Remote procedure calls (RPCs) are a key component in network protocols. In Windows, RPCs are used by programs to communicate with other programs on the same computer or with programs on remote computers. When an RPC is initiated by one program and answered by another program, the transferring of data is called an RPC.

In Windows, the most common RPC is LogonRPC, which is used to authenticate users against a remote server. When a user tries to access a remote server, LogonRPC sends a request to a remote server to check if the user’s user credentials (i.e. password) are valid. If the user’s credentials are valid, the remote server will send back a response to the client computer to grant the user access. If the user’s credentials are invalid, the remote server will send back a response to the client computer to deny access.
In Windows, there is a weakness in the LogonRPC RPC call when a user has administrator rights. Due to this weakness, a user (with admin rights) can exploit this to gain administrator rights. The following is a high-level explanation of the vulnerability: Attackers can exploit this vulnerability by injecting malicious code into a website that an unsuspecting user visits. The injected malicious code will then make a request to logon to the user’s local logon account. If the user’s credentials are valid (i.e. have admin rights

Vulnerable Stages

The vulnerability exists in the following stages:
Stage 1: The LogonRPC RPC call is vulnerable.
Stage 2: The LogonRPC RPC call is answered by the local logon service. Since this service is a domain member, it can be manipulated and exploited.
Stage 3: The local logon service sends back a response to the client computer, granting the user access. This response will grant administrative privileges to the user if they are authenticated correctly.

Description of the vulnerability##

LogonRPC can be exploited by a user with admin rights. This vulnerability exists because of the server’s response when an attacker sends a LogonRPC request, which is to say that the server will only return an error if the user has admin rights. If a user with admin rights tries to logon as another user, then it will return back success.


Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 00:33:00 UTC