OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • system-informer
  • lpe
  • alpc
  • windows
  • exploitarium

news

System Informer phsvc Trusted-Host LPE

phsvc accepts any Authenticode-trusted client image — code in rundll32 connects to SiSvcApiPort and runs elevated helper APIs.

Summary

This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding          | Detail
Product / target | System Informer canary 4.0.26162.539
Primitive        | Generic Authenticode trust instead of publisher-specific client validation
Impact           | Medium. User → elevated helper context; arbitrary process creation when an elevated instance is live.

Attack Chain

Load code in a trusted signed host → ALPC to phsvc → privileged API invokes attacker command

Mitigation

Bind helper IPC to the System Informer binary's own signature; run the helper non-elevated by default.
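The difference between the two client-validation policies, as an added PowerShell illustration that is not System Informer's code and does not model phsvc's ALPC handling; the signer thumbprint is a placeholder to be replaced with the product's real signing certificate.

```powershell
# Added illustration, not System Informer code: contrast "any valid Authenticode
# signature" (the weak policy the advisory describes) with "valid signature AND
# the product's own signing certificate" (the mitigation). $ExpectedThumbprint is
# a placeholder; a real check would pin the certificate that signs SystemInformer.exe.

function Test-HelperClient {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $ImagePath

    # Generic policy: a valid signature chain from any trusted publisher is enough.
    $genericOk = ($sig.Status -eq 'Valid')

    # Pinned policy: the chain must be valid AND the leaf certificate must be the
    # product's own signing certificate.
    $pinnedOk = $genericOk -and ($null -ne $sig.SignerCertificate) -and
        ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint.ToUpperInvariant())

    [pscustomobject]@{
        Image          = $ImagePath
        Status         = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        GenericTrustOk = $genericOk
        PinnedTrustOk  = $pinnedOk
    }
}

# Placeholder value; substitute the thumbprint of the System Informer signing certificate.
$pinned = 'REPLACE_WITH_SYSTEM_INFORMER_SIGNER_THUMBPRINT'

# rundll32.exe carries a Microsoft signature, so it satisfies the generic policy
# (the page's point) while failing the pinned one.
Test-HelperClient -ImagePath "$env:SystemRoot\System32\rundll32.exe" -ExpectedThumbprint $pinned
```

Running the same function against the product's own executable with the real thumbprint is the positive case a pinned policy should still accept.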
