CVE-2022-41073
Print Spooler, drive root remapping during impersonation
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | spoolsv.exe / printfilterpipelinesvc.exe |
| Vulnerability Class | Logic Bug / Design Flaw |
| Exploited ITW | Yes |
| CVSS | 7.8 |
The Story
The Print Spooler has been a recurring source of Windows privilege escalation bugs, from PrintNightmare to this. CVE-2022-41073 is the same class of bug as CVE-2022-22047: a privileged Windows service performs filesystem operations under impersonation without protecting against device map manipulation. The target this time is printfilterpipelinesvc.exe, the Print Filter Pipeline Service, which runs as SYSTEM.
This vulnerability shares its root cause with CVE-2022-29104, an earlier Print Spooler bug of the same class whose fix proved incomplete. That the same impersonated device map issue had to be patched twice, in different Print Spooler components, underscores how pervasive the pattern is.
How It Works
The attacker remaps the drive root in the device map of a low-privileged user, then triggers a file operation in the Print Filter Pipeline Service on a thread that impersonates that user. When the service needs to load a filter DLL or configuration file, it resolves the path using the attacker's device map instead of the system device map, and so loads content from an attacker-controlled location with SYSTEM privileges.
The attack chain is straightforward: trigger a print job that causes printfilterpipelinesvc.exe to load a filter DLL or configuration file. With the drive root remapped, the service loads the attacker's file instead. Code execution as SYSTEM follows directly. No memory corruption is involved.
Patch Analysis
The fix adds OBJ_IGNORE_IMPERSONATED_DEVICEMAP to filesystem operations in the Print Filter Pipeline Service, matching the approach used for CVE-2022-22047 in CSRSS.
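To make the mechanism and the fix concrete, here is an added model (not code from the page, Microsoft, or Project Zero) of how the Object Manager picks a DOS device map when a thread opens "X:\path": the impersonated client's per-logon map shadows the global one unless the caller passes OBJ_IGNORE_IMPERSONATED_DEVICEMAP, in which case the service's own process map is used. The device map contents, the drive letter target, and the example filter DLL path are constructed sample data; the two flag values are the real ntdef.h constants.

```c
#include <stdio.h>
#include <string.h>

/* Object attribute bits, values as defined in ntdef.h. */
#define OBJ_CASE_INSENSITIVE              0x00000040u
#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800u
#define MAX_DRIVES 26

/* A DOS device map: drive letter -> NT device path (NULL = no entry). */
struct devmap { const char *target[MAX_DRIVES]; };

/* A per-logon map shadows only the letters it defines; the rest fall through to \GLOBAL??. */
static const char *lookup(const struct devmap *local, const struct devmap *global, char drive)
{
    int i = (drive | 0x20) - 'a';
    if (i < 0 || i >= MAX_DRIVES) return NULL;
    if (local && local->target[i]) return local->target[i];
    return global->target[i];
}

/* Resolve "X:\path" as the Object Manager does for a possibly impersonating thread.
   process_map: the service's own (SYSTEM) map; client_map: the impersonated
   client's map, or NULL when not impersonating. Returns 0 on success, -1 on error. */
int resolve_dos_path(const char *dos_path, unsigned attrs,
                     const struct devmap *global, const struct devmap *process_map,
                     const struct devmap *client_map, char *out, size_t outlen)
{
    if (!dos_path || strlen(dos_path) < 2 || dos_path[1] != ':') return -1;
    const struct devmap *chosen = process_map;
    /* Vulnerable case: impersonating without the flag, so the client-controlled map wins. */
    if (client_map && !(attrs & OBJ_IGNORE_IMPERSONATED_DEVICEMAP))
        chosen = client_map;
    const char *dev = lookup(chosen, global, dos_path[0]);
    if (!dev) return -1;
    return snprintf(out, outlen, "%s%s", dev, dos_path + 2) < (int)outlen ? 0 : -1;
}

/* Constructed scenario: a SYSTEM service resolves a filter DLL path while
   impersonating a client whose logon-session map has redirected C:. */
int demo_filter_dll_resolution(unsigned attrs, char *out, size_t outlen)
{
    struct devmap global = {{0}}, service = {{0}}, client = {{0}};
    global.target['C' - 'A'] = "\\Device\\HarddiskVolume1";                          /* constructed */
    client.target['C' - 'A'] = "\\Device\\HarddiskVolume1\\Users\\lowpriv\\fakeroot"; /* constructed */
    return resolve_dos_path("C:\\Windows\\System32\\example_filter.dll", attrs,
                            &global, &service, &client, out, outlen);
}
```

Calling demo_filter_dll_resolution with only OBJ_CASE_INSENSITIVE yields a path under the client's fakeroot; adding OBJ_IGNORE_IMPERSONATED_DEVICEMAP yields the real system volume, which is exactly what the patch changes for the service's file operations.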
Broader Significance
CVE-2022-41073 and CVE-2022-22047 together define the impersonated device map attack class. Any Windows service that runs as SYSTEM, impersonates clients, and performs filesystem operations without OBJ_IGNORE_IMPERSONATED_DEVICEMAP is potentially vulnerable. Google Project Zero's in-the-wild root cause analysis covered this CVE, indicating the bug class was being actively hunted by sophisticated threat actors. For researchers auditing Windows services, checking for missing OBJ_IGNORE_IMPERSONATED_DEVICEMAP flags during impersonated filesystem operations is now a standard audit item.