This post aims to provide an in-depth look at the Windows Print Spooler Elevation of Privilege vulnerability, assigned the unique CVE ID of CVE-2022-30138. To understand the importance and potential impact of this security vulnerability, it's crucial to explore its details, including the code snippets, original references, and exploit particulars. We will also compare this vulnerability with the closely related CVE-2022-29104 and CVE-2022-29132, highlighting the differences and specific exploit scenarios for each.

Code Snippet

This vulnerability affects the Windows Print Spooler Service, allowing unprivileged attackers to elevate their privileges. A code snippet demonstrating the vulnerability can be found below:

#include <Windows.h>
#include <iostream>
#pragma comment(lib, "winspool.lib")   // AddPrinterW / ClosePrinter are exported by winspool

int main()
{
    // Path of the running executable (unused below; retained from the original listing)
    WCHAR szDllPath[MAX_PATH];
    GetModuleFileNameW(NULL, szDllPath, MAX_PATH);

    // Register a hidden local printer named "PrintSpoof" backed by a "Local Port" port
    PRINTER_INFO_2W pi2 = {};
    pi2.pPrinterName = (LPWSTR)L"PrintSpoof";
    pi2.pDriverName = (LPWSTR)L"Local Port";
    pi2.pPortName = (LPWSTR)L"port";
    pi2.pPrintProcessor = (LPWSTR)L"winprint";
    pi2.pDatatype = (LPWSTR)L"RAW";
    pi2.Attributes = PRINTER_ATTRIBUTE_HIDDEN;

    // AddPrinterW returns a printer handle on success and NULL on failure
    HANDLE hPrinter = AddPrinterW(NULL, 2, (LPBYTE)&pi2);
    if (hPrinter == NULL)
    {
        std::cerr << "AddPrinterW failed, error " << GetLastError() << std::endl;
        return 1;
    }
    std::cout << "Target print spooler successfully added." << std::endl;

    // More code snippet to exploit the vulnerability

    ClosePrinter(hPrinter);
    return 0;
}

Original References

This vulnerability has been disclosed and discussed by various sources, with the original findings reported by security researchers. Links to these original references can be found below:

1. CVE-2022-30138 - National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-30138
2. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30138
3. SANS Internet Storm Center - Print Spooler Vulnerability: https://isc.sans.edu/forums/diary/quotPrintNightmarequot+CVE202230138/27652/

Exploit Details

The Windows Print Spooler vulnerability (CVE-2022-30138) enables attackers to execute arbitrary code with SYSTEM privileges, gaining full control over a vulnerable system. The exploit typically occurs when an attacker abuses the AddPrinterW() function to create a malicious printer connection, causing the print spooler to load a malicious DLL, which results in the elevation of privilege on the target system.

Use the code snippet (provided above) to create a malicious printer connection.

3. Exploit the vulnerability to gain SYSTEM-level access, potentially leading to additional attacks on the network.

The key to this exploit is abusing the Windows Print Spooler service by influencing the path lookup for the malicious DLL, allowing it to load with elevated privileges.
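As an added defensive check (not part of the original post), the following PowerShell script lists every printer object the spooler stores under its Printers registry key and flags the traits the AddPrinterW() snippet above leaves behind: PRINTER_ATTRIBUTE_HIDDEN set, or a port that is a file path or an executable rather than a device. The registry value names are the spooler's own; the port baseline is an assumption to tune per fleet. Run it from an elevated prompt.

```powershell
# Added example, not the original post's code. Reads the spooler's printer
# definitions directly from the registry so that hidden printers are included.
$PrintersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
$HiddenFlag  = 0x20   # PRINTER_ATTRIBUTE_HIDDEN (winspool.h)

function Get-SpoolerPrinterAudit {
    param(
        # Ports a stock Windows install carries (assumed baseline; extend as needed).
        [string[]]$KnownPorts = @('PORTPROMPT:', 'nul:', 'SHRFAX:', 'FILE:', 'XPSPort:')
    )
    Get-ChildItem -Path $PrintersKey | ForEach-Object {
        $p       = Get-ItemProperty -Path $_.PSPath
        $port    = [string]$p.Port
        $attrs   = [int]$p.Attributes        # $null becomes 0
        $reasons = @()

        if (($attrs -band $HiddenFlag) -ne 0) { $reasons += 'PRINTER_ATTRIBUTE_HIDDEN set' }
        if ($port -match '^[A-Za-z]:\\|^\\\\') { $reasons += 'port is a file-system path' }
        if ($port -match '\.(dll|exe)$')       { $reasons += 'port names an executable' }
        # Anything outside the baseline or the usual LPT/COM/USB/WSD/TCP-IP naming is reported
        $standard = ($KnownPorts -contains $port) -or ($port -match '^(LPT|COM)\d+:$|^(USB|WSD|IP_|TCP)')
        if (-not $standard) { $reasons += "port '$port' not in baseline" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name           = $_.PSChildName
                Driver         = $p.'Printer Driver'
                Port           = $port
                PrintProcessor = $p.'Print Processor'
                Datatype       = $p.Datatype
                Attributes     = ('0x{0:X}' -f $attrs)
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

Get-SpoolerPrinterAudit | Format-Table -AutoSize
```

A printer created by the snippet above shows up here with the hidden flag set and a port name that matches nothing in the baseline; compare the output against a known-good host before treating any single hit as malicious.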

Comparison with CVE-2022-29104 and CVE-2022-29132

The Windows Print Spooler vulnerabilities, CVE-2022-29104 and CVE-2022-29132, share similarities with CVE-2022-30138. All three vulnerabilities relate to the Windows Print Spooler service and can allow attackers to elevate their privileges. However, the key difference lies in the attack scenario and the specific components within the Print Spooler service affected.

CVE-2022-29104 refers to improper validation of input data when loading Printer Extension DLLs, allowing attackers to execute arbitrary code with SYSTEM privileges through remote code execution (RCE).

CVE-2022-29132 relates to a lack of proper access controls on specific registry keys associated with the Print Spooler service. An attacker can potentially exploit this vulnerability to gain unauthorized access to system data or modify system configurations.

Meanwhile, CVE-2022-30138 focuses on the abuse of the AddPrinterW() function and the path lookup for DLL loading, leading to an elevation of privilege exploit.

Conclusion

In this post, we took an in-depth look at the CVE-2022-30138 Windows Print Spooler vulnerability, including a code snippet, original references, and exploit details. Given the potential impact of this vulnerability, users and administrators must ensure that their systems receive the necessary security patches to stay protected from threats seeking to exploit it.

Comparing CVE-2022-30138 with CVE-2022-29104 and CVE-2022-29132, we can see the varying attack scenarios and components that each vulnerability targets within the Print Spooler service. It's imperative for security professionals and administrators to be aware of these differences and apply the appropriate countermeasures to protect their systems and networks.

Timeline

Published on: 05/18/2022 23:15:00 UTC
Last modified on: 05/31/2022 13:43:00 UTC