Redazione RHC: 21 September 2025 20:57
SafeBreach experts have disclosed details of a vulnerability in the Windows Remote Procedure Call (RPC) protocol, patched by Microsoft in the July 2025 update. The flaw, CVE-2025-49760, allowed an attacker to conduct spoofing attacks and impersonate a legitimate server using the Windows storage mechanism. Ron Ben Yizak discussed the discovery at the DEF CON 33 conference.
The RPC protocol relies on unique interface identifiers (UUIDs) and the Endpoint Mapper (EPM) service, which maps client requests to the dynamic endpoints of registered servers. The vulnerability opened the way to a so-called EPM poisoning attack, in which an unprivileged user could register an interface belonging to a built-in service and force a protected process to authenticate to an arbitrary server. Much like DNS spoofing, the attack changes the mapping of a UUID to an endpoint, redirecting the client to a fake source.
The problem is compounded by the fact that the EPM does not verify the identity of whoever registers an interface. An interface belonging to a delayed-start or manual-start service could therefore be claimed before the real process registered it, which let an attacker hijack the connection without administrator rights.
SafeBreach created a tool called RPC-Racer that could detect insecure RPC services such as Storage Service (StorSvc.dll) and redirect requests from a protected (PPL) process such as Delivery Optimization (DoSvc.dll) to an attacker-controlled SMB server. This caused the process to authenticate with the computer account, exposing an NTLM hash that could then be used in an ESC8 attack to elevate privileges via Active Directory Certificate Services (ADCS). Using tools such as Certipy, the researchers were able to obtain a Kerberos TGT and access all of the domain controller's secrets.
The full attack chain consisted of creating a task to run at user login, registering the storage service interface, triggering a Delivery Optimization call to a fake server, returning an SMB link to a malicious resource, and capturing the NTLM hash. The NTLM data was then used to obtain a certificate and gain domain-level rights.
Beyond direct privilege escalation, EPM poisoning can be used for Man-in-the-Middle (MitM) attacks, by forwarding requests on to the original service, or for denial of service, by registering multiple interfaces and blocking requests. SafeBreach points out that other clients on the system may be vulnerable to the same hijacking.
To detect such attacks, it is recommended to monitor RpcEpRegister calls and to use Event Tracing for Windows (ETW) to capture the events generated by applications and drivers. According to the researchers, just as SSL pinning verifies a specific key, the EPM must verify the identity of the RPC server; otherwise clients will keep trusting unverified sources.
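As an added illustration of the detection idea above (not code from SafeBreach or RPC-Racer), the sketch below runs over a few constructed, ETW-style records of RpcEpRegister calls and service starts and flags an interface UUID that is registered by a process other than its expected owner, or claimed before the owning delayed-start service has started. The record format, the `taskhostw.exe`/`svchost.exe:StorSvc` image names and the interface UUID are all assumptions for the example; the article does not give the real StorSvc interface UUID.

```python
# Detection sketch over constructed ETW-style records: "ts|kind|uuid|image|pid".
# Expected owner of each tracked interface UUID. The UUID is a constructed
# placeholder, not the real StorSvc interface identifier.
EXPECTED_OWNER = {
    "00000000-0000-0000-0000-00000000abcd": "svchost.exe:StorSvc",
}

def parse(line):
    """Split 'ts|kind|uuid|image|pid' into typed fields (kind is EpRegister or ServiceStart)."""
    ts, kind, uuid, image, pid = line.strip().split("|")
    return int(ts), kind, uuid, image, int(pid)

def find_epm_poisoning(lines):
    """Return (ts, uuid, reason) tuples for registrations that look like EPM poisoning."""
    findings, started, holder = [], set(), {}
    for ts, kind, uuid, image, pid in map(parse, lines):
        if kind == "ServiceStart":
            started.add(image)          # the legitimate owner is now running
            continue
        expected = EXPECTED_OWNER.get(uuid)
        if expected is None:
            continue                    # interface not tracked by this sketch
        who = f"{image} (pid {pid})"
        if image != expected:
            # Someone other than the owning service claimed the interface; note whether
            # it happened before the owner even started (the pre-emption the article describes).
            when = "before" if expected not in started else "after"
            findings.append((ts, uuid, f"registered by {who} {when} {expected} started"))
        elif uuid in holder:
            # The real owner registered, but a rogue registrant already holds the mapping.
            findings.append((ts, uuid, f"legitimate owner registered, but UUID already held by {holder[uuid]}"))
        holder.setdefault(uuid, who)    # first registrant keeps the mapping
    return findings

# Constructed trace: a logon-task process claims the interface about a minute
# before the delayed-start owning service registers it itself.
SAMPLE_LINES = [
    "0|ServiceStart|-|svchost.exe:DoSvc|900",
    "5|EpRegister|00000000-0000-0000-0000-00000000abcd|taskhostw.exe|4242",
    "60|ServiceStart|-|svchost.exe:StorSvc|1500",
    "61|EpRegister|00000000-0000-0000-0000-00000000abcd|svchost.exe:StorSvc|1500",
]

def demo():
    return find_epm_poisoning(SAMPLE_LINES)

if __name__ == "__main__":
    for ts, uuid, reason in demo():
        print(f"t={ts}s {uuid}: {reason}")
```

On a real host the records would come from an ETW trace of the RPC provider rather than a constructed list, and the owner table would be built from the interface UUIDs the installed services legitimately register.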