CVE-2022-41073
Print Spooler -- drive root remapping during impersonation
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | spoolsv.exe / printfilterpipelinesvc.exe |
| Vulnerability Class | Logic Bug / Design Flaw |
| Exploited ITW | Yes |
| CVSS | 7.8 |
Root Cause
Same class of bug as CVE-2022-22047: a privileged Windows service performs filesystem operations under impersonation without protecting against device map manipulation. In this case the target is printfilterpipelinesvc.exe, which runs as SYSTEM.
The attacker remaps the drive root for a thread impersonating a low-privileged user, then triggers a file operation in the Print Filter Pipeline Service. The service resolves the path using the attacker's device map, loading content from an attacker-controlled location with SYSTEM privileges.
The root cause is the same as in CVE-2022-29104, an earlier instance of this bug class in the Print Spooler whose fix was incomplete.
Exploitation
Trigger a print job that causes printfilterpipelinesvc.exe to load a filter DLL or configuration file. With the drive root remapped, the service loads the attacker's file instead. Code execution as SYSTEM follows directly.
Patch Analysis
The fix adds OBJ_IGNORE_IMPERSONATED_DEVICEMAP to filesystem operations in the Print Filter Pipeline Service, matching the approach used for CVE-2022-22047 in CSRSS.
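The resolution behaviour described under Root Cause, and what the flag changes, as a toy model added here for illustration; it is not Windows or Microsoft code. The volume name, user directory and filter file name are constructed, and the resolver assumes a simplified lookup in which the impersonated user's device map shadows the global entries.

```python
# Toy model of DOS drive-letter resolution under impersonation (not Windows code).
OBJ_IGNORE_IMPERSONATED_DEVICEMAP = 0x800  # flag value from ntdef.h

# Constructed sample data: volume name, user directory and file name are made up.
GLOBAL_DEVICES = {"C:": r"\Device\HarddiskVolume3"}
FILTER_PATH = r"C:\Windows\System32\example_filter.dll"


class DeviceMap:
    """Drive-letter table; per-user overrides shadow the global entries."""

    def __init__(self, overrides=None):
        self.overrides = {k.upper(): v for k, v in (overrides or {}).items()}

    def lookup(self, drive):
        drive = drive.upper()
        return self.overrides.get(drive, GLOBAL_DEVICES.get(drive))


def resolve(path, process_map, impersonated_map=None, attributes=0):
    """Return the NT path the model opens for a DOS path such as C:\\dir\\file."""
    drive, sep, rest = path.partition("\\")
    ignore = attributes & OBJ_IGNORE_IMPERSONATED_DEVICEMAP
    # Without the flag, an impersonating thread resolves through the
    # impersonated user's device map; with it, through the process's own.
    active = process_map if (impersonated_map is None or ignore) else impersonated_map
    target = active.lookup(drive)
    if target is None:
        raise FileNotFoundError(f"no device mapped for {drive}")
    return target + sep + rest


def diverges(path, process_map, impersonated_map, attributes=0):
    """True when impersonation changes which file the service would open."""
    return resolve(path, process_map, impersonated_map, attributes) != resolve(path, process_map)


SYSTEM_MAP = DeviceMap()  # service process: global entries only
USER_MAP = DeviceMap({"C:": r"\Device\HarddiskVolume3\Users\lowpriv\stage"})  # remapped root

if __name__ == "__main__":
    print("pre-patch :", resolve(FILTER_PATH, SYSTEM_MAP, USER_MAP))
    print("patched   :", resolve(FILTER_PATH, SYSTEM_MAP, USER_MAP,
                                 OBJ_IGNORE_IMPERSONATED_DEVICEMAP))
```

`diverges` is the property to check when reviewing other services that open files while impersonating: any call site where it would return True without the flag resolves paths through a table the impersonated user controls.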