endpoint Mapper); these are called Dynamic Endpoints.
As servers request to map UUIDs to their Dynamic Endpoints, we wondered what stops us from mapping a UUID of a trusted RPC interface to an endpoint that we control, leading to our own malicious RPC interface.
We discovered that nothing stops unprivileged users from impersonating a well-known RPC server! However, to have clients connect to us, we needed to register first. We, as the underdog racer, need to beat the services on their home race track.
We examined the status of RPC servers at certain points during boot and mapped several interfaces we can abuse. We then took a shot racing their services and won the gold medal! Various high integrity processes and some even PPLs trusted us to be their RPC server!
In this talk, we’ll present “RPC-Racer” - a toolset for finding insecure RPC services and winning the race against them! We’ll show it manipulating a PPL process to authenticate the machine account against any server we want! Finally, we’ll describe how to validate the integrity of RPC servers, to mitigate this issue.
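One way to check for the condition described above from the defender's side, as an added example that is not part of the talk or of the RPC-Racer toolset: parse an rpcdump.py-style Endpoint Mapper listing and flag any trusted interface UUID whose registered endpoint is not one the legitimate service uses. The listing layout, the UUID, the pipe names and the allowlist are constructed placeholders.

```python
import re
# Constructed, simplified rpcdump.py-style listing (not real output); UUID and pipe names are placeholders.
SAMPLE_EPM_DUMP = r"""
Provider: trusted_service.dll
UUID    : 11111111-2222-3333-4444-555555555555 v1.0
Bindings:
          ncacn_np:\\HOST[\pipe\trusted_pipe]
          ncacn_ip_tcp:HOST[49664]

UUID    : 11111111-2222-3333-4444-555555555555 v1.0
Bindings:
          ncacn_np:\\HOST[\pipe\impostor_pipe]
"""

# Hypothetical allowlist per UUID: allowed protocol sequences and endpoint names (None = any, e.g. dynamic TCP port).
EXPECTED_ENDPOINTS = {
    "11111111-2222-3333-4444-555555555555": {
        "ncacn_np": {r"\pipe\trusted_pipe"},
        "ncacn_ip_tcp": None,
    },
}

def parse_epm_dump(text):
    """Return one dict per entry: uuid, provider and (protseq, endpoint) bindings."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {"uuid": None, "provider": "N/A", "bindings": []}
        for line in block.splitlines():
            if m := re.match(r"UUID\s*:\s*([0-9a-fA-F-]{36})", line):
                entry["uuid"] = m.group(1).lower()
            elif m := re.match(r"Provider\s*:\s*(\S+)", line):
                entry["provider"] = m.group(1)
            elif m := re.match(r"\s+(\w+):[^\[]*\[([^\]]*)\]", line):
                entry["bindings"].append((m.group(1), m.group(2).lower()))
        if entry["uuid"]:
            entries.append(entry)
    return entries

def find_unexpected_registrations(entries, policy):
    """Flag bindings of a policed UUID that the legitimate service would not register."""
    findings = []
    for entry in entries:
        allowed = policy.get(entry["uuid"])
        if allowed is None:
            continue  # interface not covered by the policy
        for protseq, endpoint in entry["bindings"]:
            names = allowed.get(protseq, set())  # unlisted protseq: nothing allowed
            if names is not None and endpoint not in names:
                findings.append((entry["uuid"], entry["provider"], protseq, endpoint))
    return findings
```

A second registration of the same UUID with no provider and an unexpected pipe is exactly what a lost race looks like in the EPM, so a finding here is worth correlating with which process opened that pipe.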
References:
- [xpn/RpcEnum](https://github.com/xpn/RpcEnum)
- [silverf0x/RpcView](https://github.com/silverf0x/RpcView)
- [impacket rpcdump.py](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py)
- [Microsoft Learn: Specifying Endpoints](https://learn.microsoft.com/en-us/windows/win32/rpc/specifying-endpoints)
Presenters:
- Ron Ben Yizhak
Ron (@RonB_Y) is a security researcher at SafeBreach with 10 years of experience. He works in vulnerability research and has experience in forensic investigations, malware analysis and reverse engineering. Ron previously worked in the development of security products and has spoken several times at DEF CON.