Explore a Windows security weakness in this DEF CON 33 conference talk: unprivileged users can impersonate trusted RPC servers.

The talk first covers Remote Procedure Call (RPC) fundamentals. An interface is identified by a UUID (together with a version number), and a client reaches it either through a well-known endpoint built into the client or through a dynamic endpoint that it resolves at run time by asking the Endpoint Mapper (EPM). The core observation is that nothing stops an unprivileged user from registering, in the EPM, a mapping from the UUID of a trusted interface to an endpoint the user controls, so any client that resolves that UUID dynamically is directed to the attacker's server instead of the legitimate one.

Because the legitimate service registers its endpoint only once it has started, the attack is a race: the malicious endpoint must be registered before the legitimate one during system boot, in the window before the real server comes up, so that clients connecting early bind to the attacker. The talk walks through a systematic survey of which RPC servers are registered at successive boot stages and shows how to identify interfaces whose clients connect before their servers have registered.

Live demonstrations of the "RPC-Racer" toolset show automated discovery of such insecure RPC services and successful race attacks against them, including coercing high-integrity processes and even Protected Process Light (PPL) processes into authenticating their machine account against an attacker-controlled server.

The talk closes with the broader security implications and practical mitigations for validating the identity and integrity of an RPC server before trusting it, such as having clients require mutual authentication so that a binding to an impostor endpoint fails.
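As a concrete form of the boot-stage survey the talk describes, the following PowerShell script is an added example; it is not code from the talk or from the RPC-Racer toolset. It polls the local Endpoint Mapper repeatedly after boot through the NtObjectManager module's Get-RpcEndpoint cmdlet and reports, per interface UUID and version, how long after the first poll the interface first appeared and how many distinct endpoints were observed for it. Interfaces that register late are candidates for the race; whether their clients actually connect earlier still has to be checked per interface, as the talk does. The property names InterfaceId, InterfaceVersion, ProtocolSequence, Endpoint and Annotation on the returned objects, and the report path, are assumptions.

```powershell
#Requires -Modules NtObjectManager
<#
  Added example, not code from the DEF CON 33 talk or the RPC-Racer toolset.
  Polls the Endpoint Mapper repeatedly after boot and records, for each
  interface UUID:version, the first poll in which it was registered.
  Interfaces that register late leave a window in which any process,
  including an unprivileged one, that registers the same UUID first becomes
  the endpoint that clients resolve to.
  Assumptions: the NtObjectManager module is installed, and the objects
  returned by Get-RpcEndpoint expose InterfaceId, InterfaceVersion,
  ProtocolSequence, Endpoint and Annotation properties.
#>
param(
    [int]$Samples = 24,                                        # number of EPM polls
    [int]$IntervalSeconds = 5,                                 # seconds between polls
    [string]$ReportPath = "$env:ProgramData\epm-boot-report.csv"  # assumed output path
)

function Get-EpmSnapshot {
    # One row per (interface, version, protocol sequence, endpoint) currently in the EPM.
    Get-RpcEndpoint | ForEach-Object {
        [pscustomobject]@{
            Key        = '{0}:{1}' -f $_.InterfaceId, $_.InterfaceVersion
            Protseq    = $_.ProtocolSequence
            Endpoint   = $_.Endpoint
            Annotation = $_.Annotation
        }
    }
}

$firstSeen = @{}   # Key -> record of the poll in which the interface first appeared
$seenEps   = @{}   # Key -> set of "protseq:endpoint" strings observed across polls
$start     = Get-Date

for ($i = 1; $i -le $Samples; $i++) {
    $now = Get-Date
    foreach ($row in Get-EpmSnapshot) {
        if (-not $firstSeen.ContainsKey($row.Key)) {
            $firstSeen[$row.Key] = [pscustomobject]@{
                Interface         = $row.Key
                FirstSample       = $i
                SecondsAfterStart = [int]($now - $start).TotalSeconds
                Protseq           = $row.Protseq
                Endpoint          = $row.Endpoint
                Annotation        = $row.Annotation
            }
            $seenEps[$row.Key] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$seenEps[$row.Key].Add('{0}:{1}' -f $row.Protseq, $row.Endpoint)
    }
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}

# Attach the number of distinct endpoints seen per interface; a count above one
# means the mapping for that UUID changed between polls (a re-registration).
$report = $firstSeen.Values | ForEach-Object {
    $_ | Add-Member -NotePropertyName EndpointsSeen -NotePropertyValue $seenEps[$_.Interface].Count -PassThru
} | Sort-Object FirstSample -Descending

$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Late registrations first: these interfaces have the widest window before
# their legitimate server claims the UUID in the EPM.
$report | Where-Object FirstSample -gt 1 |
    Format-Table Interface, SecondsAfterStart, EndpointsSeen, Protseq, Endpoint, Annotation -AutoSize
```

To get the first poll as early in boot as possible, run the script from a scheduled task with an at-startup trigger, for example `Register-ScheduledTask -TaskName EpmBootAudit -User SYSTEM -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-ScheduledTaskAction -Execute powershell.exe -Argument '-File C:\tools\epm-audit.ps1')` (the script path is hypothetical). Running an unprivileged copy in parallel and comparing which interfaces both copies can see is a quick way to confirm that the EPM view is the same one an attacker gets.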