CVE-2022-36377 - Escalating Privileges in Intel NUC Kit Wireless Adapter Drivers with Incorrect Default Installer Permissions

In the world of cybersecurity, seemingly small issues like incorrect file permissions can open the door to serious threats. CVE-2022-36377 is one such example. This vulnerability affected Intel® NUC Kit Wireless Adapter drivers for Windows 10, version 22.40 and earlier, where incorrect permissions assigned by the installer could let local, authenticated users escalate their privileges on the system.

In this detailed post, we'll break down how this vulnerability works, provide proof-of-concept details, and show you what you need to look out for on your own systems. We'll also give you references to original Intel advisories and talk about how you can fix or mitigate the problem.

What is CVE-2022-36377?

CVE-2022-36377 is a local privilege escalation bug in Intel NUC Kit Wireless Adapter drivers for Windows 10, before version 22.40.

Summary:  
When you install older versions of the Intel® Wireless Adapter driver, some files and directories are given permissions that are too broad. This could allow any authenticated local user (someone who can log in) to alter those files—like drivers or executables—possibly tricking the system into running their own malicious code with higher privileges.

CVSS Score: View on NVD  
Intel Advisory: INTEL-SA-00655

Breaking Down the Vulnerability

When software is installed on Windows, the installer (often setup.exe) is supposed to set secure permissions on all files and folders it creates. If permissions are too broad (like giving Everyone or Authenticated Users full control), a limited user can overwrite or replace files that get loaded by higher-privilege processes.

In CVE-2022-36377:  
The Intel® NUC driver installer accidentally set insecure permissions on directories holding driver files. Specifically, it set permissions like "Full Control" for all authenticated users, which means any local user could replace those files—even though they typically should require administrator rights.

This issue is a classic example of an "Unquoted Service Path" or "Insecure Permissions" vulnerability.

Attacker logs in as a standard (non-admin) user.

2. Locates the driver files/folders with insecure permissions.

The payload runs with system or administrative privileges.

This pathway lets a regular user—who should have limited capability—become a powerful attacker with total control of your PC.

Proof-of-Concept (PoC) Steps

Note: Do this only on a test system! Never attack or exploit systems you do not own or have permission to test.

1. Find the Vulnerable Folders

# Replace with the typical driver path found on Intel NUCs
$driverPath = "C:\Program Files\Intel\Wireless"
icacls $driverPath

Sample (insecure) output

C:\Program Files\Intel\Wireless BUILTIN\Users:(OI)(CI)(M)
                                  BUILTIN\Administrators:(OI)(CI)(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                  Everyone:(OI)(CI)(F)

If you see Everyone or BUILTIN\Users with anything more than Read, it's insecure.

2. Replace an Executable or DLL

Copy a simple test binary (like cmd.exe or your own small .exe file) over a supporting executable or DLL, using your normal user account.

copy C:\Windows\System32\cmd.exe "C:\Program Files\Intel\Wireless\iwlwifi.exe"

3. Trigger the Service

Restart the PC, or restart the Intel Wireless service if possible.

4. Privilege Escalation

When the service (usually running as SYSTEM/Administrator) attempts to run what it expects is the real driver or helper executable, your code is executed with elevated rights.

Real World Example

Imagine:

Mitigation and Fixes

Intel's Solution:  
Upgrade to Intel® NUC Kit Wireless Adapter drivers v22.40 or later. These versions set correct NTFS permissions on all driver files and directories.

- Download Updated Drivers

Manual Mitigation:  
- Use icacls or Windows Explorer to audit/set permissions on all Intel Wireless directories. Only SYSTEM and Administrators should have write access.

Example command to lock down permissions

icacls "C:\Program Files\Intel\Wireless" /remove Everyone
icacls "C:\Program Files\Intel\Wireless" /grant Administrators:(OI)(CI)F SYSTEM:(OI)(CI)F

References & Further Reading

- Intel Security Advisory (INTEL-SA-00655)
- National Vulnerability Database (CVE-2022-36377)
- Mitre CVE List - CVE-2022-36377
- Blog: What Are Insecure Permissions?

Conclusion

CVE-2022-36377 is a perfect reminder that even a tiny misstep in installer configuration can open serious holes in your security. If you're running an Intel NUC, make sure you update your drivers ASAP. If you manage a lot of Windows servers, consider regular audits for misconfigured file and directory permissions—it's an easy win for your defense.

Stay updated, stay secure. 🚀

*This post is a unique, exclusive guide to CVE-2022-36377, written in plain language for easy understanding. Always practice responsible disclosure and never use these techniques on unauthorized systems.*

Timeline

Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/16/2022 16:27:00 UTC