Microsoft Won't Patch PhantomRPC - Feature or Bug?
Microsoft Won’t Patch PhantomRPC - Feature or Bug? 🚨
A researcher has discovered a weakness called PhantomRPC that Microsoft does not consider a vulnerability it plans to patch. PhantomRPC involves Windows Remote Procedure Call (RPC), the core of communication between Windows processes. The vulnerability allows a process with impersonation rights to escalate to SYSTEM by impersonating high-privileged clients that connect to a fake RPC server.
The researcher warned that potential vectors are “effectively unlimited” because the root issue is architectural. Microsoft, however, classified the issue as “moderate,” refused a bounty, declined to assign a CVE, and closed the case without tracking. Its position is that the technique requires an already-compromised machine and does not provide unauthenticated or remote access.
Experts disagreed with Microsoft’s assessment, expressing concern that Microsoft is downplaying a systemic local privilege escalation technique that exists in all supported Windows versions. At the core of this issue is that the Windows RPC runtime does not sufficiently verify that the server a high-privileged client connects to is the intended legitimate endpoint. If a legitimate RPC server is not reachable, an attacker with SeImpersonatePrivilege can spin up a fake RPC server that “fills the gap” using the same interface and endpoint. When a SYSTEM or high-privileged client connects to this fake server, the attacker can call RpcImpersonateClient and immediately escalate their privileges to SYSTEM.
From Microsoft’s perspective, the ability to run a rogue RPC server in this way falls under the category of “already compromised.” A Microsoft spokesperson stated: “This technique requires an already-compromised machine and does not grant unauthenticated or remote access. We recommend customers follow security best practices, including limiting administrative privileges and applying the principle of least privilege.”
Mitigating PhantomRPC properly would require deep changes to the RPC architecture, which is hard to do on existing Windows versions without breaking compatibility. Here are some recommendations:
- Keep Windows updated regularly.
- Use your admin account sparingly and only for tasks that require such privileges.
- Utilize an up-to-date, real-time anti-malware solution that can detect and block suspicious privilege-escalation activity.
- Avoid disabling or “hardening” services blindly, as a malicious service might step in their place.
To answer the question in the title: it looks like a feature that can be abused in many ways; one that has outlived its original threat model. Defenders must treat them as ongoing risks, rather than one-off CVEs.