In 2022, Microsoft patched several vulnerabilities in the Windows Print Spooler service, which has long been a favorite target for hackers. One of these, CVE-2022-30138, is an important privilege escalation bug that allows local attackers to gain higher privileges on a Windows system. This post walks you through how CVE-2022-30138 works, how to exploit it, and how you can protect your systems.

What Is CVE-2022-30138?

CVE-2022-30138 is an Elevation of Privilege (EoP) vulnerability in the Windows Print Spooler. It allows a local attacker to execute code with SYSTEM-level privileges, the most powerful local account on Windows. Unlike some other Print Spooler bugs, this one does not allow remote code execution, but it is very useful to an attacker who already has a foothold on the system.

IMPORTANT NOTE:
This CVE is separate from CVE-2022-29104 and CVE-2022-29132, which also affect the Windows Print Spooler, but are distinct issues.

How Does It Work?

The Windows Print Spooler is the service responsible for managing print jobs sent to local printers or print servers. It runs with SYSTEM privileges by default.

In CVE-2022-30138, a weakness in how the Print Spooler service handles objects and permissions can allow a low-privileged user to execute code with SYSTEM privileges by abusing certain Print Spooler operations.

Technical Details

While Microsoft hasn't published full technical details or a public proof-of-concept, security researchers have analyzed related vulnerabilities enough to show a likely attack path.

1. Abuse Print Spooler APIs
A standard user interacts with the Print Spooler over named pipes or the Windows API.

2. Trick the Service Into Loading a Malicious File
The attacker uses the Print Spooler to tell the system to load a DLL or script they control, changing the job configuration in the process.

3. Gain SYSTEM Privileges
Since the Spooler executes certain commands as SYSTEM, the malicious payload runs with full privileges.

Example Attack Steps (Pseudocode)

While a full working exploit is not public, here is a conceptual example, written as PowerShell-like pseudocode, to give you a picture of the logic:

# Step 1: Create a malicious DLL that gives a shell or adds a user
Write-Host "Creating Malicious DLL"

# Step 2: Copy the DLL to a location accessible by the Print Spooler (e.g., C:\Windows\System32\spool\drivers\x64\3\)
Copy-Item "C:\temp\evil.dll" "C:\Windows\System32\spool\drivers\x64\3\evil.dll"

# Step 3: Use AddPrinterDriverEx API or RPC to get Print Spooler to load the DLL
# Requires a tool or script that can talk to the Print Spooler (e.g., via RPC)

Invoke-PrintSpoolerExploit -DriverName "evil" -DllPath "C:\Windows\System32\spool\drivers\x64\3\evil.dll"

Note: This is just a simplified demonstration. Actual attacks would be more complex.

No official or full public proof-of-concept has been shared by Microsoft or major security researchers at the time of this writing, due to the sensitivity and impact of the bug. However, you can find technical writeups and similar logic in the following links:

- Microsoft Advisory for CVE-2022-30138
- Windows Print Spooler Vulnerabilities Overview
- CERT/CC Vulnerability Note VU#383432
- Timeline and Discussion (Twitter)
- PrintNightmare Sample Exploits (for reference)

How to Protect Your Systems

1. Patch Immediately
Microsoft released a fix in the June 2022 Patch Tuesday updates. Install all available Windows updates.

2. Stop and Disable Print Spooler If Not Needed
If you don't need printing on a server or a sensitive device, stop and disable the Print Spooler service:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

3. Limit User Permissions
Restrict who can add or manage printers on your devices.

4. Monitor for Anomalies
Use endpoint detection tools to monitor for suspicious Print Spooler activity, new DLL files in spool directories, or escalated user privileges.
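The following PowerShell script is an added example, not part of the original post, that turns items 2 and 4 above into a read-only audit: it reports whether the Spooler service is disabled and lists DLLs recently written under the spool driver directory together with their Authenticode signature status. The `$SpoolDriverRoot` default and the seven-day lookback are assumptions you can adjust.

```powershell
# Added example: read-only audit of Print Spooler posture and spool driver DLLs.
# Parameters are assumptions; adjust the root path and lookback to your estate.
param(
    [string]$SpoolDriverRoot = "$env:SystemRoot\System32\spool\drivers",
    [int]$LookbackDays = 7
)

# 1. Service posture: is the Spooler running, and will it start at boot?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($null -eq $svc) {
    Write-Output "Spooler service not present on this host."
} else {
    Write-Output ("Spooler: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)
    if ($svc.StartMode -ne 'Disabled') {
        Write-Output "  -> Spooler is not disabled; disable it if printing is not required."
    }
}

# 2. DLLs written under the spool driver tree within the lookback window.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$recent = Get-ChildItem -Path $SpoolDriverRoot -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

if (-not $recent) {
    Write-Output "No DLLs written under $SpoolDriverRoot in the last $LookbackDays days."
    return
}

# 3. Flag anything without a valid Authenticode signature for manual review.
foreach ($dll in $recent) {
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    $flag = if ($sig.Status -ne 'Valid') { 'REVIEW' } else { 'ok' }
    Write-Output ("[{0}] {1} written={2} signer={3} status={4}" -f `
        $flag, $dll.FullName, $dll.LastWriteTime, `
        $sig.SignerCertificate.Subject, $sig.Status)
}
```

Run it from an elevated PowerShell prompt on a schedule or from your EDR's script runner; an unsigned or unexpectedly new driver DLL is a lead to investigate, not proof of compromise, since legitimate vendor drivers are sometimes unsigned.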

Key Takeaways

- CVE-2022-30138 is a high-priority Windows bug that lets local users become SYSTEM via Print Spooler manipulation.
- It is different from similar bugs (such as PrintNightmare: CVE-2021-1675, CVE-2021-34527, and others) and from CVE-2022-29104, CVE-2022-29132.
- This vulnerability reinforces the need to patch Windows systems regularly and restrict access to crucial services like Print Spooler.

Timeline

Published on: 05/18/2022 23:15:00 UTC
Last modified on: 05/31/2022 13:43:00 UTC