From ce235409e1cacc62ff77999a40dcdee5dc7a2ec1 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 20 Jan 2026 12:53:06 +0000 Subject: [PATCH] Add content from: Hello, how is it with RCE? Analyzing a vulnerability in the ... --- .../135-pentesting-msrpc.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index e754f591f4a..949246f15da 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md 
@@ -224,6 +224,19 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel > ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*. +## TapiSrv/MS-TRP tapsrv named pipe: mailslot path confusion -> arbitrary file write -> LoadLibrary RCE (CVE-2026-20931) + +- **Exposure**: TapiSrv exposes the RPC interface `tapsrv` (MS-TRP) on the SMB named pipe `\\pipe\\tapsrv` when Telephony "server mode" is enabled (`DisableSharing=0` or via `TapiMgmt.msc`). Authenticated domain users can attach remotely; the service runs as **NETWORK SERVICE**. +- **Bug (pull-mode mailslot path confusion)**: `ClientAttach` accepts attacker-controlled `pszDomainUser` and passes it directly to `CreateFileW(..., GENERIC_WRITE, OPEN_EXISTING, ...)` to open the "mailslot" used for async notifications. No `\\*\\MAILSLOT\\` validation → any existing file writable by NETWORK SERVICE can be opened and written. +- **Write primitive**: + - Written data = 4-byte `InitContext` provided by the client in `Initialize` (Req_Func 47). + - Writes occur when TapiSrv emits async events. Make your app the *highest priority request recipient* using `LRegisterRequestRecipient` (Req_Func 61, `LINEREQUESTMODE_MAKECALL`, `pszModuleName=DIALER.EXE` to win the per-user priority list), then trigger a notification with `TRequestMakeCall` (Req_Func 121). Drain with `GetAsyncEvents` (Req_Func 0) if needed. + - Per-chunk loop (4 bytes at a time): `Initialize` (InitContext=desired 4 bytes, `pszModuleName=DIALER.EXE`) → `LRegisterRequestRecipient` (enable) → `TRequestMakeCall` → `GetAsyncEvents` → `LRegisterRequestRecipient` (disable) → `Shutdown` (Req_Func 86). Repeat until the payload is written. 
+- **Privilege pivot inside TapiSrv**: Overwrite `C:\Windows\TAPI\tsec.ini` (writable by NETWORK SERVICE in server mode) to add `[TapiAdministrators]\r\nDOMAIN\\attacker=1`. Reconnect with `ClientAttach`; the INI is parsed via `GetPrivateProfileIntW` and sets the admin flag (`dwFlags |= 9`). +- **Code execution**: As a telephony admin, send `GetUIDllName` to install a TSP/UI DLL by absolute path. TapiSrv calls `LoadLibrary` on the supplied path and executes `TSPI_providerUIIdentify`. Returning a non-zero value is echoed back to the caller and unloads the DLL. + - If UNC loading fails (e.g., `ERROR_SMB_GUEST_LOGON_BLOCKED`), write the DLL via the 4-byte primitive over an existing writable file such as `C:\Windows\System32\catroot2\dberr.txt` or `C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log`, then load it. +- **Outcome**: Remote RCE as NETWORK SERVICE on hosts with Telephony server mode enabled; further elevation (e.g., SeImpersonate abuse) is out of scope of this chain. + ## References - [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/) @@ -233,6 +246,8 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/) - [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer) +- [MS-TRP (Telephony RPC) specification](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-trp/b42a983f-601c-4afc-b4a7-a08c3f79cbc7) +- [Hello, how is it with RCE? Analyzing a vulnerability in the Windows Telephony service (CVE-2026-20931)](https://habr.com/ru/companies/pt/articles/984934/) {{#include ../banners/hacktricks-training.md}}
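Review bot: the "Overwrite `C:\Windows\TAPI\tsec.ini`" step in the first hunk does not say what happens to the file's existing contents, yet the Bug bullet states the handle is opened with `OPEN_EXISTING` (no truncation) and the per-chunk loop runs `Initialize` … `Shutdown` without re-running `ClientAttach`, so the writes should advance a single file pointer from offset 0 and leave whatever trailed the original file in place. Please state explicitly that the file is not truncated (and that leftover bytes after the INI section or after the PE image are tolerated), or describe how the chain deals with them, since a reader reproducing this will otherwise expect a clean replacement. Two smaller points in the same hunk: paths inside backticks render literally, so `\\pipe\\tapsrv`, `\\*\\MAILSLOT\\` and `DOMAIN\\attacker=1` will display with doubled backslashes while `C:\Windows\TAPI\tsec.ini` a few lines later uses single ones; pick one convention. And the precondition `DisableSharing=0` is given without the registry key it lives under, so the Exposure bullet does not let a reader check whether a host is actually in server mode; add the full value path.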
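Review bot: the second hunk's Habr reference is a Russian-language article (the URL is under `habr.com/ru`) but the entry gives only an English title, so readers following it for the CVE-2026-20931 details should be told the language. The MS-TRP spec link is also the only place the `Req_Func` numbers cited in the first hunk (0, 47, 61, 86, 121) could be verified, so consider naming the relevant spec sections (`ClientAttach`, `Initialize`, `LRegisterRequestRecipient`, `TRequestMakeCall`, `GetAsyncEvents`, `Shutdown`, `GetUIDllName`) in the entry rather than linking the top-level document.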