CVE-2022-22047
CSRSS, activation context cache poisoning via impersonated device map
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Component | csrss.exe (user-mode Client/Server Runtime Subsystem, not a driver) |
| Vulnerability Class | Logic Bug / Design Flaw |
| Exploited ITW | Yes |
| CVSS | 7.8 |
The Story
This vulnerability was burned as a zero-day by KNOTWEED (also known as DSIRF), an Austrian hack-for-hire group that sold surveillance tooling to government clients. It is a pure logic bug with no memory corruption involved; it exploits a subtle trust assumption in how CSRSS resolves filesystem paths while impersonating a client.
CSRSS (Client/Server Runtime Subsystem) runs as SYSTEM and performs filesystem operations while impersonating the client process that made the request. The critical detail: when a thread opens a Win32 drive-letter path such as C:\... under impersonation, the object manager resolves the drive letter through the device map of the impersonation token, not through the server process's own token. Each logon session has its own DOS devices directory (\Sessions\0\DosDevices\<LUID>) that is searched before the global \GLOBAL?? directory, so a client can define a C: that shadows the real one. CSRSS did not set OBJ_IGNORE_IMPERSONATED_DEVICEMAP on the object attributes of these opens, so the impersonating thread navigated the attacker's filesystem namespace rather than the system's.
How the Attack Works
The attacker remaps the drive root (for example, C:) for their own logon session by creating an object manager symbolic link for the drive letter in their per-session DOS devices directory, pointing it at a directory tree they control (a filesystem junction cannot redirect a drive root; the real C:\Windows is never touched). When CSRSS impersonates the attacker's thread and performs a filesystem operation (such as loading a DLL or looking up an activation context), it resolves C:\Windows\... through the attacker's device map instead of the system device map. CSRSS ends up reading attacker-controlled content from the redirected path while treating it as if it came from the real system directories, which is the "activation context cache poisoning" the title refers to, and because CSRSS runs as SYSTEM, the attacker's payload executes with SYSTEM privileges.
No memory corruption. No race condition. No heap manipulation. Just a missing flag on an object attribute structure, and a privileged service that trusts the wrong namespace during impersonation.
Patch Analysis
The patch adds OBJ_IGNORE_IMPERSONATED_DEVICEMAP to the object attribute flags of CSRSS's filesystem opens performed under impersonation, so the object manager resolves drive letters through the system device map regardless of the impersonation token. The caveat a reviewer should carry away: the flag is per-open. Every NtOpenFile/NtCreateFile (or any other \??-relative open) issued while impersonating a client needs it, or the path must be translated to a device-relative NT path before impersonation begins; a single remaining default-attribute open keeps the bug alive.
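To make the attack and the fix concrete, the following Python model is added here; it is not CSRSS code, not KNOTWEED's exploit, and not taken from any project. It walks the drive-letter lookup described in the two sections above: a per-logon DOS devices directory is consulted before the global one, so a client-defined C: shadows the system's, and setting OBJ_IGNORE_IMPERSONATED_DEVICEMAP on the open makes the resolver skip the impersonated map. The directory names follow the real namespace layout (\GLOBAL?? and \Sessions\0\DosDevices\<LUID>), but the LUID, volume numbers, file name, and the functions resolve_nt_path and csrss_open_while_impersonating are the example's own inventions. The resolver handles only drive-letter symbolic links, which is the part of path resolution this bug class abuses.

```python
r"""Added model of device-map path resolution (illustration only; not CSRSS
or exploit code). The LUID, volumes and file names below are made up."""

from dataclasses import dataclass, field

# Real OBJECT_ATTRIBUTES flag value from ntdef.h.
OBJ_IGNORE_IMPERSONATED_DEVICEMAP = 0x0800


@dataclass
class DeviceMap:
    r"""One DOS devices directory: drive letter -> NT object path it links to."""
    directory: str
    links: dict = field(default_factory=dict)


# System device map: what every process resolves through by default.
SYSTEM_MAP = DeviceMap(r"\GLOBAL??", {"C:": r"\Device\HarddiskVolume2"})

# Per-logon map of an unprivileged client. A logon session may define its own
# drive letters (this is what subst / net use create). This client has defined
# a C: that shadows the global one and points at a tree it controls on another
# volume. The LUID in the directory name is invented for the example.
ATTACKER_MAP = DeviceMap(
    r"\Sessions\0\DosDevices\00000000-0003e7a1",
    {"C:": r"\Device\HarddiskVolume3\Users\attacker\fake_root"},
)

# A client that only mapped an extra letter and left C: alone.
NORMAL_MAP = DeviceMap(
    r"\Sessions\0\DosDevices\00000000-0003e7b2",
    {"X:": r"\Device\HarddiskVolume2\Users\normal\work"},
)


def lookup_drive(letter, impersonated_map):
    r"""Model of the \?? lookup: the impersonation token's per-logon directory
    is searched first and shadows \GLOBAL??; the global map is the fallback."""
    if impersonated_map is not None and letter in impersonated_map.links:
        return impersonated_map.links[letter], impersonated_map.directory
    return SYSTEM_MAP.links[letter], SYSTEM_MAP.directory


def resolve_nt_path(win32_path, impersonated_map, obj_attributes=0):
    r"""Translate C:\foo\bar into an NT path the way an open issued under
    impersonation would. Returns (nt_path, directory the letter came from)."""
    if len(win32_path) < 2 or win32_path[1] != ":":
        raise ValueError("expected a drive-letter path: " + win32_path)
    drive, rest = win32_path[:2].upper(), win32_path[2:]
    if obj_attributes & OBJ_IGNORE_IMPERSONATED_DEVICEMAP:
        impersonated_map = None  # object manager ignores the thread's map
    target, source = lookup_drive(drive, impersonated_map)
    return target + rest, source


# Made-up system path of the kind the privileged server opens.
MANIFEST = r"C:\Windows\WinSxS\Manifests\example.manifest"


def csrss_open_while_impersonating(client_map, patched):
    r"""Sketch of the privileged server: it impersonates the client thread and
    then opens a system path. Unpatched: default object attributes. Patched:
    OBJ_IGNORE_IMPERSONATED_DEVICEMAP set on the open."""
    attrs = OBJ_IGNORE_IMPERSONATED_DEVICEMAP if patched else 0
    return resolve_nt_path(MANIFEST, client_map, attrs)


if __name__ == "__main__":
    for name, client in (("normal", NORMAL_MAP), ("attacker", ATTACKER_MAP)):
        for patched in (False, True):
            nt_path, source = csrss_open_while_impersonating(client, patched)
            print(f"{name:8} patched={patched!s:5} {source:42} -> {nt_path}")
```

Running the block shows the whole bug in two lines of output: with the attacker's map and default attributes the "system" manifest resolves under \Device\HarddiskVolume3\Users\attacker\fake_root, and with the flag set it resolves under \Device\HarddiskVolume2 exactly as it does for the normal client. The shadowing only bites for letters the client redefined, which is why the normal client is unaffected either way.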
Broader Significance
CVE-2022-22047 belongs to the impersonated device map vulnerability class, a pattern in which a privileged Windows service resolves drive-letter paths through the client's namespace because it opens them while impersonating that client. The same bug class appeared in the Print Spooler (CVE-2022-41073), and any SYSTEM service that opens Win32 paths under impersonation without OBJ_IGNORE_IMPERSONATED_DEVICEMAP is a candidate for the same audit. The KNOTWEED/DSIRF attribution makes this CVE notable as part of a commercial exploitation toolkit, showing that logic bugs in Windows service impersonation are valued by surveillance vendors alongside more traditional memory corruption vulnerabilities.