
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://swarm.ptsecurity.com/whos-on-the-line-exploiting-rce-in-windows-telephony-service/
  • Blog Title: Who's on the line? Exploiting RCE in Windows Telephony Service
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (or a new page under Windows exploitation/services) focusing on: arbitrary file write primitives from named pipe/MSRPC services (mailslot path confusion) and chaining writable config authorization + privileged DLL load to RCE; alternatively Network Services Pentesting -> MSRPC/named pipes Windows service exploitation.

🎯 Content Summary

Vulnerability: CVE-2026-20931 (fixed in January 13, 2026 Patch Tuesday) in the Windows Telephony service (TapiSrv, implementation in tapisrv.dll). When Windows is configured in TAPI server mode, an authenticated remote client (connects via SMB to the tapsrv named pipe) can turn TAPI’s remote asynchronous-event “pull” model into an arbitrary controlled 4-byte (DWORD) write to a chosen pre-existing fi...

🔧 Technical Details

Unvalidated “mailslot” path → arbitrary file write: If a service treats a user-supplied string as a mailslot path and calls CreateFileW(path, GENERIC_WRITE, ..., OPEN_EXISTING) without enforcing the \\*\MAILSLOT\ namespace (or otherwise verifying it is a mailslot), an attacker can pass a normal filesystem path. If the service later writes protocol/event data to that handle, this becomes a write-where primitive into any existing file writable by the service account. If the data written is a fixed-size field (e.g., a single DWORD), any attacker-controlled protocol field mapped to that value becomes a controlled small write primitive.


Deterministic event generation to repeat small writes: When an event-driven protocol makes it hard to trigger arbitrary events, look for helper routines that always emit an event under controllable conditions (e.g., “notify highest priority recipient”). Control recipient selection by...

🤖 Agent Actions

Summary:

  • Added a dedicated page on exploiting the Telephony service (tapsrv) mailslot path confusion to gain an arbitrary DWORD write and chain it to admin-only DLL loading for RCE as NETWORK SERVICE.
  • Documented exploitation workflow, deterministic event generation, writable target examples, and hardening notes.
  • Linked the new Telephony exploitation page from the Windows Local Privilege Escalation guide.

Files Modified/Created:

  • src/windows-hardening/windows-local-privilege-escalation/telephony-tapsrv-arbitrary-dword-write-to-rce.md
  • src/windows-hardening/windows-local-privilege-escalation/README.md

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
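The root cause summarised in the Technical Details above is a client-supplied string reaching CreateFileW without any proof that it names a mailslot. The following is an added example, not code from the blog post, from HackTricks or from tapisrv.dll, of the gate a service should put in front of that call: it accepts only UNC paths of the form `\\<host>\MAILSLOT\<name>` (case-insensitive, either separator), and rejects drive paths, the `\\?\` verbatim prefix, `.`/`..` components, drive/stream colons and trailing separators, so that a path like `C:\Windows\...` or `\\*\MAILSLOT\..\..\C:\...` can never become the write target. The function name `is_mailslot_path` and the exact rule set are this example's own choices; it is written in portable C so it runs anywhere, and in a real service it would sit directly before the `CreateFileW(path, GENERIC_WRITE, ..., OPEN_EXISTING)` call.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAILSLOT_PATH 260   /* assumption: conventional MAX_PATH bound for the client string */

/* Win32 treats '/' and '\' alike, so the check must too. */
static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Case-insensitive compare of n bytes. */
static bool ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Length of the path component starting at p (up to the next separator or NUL). */
static size_t comp_len(const char *p) {
    size_t n = 0;
    while (p[n] && !is_sep(p[n])) n++;
    return n;
}

/* A mailslot name element must be non-empty, must not be "." or "..", and must not
 * carry characters that change meaning under Win32 path handling (':' for drives and
 * alternate streams, quoting/redirection characters, control characters). Trailing
 * dots and spaces are stripped by normalisation, so they are rejected to keep the
 * string we validated identical to the string the kernel will see. */
static bool safe_component(const char *p, size_t n) {
    if (n == 0) return false;
    if (n == 1 && p[0] == '.') return false;
    if (n == 2 && p[0] == '.' && p[1] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c < 0x20 || c == ':' || c == '"' || c == '<' || c == '>' || c == '|') return false;
    }
    if (p[n - 1] == '.' || p[n - 1] == ' ') return false;
    return true;
}

/* Returns true only for \\<host>\MAILSLOT\<name>[\<name>...] with a non-empty,
 * traversal-free name. Anything else (drive paths, \\?\ paths, other UNC shares,
 * trailing separators) is refused before it can reach CreateFileW. */
bool is_mailslot_path(const char *path) {
    if (path == NULL) return false;
    size_t len = strlen(path);
    if (len == 0 || len >= MAX_MAILSLOT_PATH) return false;

    /* Exactly two leading separators: a UNC path, not a drive or a relative path. */
    if (!(is_sep(path[0]) && is_sep(path[1]) && !is_sep(path[2]))) return false;
    const char *p = path + 2;

    /* Host component: non-empty and not '?', which would make this a \\?\ verbatim
     * path that bypasses normalisation and names an arbitrary NT object. */
    size_t hl = comp_len(p);
    if (hl == 0) return false;
    if (hl == 1 && p[0] == '?') return false;
    for (size_t i = 0; i < hl; i++)
        if ((unsigned char)p[i] < 0x20) return false;
    p += hl;
    if (!is_sep(*p)) return false;
    p++;

    /* Second component must be the literal MAILSLOT namespace. */
    size_t ml = comp_len(p);
    if (ml != 8 || !ieq_n(p, "mailslot", 8)) return false;
    p += ml;
    if (!is_sep(*p)) return false;
    p++;

    /* Remaining components form the mailslot name; none may be traversal or drive-like. */
    size_t ncomp = 0;
    while (*p) {
        size_t n = comp_len(p);
        if (!safe_component(p, n)) return false;
        ncomp++;
        p += n;
        if (is_sep(*p)) {
            p++;
            if (!*p) return false;   /* trailing separator: no name follows */
        }
    }
    return ncomp > 0;
}

int main(void) {
    /* Constructed sample inputs: a legitimate client mailslot and the kind of
     * filesystem path the blog post describes being passed instead. */
    const char *samples[] = {
        "\\\\*\\MAILSLOT\\tapi\\events",
        "//client01/mailslot/tapievents",
        "C:\\Windows\\System32\\target.dll",
        "\\\\*\\MAILSLOT\\..\\..\\C:\\target.dll",
        "\\\\?\\C:\\target.dll",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i], is_mailslot_path(samples[i]) ? "mailslot" : "REJECT");
    return 0;
}
```

String validation is the first layer only: because Win32 normalisation and symbolic links in the object namespace can still redirect a well-formed name, a hardened service should additionally confirm after the open that the handle it obtained is a mailslot rather than a regular file before writing event data through it.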

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://swarm.ptsecurity.com/whos-on-the-line-exploiting-rce-in-windows-telephony-service/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (or a new page under Windows exploitation/services) focusing on: arbitrary file write primitives from named pipe/MSRPC services (mailslot path confusion) and chaining writable config authorization + privileged DLL load to RCE; alternatively Network Services Pentesting -> MSRPC/named pipes Windows service exploitation.".

Repository Maintenance:

  • MD Files Formatting: 940 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 84adaaa into master Jan 22, 2026
@carlospolop carlospolop deleted the update_Who_s_on_the_line__Exploiting_RCE_in_Windows_Telep_20260120_124744 branch January 22, 2026 19:12