15 changes: 15 additions & 0 deletions src/network-services-pentesting/135-pentesting-msrpc.md
Expand Up @@ -224,6 +224,19 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
> ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.


## TapiSrv/MS-TRP tapsrv named pipe: mailslot path confusion -> arbitrary file write -> LoadLibrary RCE (CVE-2026-20931)

- **Exposure**: TapiSrv exposes the RPC interface `tapsrv` (MS-TRP) on the SMB named pipe `\\pipe\\tapsrv` when Telephony "server mode" is enabled (`DisableSharing=0` or via `TapiMgmt.msc`). Authenticated domain users can attach remotely; the service runs as **NETWORK SERVICE**.
- **Bug (pull-mode mailslot path confusion)**: `ClientAttach` accepts attacker-controlled `pszDomainUser` and passes it directly to `CreateFileW(..., GENERIC_WRITE, OPEN_EXISTING, ...)` to open the "mailslot" used for async notifications. No `\\*\\MAILSLOT\\` validation → any existing file writable by NETWORK SERVICE can be opened and written.
- **Write primitive**:
- Written data = 4-byte `InitContext` provided by the client in `Initialize` (Req_Func 47).
- Writes occur when TapiSrv emits async events. Make your app the *highest priority request recipient* using `LRegisterRequestRecipient` (Req_Func 61, `LINEREQUESTMODE_MAKECALL`, `pszModuleName=DIALER.EXE` to win the per-user priority list), then trigger a notification with `TRequestMakeCall` (Req_Func 121). Drain with `GetAsyncEvents` (Req_Func 0) if needed.
- Per-chunk loop (4 bytes at a time): `Initialize` (InitContext=desired 4 bytes, `pszModuleName=DIALER.EXE`) → `LRegisterRequestRecipient` (enable) → `TRequestMakeCall` → `GetAsyncEvents` → `LRegisterRequestRecipient` (disable) → `Shutdown` (Req_Func 86). Repeat until the payload is written.
- **Privilege pivot inside TapiSrv**: Overwrite `C:\Windows\TAPI\tsec.ini` (writable by NETWORK SERVICE in server mode) to add `[TapiAdministrators]\r\nDOMAIN\\attacker=1`. Reconnect with `ClientAttach`; the INI is parsed via `GetPrivateProfileIntW` and sets the admin flag (`dwFlags |= 9`).
- **Code execution**: As a telephony admin, send `GetUIDllName` to install a TSP/UI DLL by absolute path. TapiSrv calls `LoadLibrary` on the supplied path and executes `TSPI_providerUIIdentify`. Returning a non-zero value is echoed back to the caller and unloads the DLL.
- If UNC loading fails (e.g., `ERROR_SMB_GUEST_LOGON_BLOCKED`), write the DLL via the 4-byte primitive over an existing writable file such as `C:\Windows\System32\catroot2\dberr.txt` or `C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log`, then load it.
- **Outcome**: Remote RCE as NETWORK SERVICE on hosts with Telephony server mode enabled; further elevation (e.g., SeImpersonate abuse) is out of scope of this chain.

## References

- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
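Review bot: the write primitive description (the "Bug" and "Write primitive" bullets) omits a consequence of opening the target with `OPEN_EXISTING`: nothing truncates the file, so the 4-byte chunks overwrite from the start of the existing content and whatever lies beyond the payload length stays in place. That matters for the two uses later in the section: the `tsec.ini` overwrite should say the payload needs to be padded to a multiple of 4 and that leftover bytes from the original INI remain after `[TapiAdministrators]`, and the DLL-over-`dberr.txt`/`MpCmdRun.log` trick should note that the target must already be at least as large as the DLL (the bullet says "existing writable file" but not that it has to be big enough). One sentence after "Repeat until the payload is written" would cover both. Style point: inside backticks there is no escaping, so `\\pipe\\tapsrv`, `\\*\\MAILSLOT\\` and `DOMAIN\\attacker=1` render with doubled backslashes; write them as `\pipe\tapsrv`, `\*\MAILSLOT\` and `DOMAIN\attacker=1`, consistent with the single-backslash paths used for `C:\Windows\TAPI\tsec.ini` in the same section. Lastly, the "Exposure" bullet mentions `DisableSharing=0` but not where that value lives; readers verifying exposure on a target will want the registry location or the exact `TapiMgmt.msc` setting spelled out.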
Expand All @@ -233,6 +246,8 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
- [MS-TRP (Telephony RPC) specification](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-trp/b42a983f-601c-4afc-b4a7-a08c3f79cbc7)
- [Hello, how is it with RCE? Analyzing a vulnerability in the Windows Telephony service (CVE-2026-20931)](https://habr.com/ru/companies/pt/articles/984934/)

{{#include ../banners/hacktricks-training.md}}

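Review bot: the habr.com entry is a Russian-language article (the URL path is `/ru/`) while the title is given in English translation; add a language marker such as "(Russian)" after the title so readers know what they are opening, and since it is the primary write-up behind the new TapiSrv section, consider also citing it inline next to that section's heading rather than only at the bottom of the page. Minor: the surrounding list mixes bare URLs and titled links; the two new entries use the titled style, which is the better one, so no change needed there.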