Hello, how is it with RCE? Analyzing a vulnerability in the ... #1786
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Post topic
The post analyzes CVE-2026-20931, a remote code execution vulnerability in the Windows Server Telephony service TapiSrv (implementation in tapisrv.dll), which runs as NETWORK SERVICE. Exploitation is possible only when Telephony is configured in “server mode” (remote clients allowed).
1) How Windows Telephony works (TAPI → TapiSrv → TSP)
Windows exposes telephony features via <a href="https://learn.mi...
🔧 Technical Details
Arbitrary file write via MS-TRP pull-mode mailslot confusion: If a service opens “mailslots” using file APIs, and it accepts a client-supplied mailslot path that is not validated (no enforcement of \\*\MAILSLOT\ semantics), an attacker can supply an arbitrary filesystem path. If the service calls CreateFileW(path, GENERIC_WRITE, ..., OPEN_EXISTING), it will open an existing file for writing and later write event/notification bytes into it. When the written notification value is derived from attacker-controlled request fields (here: a 4-byte InitContext), the attacker can repeatedly trigger events to write chosen 4-byte chunks to a chosen target file (subject to the service account’s write permissions).
Deterministic event triggering to drive writes: When event delivery is the only mechanism that causes writes, find an API/RPC handler that reliably generates events without requiring complex state (here: a “notify highest prio...
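The root cause above is a missing check that a client-supplied string really names a mailslot before it reaches CreateFileW. The following is an added reference validator written for this note, not TapiSrv or HackTricks code; the policy it enforces is an assumption: the path must be `\\<host>\mailslot\<name>` where `<host>` is `*` or a plain computer name (not `.` or `?`, which select the local device namespace), and `<name>` is non-empty with no empty or `..` components.

```c
/* Added example (not TapiSrv code): accept only paths of the assumed form
 * \\<host>\mailslot\<name>. Drive paths (C:\...), \\?\ and \\.\ device paths
 * and other namespaces (\\host\pipe\...) are refused before any file API. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive compare of the first n bytes (both inputs >= n bytes). */
static bool ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Returns true only if `path` names a mailslot under the assumed policy. */
bool is_safe_mailslot_path(const char *path) {
    if (!path || path[0] != '\\' || path[1] != '\\') return false;
    const char *host = path + 2;
    const char *slash = strchr(host, '\\');
    if (!slash || slash == host) return false;            /* empty host */
    size_t hlen = (size_t)(slash - host);
    if (!(hlen == 1 && host[0] == '*')) {                 /* '*' = broadcast */
        /* Otherwise require a plain hostname: starts alnum, then [A-Za-z0-9.-]
         * only; this also rejects "." and "?" (local device namespace). */
        if (!isalnum((unsigned char)host[0])) return false;
        for (size_t i = 1; i < hlen; i++)
            if (!isalnum((unsigned char)host[i]) && host[i] != '-' && host[i] != '.')
                return false;
    }
    const char prefix[] = "\\mailslot\\";                /* second component */
    size_t plen = sizeof(prefix) - 1;
    if (strlen(slash) <= plen || !ieq(slash, prefix, plen)) return false;
    const char *name = slash + plen;                      /* must be non-empty */
    /* Walk the remaining components: no empty component (rejects a trailing
     * backslash too) and no ".." component. */
    for (const char *p = name;;) {
        const char *end = strchr(p, '\\');
        size_t clen = end ? (size_t)(end - p) : strlen(p);
        if (clen == 0 || (clen == 2 && p[0] == '.' && p[1] == '.')) return false;
        if (!end) break;
        p = end + 1;
    }
    return true;
}
```

The check must run on the exact string that is later passed to CreateFileW, after any normalization the service performs, so the validated value and the opened value cannot diverge.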
🤖 Agent Actions
Updated network-services-pentesting/135-pentesting-msrpc.md with a new section detailing the TapiSrv/MS-TRP tapsrv named-pipe vulnerability chain (CVE-2026-20931): remote exposure prerequisites, mailslot path confusion → 4-byte arbitrary file overwrite via InitContext, deterministic write trigger using request-recipient priority, tsec.ini overwrite to gain telephony-admin flags, and LoadLibrary-based RCE via GetUIDllName (with local DLL drop fallbacks). Added references for MS-TRP spec and the blog source.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.