MNDT-2022-0003

Description

Mandiant discovered a vulnerability that impacts the Microsoft Windows operating system, allowing an attacker to elevate privileges from a non-privileged user to SYSTEM by abusing a weakness in the Windows Print Spooler service.

Impact

Very High - An attacker can abuse this vulnerability to elevate privileges on the local system.

Exploitability

Medium - An attacker needs local access to the target system as a low-privileged user.

CVE Reference

CVE-2022-22717

Technical Details

An attacker can abuse the AddPrinter and SetPrinterDataEx Windows API calls to coerce the Spooler service into creating an arbitrary directory. The resulting directory will allow low-privileged users to create new files and folders, leading to a privilege escalation vulnerability in the Windows Error Reporting service, previously described by Jonas Lyk [3].

This vulnerability is similar to CVE-2021-38671, CVE-2021-34483, CVE-2021-26878, and the research presented by Victor Mata [2] (CVE-2020-1030).

Mitigation

This issue was fixed as part of the February 2022 security update [1].

Discovery Credits

Thibault Van Geluwe de Berlaere, Mandiant

Disclosure Timeline

  • 05/10/2021: Vulnerability submitted to MSRC and case opened
  • 19/10/2021: Issue confirmed by Microsoft
  • 08/02/2022: Patch released and CVE assigned

References

  1. Microsoft Advisory: CVE-2022-22717
  2. Discovering, exploiting and shutting down a dangerous Windows print spooler vulnerability
  3. From directory deletion to SYSTEM shell
  4. Mitre CVE-2022-22717