CVE-2009-0079
published 2009-04-15CVE-2009-0079: The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct processes that…
PriorityP178medium6.9CVSS 2.0
AVLACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
4.06%
89.4th percentile
The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows RPCSS Service Isolation Vulnerability."
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for local privilege escalation attempts targeting the RPCSS service (rpcss.dll / svchost.exe hosting RPCSS) where a process running under NetworkService or LocalService account attempts to access resources belonging to another process sharing the same account, potentially escalating to LocalSystem. ↗
- →Alert on unexpected privilege escalation to LocalSystem originating from processes running under NetworkService or LocalService accounts, particularly those interacting with RPCSS. ↗
- ·Vulnerability is limited to Windows XP SP2/SP3 and Windows Server 2003 SP1/SP2; later OS versions are not affected. ↗
- ·This is a local privilege escalation only; an attacker must already have local access to the system to exploit the RPCSS service isolation weakness. ↗
CVSS provenance
nvdv2.06.9MEDIUMAV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck6.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xgcq-fj5h-634c: The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct proces
ghsa_unreviewed·2022-05-02
CVE-2009-0079 [MEDIUM] GHSA-xgcq-fj5h-634c: The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct proces
The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows RPCSS Service Isolation Vulnerability."
VulnCheck
Windows RPCSS Service Isolation Vulnerability
vulncheck·2009·CVSS 6.9
CVE-2009-0079 [MEDIUM] Windows RPCSS Service Isolation Vulnerability
Windows RPCSS Service Isolation Vulnerability
The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows RPCSS Service Isolation Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012
No detection rules found.
No writeups or analysis indexed.
http://osvdb.org/53667http://www.securitytracker.com/id?1022044http://www.us-cert.gov/cas/techalerts/TA09-104A.htmlhttp://www.vupen.com/english/advisories/2009/1026https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6147http://osvdb.org/53667http://www.securitytracker.com/id?1022044http://www.us-cert.gov/cas/techalerts/TA09-104A.htmlhttp://www.vupen.com/english/advisories/2009/1026https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6147
2009-04-15
Published
Exploited in the wild