Vigyata.AI
Is this your channel?

DEF CON 33 - You snooze you lose: RPC Racer winning RPC endpoints against services - Ron Ben Yizhak

654 views· 3 likes· 35:36· Oct 10, 2025

The RPC protocol allows executing functions on remote servers. An interface is identified by a UUID, and clients contact specific RPC endpoints to communicate with it. Some endpoints may be well-known to clients, but some are provided through the EPM (Endpoint Mapper). These are called Dynamic Endpoints. As servers request to map UUIDs to their Dynamic Endpoints, we wondered what stops us from mapping a UUID of a trusted RPC interface to an endpoint that we control, leading to our own malicious RPC interface. We discovered that nothing stops unprivileged users from imposing as a well-known RPC server! However, to have clients connect to us, we needed to register first. We, as the underdog racer, need to beat services in their home race track. We examined the status of RPC servers at certain points during boot and mapped several interfaces we can abuse. We then took a shot racing their services and won the gold medal! Various high integrity processes and some even PPLs trusted us to be their RPC server! In this talk, we’ll present “RPC-Racer” - a toolset for finding insecure RPC services and winning the race against them! We’ll show it manipulating a PPL process to authenticate the machine account against any server we want! Finally, we’ll describe how to validate the integrity of RPC servers, to mitigate this issue.

🎬 More from DEFCONConference