The RPC protocol allows executing functions on remote servers. An interface is identified by a UUID, and clients contact specific RPC endpoints to communicate with it. Some endpoints may be well-known to clients, but some are provided through the EPM (Endpoint Mapper). These are called Dynamic Endpoints. As servers request to map UUIDs to their Dynamic Endpoints, we wondered what stops us from mapping a UUID of a trusted RPC interface to an endpoint that we control, leading to our own malicious RPC interface. We discovered that nothing stops unprivileged users from imposing as a well-known RPC server! However, to have clients connect to us, we needed to register first. We, as the underdog racer, need to beat services in their home race track. We examined the status of RPC servers at certain points during boot and mapped several interfaces we can abuse. We then took a shot racing their services and won the gold medal! Various high integrity processes and some even PPLs trusted us to be their RPC server! In this talk, we’ll present “RPC-Racer” - a toolset for finding insecure RPC services and winning the race against them! We’ll show it manipulating a PPL process to authenticate the machine account against any server we want! Finally, we’ll describe how to validate the integrity of RPC servers, to mitigate this issue.

DEF CON 34 - DEF CON Policy Announcement - Katie Noble, Heather West
5.4K views

DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmon
11.1K views

DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth
8.5K views

DEF CON 33 - Can't Stop the ROP: Automating Universal ASLR Bypasses - Bramwell Brizendine
3.6K views

DEF CON 33 Recon Village - Building Local Knowledge Graphs for OSINT - Donald Pellegrino
5.4K views

DEF CON 33 Recon Village - Mapping the Shadow War From Estonia to Ukraine - Evgueni Erchov
6.4K views