- system-informer
- lpe
- alpc
- windows
- exploitarium
System Informer phsvc Trusted-Host LPE
phsvc accepts any Authenticode-trusted client image — code in rundll32 connects to SiSvcApiPort and runs elevated helper APIs.
Summary
phsvc accepts any Authenticode-trusted client image: code running inside rundll32 connects to SiSvcApiPort and calls elevated helper APIs. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | System Informer canary 4.0.26162.539 |
| Primitive | Generic Authenticode trust instead of publisher-specific client validation |
| Impact | Arbitrary process creation in the elevated helper context from a medium-integrity user, while an elevated System Informer instance is running. |
Attack Chain
Load code into a trusted, signed host process → connect over ALPC to phsvc → privileged helper API executes the attacker-supplied command
Mitigation
Bind the helper's IPC to the System Informer binary's own signature rather than to generic Authenticode trust; run the helper non-elevated by default.
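To illustrate the difference between the two trust models above, here is an added PowerShell check (not System Informer's code) that compares a generic "any valid Authenticode signature" test with one pinned to an allow-list of signer thumbprints; the thumbprint values are placeholders you would replace with the publisher's real signing certificates.

```powershell
# Added illustration, not System Informer code: contrasts the generic
# "any Authenticode-trusted image" check this finding describes with a
# check pinned to the expected publisher's signing certificate(s).
function Test-ClientImageTrust {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        # Placeholder thumbprints; replace with the real publisher certs.
        [string[]] $AllowedThumbprints = @('PLACEHOLDER-THUMBPRINT-1',
                                           'PLACEHOLDER-THUMBPRINT-2')
    )

    $sig = Get-AuthenticodeSignature -FilePath $ImagePath

    # Weak check (the flawed pattern): every validly signed image is trusted,
    # so any Microsoft-signed host such as rundll32.exe passes.
    $genericTrusted = ($sig.Status -eq 'Valid')

    # Pinned check (the mitigation): the signature must be valid AND the
    # signer certificate must be one the service explicitly expects.
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '<unsigned>' }
    $pinnedTrusted = $genericTrusted -and ($thumb -in $AllowedThumbprints)

    [pscustomobject]@{
        Image          = Split-Path -Leaf $ImagePath
        Status         = $sig.Status
        Subject        = $subject
        Thumbprint     = $thumb
        GenericTrusted = $genericTrusted   # what phsvc effectively relied on
        PinnedTrusted  = $pinnedTrusted    # what the mitigation requires
    }
}

# rundll32.exe is Microsoft-signed: GenericTrusted is true, PinnedTrusted is
# false unless its signer is on the allow-list, which is the whole point.
Test-ClientImageTrust -ImagePath "$env:SystemRoot\System32\rundll32.exe" |
    Format-List
```

Run it against the System Informer binary and against an arbitrary signed system executable side by side to see which images each model would admit as an IPC client.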