Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2022-21906

MITRE ATT&CK tactic: Execution

Description

Windows Defender Application Control Security Feature Bypass Vulnerability.

Technical Analysis

CVE-2022-21906

Vendor: Microsoft

Description

Windows Defender Application Control Security Feature Bypass Vulnerability.
The attacker can execute extremely dangerous apps by using different scenarios,
directly from the user profile, without any reaction from Windows Defender.
Read more: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21906

The latest version of Windows 10 Pro, plus the latest update!

Proof and Exploit

BugCheck after the exploit, the reaction of the kernel:

  • BSOD.exe
1: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied}  A process has requested access to an object, but has not been granted those access rights.

BUGCHECK_CODE:  c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  BSOD.exe

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+1217

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

FAILURE_BUCKET_ID:  STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

FAILURE_ID_HASH:  {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup:     MachineOwner
---------
  • malicious.exe
0: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied}  A process has requested access to an object, but has not been granted those access rights.

BUGCHECK_CODE:  c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  malicious.exe

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+1217

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

FAILURE_BUCKET_ID:  STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

FAILURE_ID_HASH:  {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup:     MachineOwner
---------

BR

.\nu11secur1ty

General Information

Vendors

  • Microsoft

Products

  • Windows
  • Windows Server
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 11 for x64-based Systems
  • Windows 11 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
