Moderate
CVE-2022-21999
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Moderate
(1 user assessed)
High
(1 user assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Description
Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21997, CVE-2022-22717, CVE-2022-22718.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityHigh
Technical Analysis
This is a useful vulnerability; however, an existing session on the target is required, and escalation of privileges can sometimes depend on luck. To achieve the directory creation and ultimately the file write, one first needs to reinitialize the print spooler. There exists one primitive to do this using SetPrinterDataEx() and AppVTerminator.dll as a Point and Print dll, but it’s limited to two uses because the print spooler will not automatically restart after two crashes. If the print spooler has reached its maximum number of restarts, then this exploit will only work by restarting the system completely, which is not particularly stealthy. Additionally, the previously-mentioned primitive is limited, as Windows 7 does not appear to have the AppVTerminator dll.
Assuming that the attacker has a printer handle with the PRINTER_ACCESS_ADMINISTER privilege and the ability to restart the print spooler, this vulnerability is fairly easy to exploit. Create a temp directory, set the SpoolDirectory to the temp path with the version 4 directory appended (in UNC path form), create junction between the temp path and the printer driver directory, restart spooler, write malicious dll, then load the dll.
I wouldn’t call this the first priority in the list of vulnerabilities to patch mainly due to an existing session being a requirement and success potentially depending on a reboot, but it should certainly be patched.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Vendors
- Microsoft
Products
- Windows,
- Windows Server,
- Windows 10 Version 1909 for 32-bit Systems,
- Windows 10 Version 1909 for x64-based Systems,
- Windows 10 Version 1909 for ARM64-based Systems,
- Windows 10 Version 21H1 for x64-based Systems,
- Windows 10 Version 21H1 for ARM64-based Systems,
- Windows 10 Version 21H1 for 32-bit Systems,
- Windows Server 2022,
- Windows Server 2022 (Server Core installation),
- Windows Server 2022 Azure Edition Core Hotpatch,
- Windows 10 Version 20H2 for x64-based Systems,
- Windows 10 Version 20H2 for 32-bit Systems,
- Windows 10 Version 20H2 for ARM64-based Systems,
- Windows Server, version 20H2 (Server Core Installation),
- Windows 11 for x64-based Systems,
- Windows 11 for ARM64-based Systems,
- Windows 10 Version 21H2 for 32-bit Systems,
- Windows 10 Version 21H2 for ARM64-based Systems,
- Windows 10 Version 21H2 for x64-based Systems
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
