
CVE-2022-22047

CSRSS -- activation context cache poisoning via impersonated device map

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field                 Value
Component             csrss.exe (user-mode Client/Server Runtime Subsystem process running as SYSTEM; not a driver)
Vulnerability Class   Logic bug / design flaw (impersonation and device-map path resolution)
Exploited ITW         Yes
CVSS                  7.8 (High)

Root Cause

CSRSS (the Client/Server Runtime Subsystem, the user-mode Win32 subsystem process, running as SYSTEM) opens files on behalf of its clients while impersonating them. The NT object manager resolves DOS drive letters through a device map attached to the token: for a thread that is impersonating, that is the impersonated client's device map, which the client can populate with its own DosDevices symbolic links, unless the caller sets OBJ_IGNORE_IMPERSONATED_DEVICEMAP in the OBJECT_ATTRIBUTES passed to the open. CSRSS did not set that flag, so its impersonating threads resolved drive letters through the client's device map rather than the system one.

An attacker can therefore remap a drive root (for example C:) for the CSRSS thread that serves them simply by defining that drive letter in their own logon session's device map before making the request. When CSRSS then resolves a manifest or activation context through the remapped path, it reads attacker-controlled files in place of the legitimate system files, and the resulting activation context ends up in CSRSS's cache.

The Austria-based hack-for-hire group KNOTWEED (DSIRF) used this as a zero-day. The attack chain: set up the fake drive mapping, trigger an activation context lookup in CSRSS so that the poisoned context is created and cached, and have the attacker's payload loaded with SYSTEM privileges as a result.

Exploitation

No filesystem junction is needed: the redirection is an object-manager symbolic link for the drive letter, created in the attacker's own logon-session DosDevices directory (the kind of mapping DefineDosDevice or subst creates), pointing at a directory the attacker controls and has populated with the manifest and DLL layout CSRSS expects under that path. During impersonation CSRSS resolves the path through the attacker's device map, reads the malicious content, and the attacker's DLL ends up executing as SYSTEM. No memory corruption is involved; this is a pure logic bug in the trust relationship between impersonation and filesystem path resolution.
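The attacker-side primitive, as an added example (not code from the original advisory and not KNOTWEED's tooling): a standard user adds a drive letter to their own logon session's device map with DefineDosDevice, then shows that a system-looking path under that letter resolves into a directory they control. The drive letter Q: and the staging directory under %TEMP% are assumptions; pick a letter that is free on the machine. Remapping C: the way the exploit did works identically but breaks the current session, so a spare letter is used here.

```powershell
# Added example (not code from the original advisory or from KNOTWEED).
# A standard user adds a drive letter to their own logon session's device map
# with DefineDosDevice. A thread impersonating this user resolves that letter
# through this per-session map unless it opens with
# OBJ_IGNORE_IMPERSONATED_DEVICEMAP. Assumptions: Q: is free on this machine;
# the staging directory lives under %TEMP%. The exploit remapped C: the same
# way; a spare letter is used here so the current session keeps working.

Add-Type -Namespace Demo -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool DefineDosDevice(uint dwFlags, string lpDeviceName, string lpTargetPath);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

$DDD_RAW_TARGET_PATH   = 0x1   # lpTargetPath is an NT object-manager path, used as-is
$DDD_REMOVE_DEFINITION = 0x2   # remove the most recent definition of the device

$letter  = 'Q:'                                 # assumption: unused drive letter
$staging = Join-Path $env:TEMP 'fake_root'      # attacker-controlled "drive root"
$fakeSys = Join-Path $staging 'Windows\System32'
New-Item -ItemType Directory -Force -Path $fakeSys | Out-Null
Set-Content -Path (Join-Path $fakeSys 'marker.txt') -Value 'served from the per-session device map'

# Returns the object-manager symbolic-link target behind a drive letter.
function Resolve-DosDevice([string]$Name) {
    $sb = New-Object System.Text.StringBuilder 1024
    $n  = [Demo.DosDev]::QueryDosDevice($Name, $sb, $sb.Capacity)
    if ($n -eq 0) { return $null }
    return $sb.ToString().Split([char]0)[0]   # multi-string; first entry is the target
}

"Before: $letter -> $(Resolve-DosDevice $letter)"
try {
    # The target is an NT path, so the mapping is a plain object-manager
    # symbolic link, exactly what the object manager follows when a thread
    # carrying this device map opens \??\Q:\...
    $target = '\??\' + $staging
    if (-not [Demo.DosDev]::DefineDosDevice($DDD_RAW_TARGET_PATH, $letter, $target)) {
        throw "DefineDosDevice failed: $((New-Object ComponentModel.Win32Exception).Message)"
    }
    "After:  $letter -> $(Resolve-DosDevice $letter)"

    # A path that looks like a system location now lands in the staging dir.
    # .NET does the read so the check does not depend on PowerShell's drive
    # cache noticing the new letter.
    $probe = "$letter\Windows\System32\marker.txt"
    "Reading $probe : $([System.IO.File]::ReadAllText($probe).Trim())"
}
finally {
    # Drop the mapping and the staging tree again.
    [void][Demo.DosDev]::DefineDosDevice($DDD_REMOVE_DEFINITION, $letter, $null)
    Remove-Item -Recurse -Force $staging
}
```

The mapping created by a standard user lives in that logon session's DosDevices directory (`\Sessions\0\DosDevices\<LUID>`, visible in Sysinternals WinObj), not in `\GLOBAL??`, which is why a SYSTEM service only sees it while impersonating that user. That is the whole trick: the service never has to be tricked into following a filesystem link, it just has to open a drive-letter path with the wrong device map in effect.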

Patch Analysis

The patch adds OBJ_IGNORE_IMPERSONATED_DEVICEMAP (0x800 in ntdef.h) to the OBJECT_ATTRIBUTES flags CSRSS uses for filesystem operations performed during impersonation, so the object manager resolves drive letters through the system device map regardless of the impersonation context. The same flag is the correct fix for any privileged service that opens drive-letter paths while impersonating a client; opening files by their \Device\... path avoids the per-session map entirely.
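The server-side fix pattern, as an added example (not CSRSS's code): a small NtOpenFile wrapper that builds OBJECT_ATTRIBUTES the way the patch does, with OBJ_IGNORE_IMPERSONATED_DEVICEMAP alongside OBJ_CASE_INSENSITIVE, next to the pre-patch attribute set. The Demo.Nt class and its Open helper are assumptions; the flag values, structures and the NtOpenFile prototype are the documented ones.

```powershell
# Added example (not CSRSS's code). Shows the attribute set the fix applies:
# a server that opens files while impersonating a client passes
# OBJ_IGNORE_IMPERSONATED_DEVICEMAP so drive letters are resolved through the
# server's own device map, never the client's. Demo.Nt / Open are assumptions.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

namespace Demo {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES {
        public int    Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;               // PUNICODE_STRING
        public uint   Attributes;               // OBJ_* flags
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }

    public static class Nt {
        public const uint OBJ_CASE_INSENSITIVE              = 0x40;
        public const uint OBJ_IGNORE_IMPERSONATED_DEVICEMAP = 0x800;   // the flag the patch adds
        public const uint FILE_READ_ATTRIBUTES              = 0x80;
        public const uint SYNCHRONIZE                       = 0x00100000;
        public const uint FILE_SHARE_READ                   = 0x1;
        public const uint FILE_SYNCHRONOUS_IO_NONALERT      = 0x20;

        [DllImport("ntdll.dll")]
        public static extern int NtOpenFile(out IntPtr FileHandle, uint DesiredAccess,
            ref OBJECT_ATTRIBUTES ObjectAttributes, out IO_STATUS_BLOCK IoStatusBlock,
            uint ShareAccess, uint OpenOptions);

        [DllImport("ntdll.dll")]
        public static extern int NtClose(IntPtr Handle);

        // Opens an NT path (e.g. \??\C:\Windows\System32\ntdll.dll) for attribute read.
        // ignoreClientDeviceMap=true builds the patched attribute set; false the pre-patch one.
        public static int Open(string ntPath, bool ignoreClientDeviceMap, out IntPtr handle) {
            UNICODE_STRING name = new UNICODE_STRING();
            name.Buffer        = Marshal.StringToHGlobalUni(ntPath);
            name.Length        = (ushort)(ntPath.Length * 2);     // byte count, no terminator
            name.MaximumLength = (ushort)(name.Length + 2);
            IntPtr pName = Marshal.AllocHGlobal(Marshal.SizeOf(name));
            Marshal.StructureToPtr(name, pName, false);

            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
            oa.Length     = Marshal.SizeOf(oa);
            oa.ObjectName = pName;
            oa.Attributes = OBJ_CASE_INSENSITIVE;
            if (ignoreClientDeviceMap) oa.Attributes |= OBJ_IGNORE_IMPERSONATED_DEVICEMAP;

            IO_STATUS_BLOCK iosb;
            int status = NtOpenFile(out handle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, ref oa,
                                    out iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);

            Marshal.FreeHGlobal(pName);
            Marshal.FreeHGlobal(name.Buffer);
            return status;   // NTSTATUS; 0 is STATUS_SUCCESS
        }
    }
}
'@

$path = '\??\C:\Windows\System32\ntdll.dll'
foreach ($hardened in $false, $true) {
    $h = [IntPtr]::Zero
    $status = [Demo.Nt]::Open($path, $hardened, [ref]$h)
    $flags = if ($hardened) { 'OBJ_CASE_INSENSITIVE | OBJ_IGNORE_IMPERSONATED_DEVICEMAP (patched)' }
             else           { 'OBJ_CASE_INSENSITIVE (pre-patch)' }
    '{0,-66} NTSTATUS=0x{1:X8}' -f $flags, $status
    if ($status -eq 0) { [void][Demo.Nt]::NtClose($h) }
}
```

Run as-is, both opens return STATUS_SUCCESS, because a thread that is not impersonating resolves C: through its own device map either way; the flag only changes behaviour when the calling thread holds an impersonation token whose logon session has its own DosDevices directory. The review check to apply to any SYSTEM service is therefore simple: if a thread impersonates a client (ImpersonateNamedPipeClient, RpcImpersonateClient, ImpersonateLoggedOnUser, CoImpersonateClient) and then opens a drive-letter path, that open needs this flag or must use a \Device\... path.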
