CVE-2022–29333 Privilege Escalation Power Director 14 — Exploiting GUI Weakness

Joas Antonio
4 min readMay 26, 2022


A little while ago I saw a video of a PoC of CVE-2022–0354 where the researcher found a vulnerability in a native application of his lenovo notebook which allowed to escalate privileges exploiting a very curious factor.

And based on that, I decided to start my research that gave good results. But which vulnerability exactly am I talking about?

Imagine an application running in Administrative mode and you with users with common permissions can’t do much, but by a simple interaction with the application’s GUI and you can open an administrative Command Prompt from a simple Save As?

Still don’t understand? Watch these 2 videos, but don’t worry, I’ll show you in practice!


CVE-2022–29333 — My CVE

Inspired by the exploration method of CVE 0354, I did the same process in countless other applications, I can say that I got a surprising result which generated the first CVE of this PoC of several that may come with the reports I made.

And I even had the honor of being my second CVE that appears in a Bulletins]

In practice

Details: Vulnerability in Power Director 14, allows me to save a promotion link and run a reverse shell as admin if power director is running as admin.
Now let’s understand better how exploration is!
First I ran a normal CMD for you to understand the level of privileges I have

I ran Power Director which is already enabled to run as Administrator. And now the crucial detail is that I noticed the discount advertisement in the application that allowed me to right-click to interact.

I clicked on Save Destination, and after that click it will open explorer.exe and at that moment that will be crucial

Notice that I typed C:\Windows\system32\cmd.exe in the path, so when I click “GO TO” it will open CMD.exe for me in an administrative way

And this is the result!

Privileges successfully escalated and now just create a user and put him in the admin group for you to have fun.

Is a reverse shell possible?

In my research I also made tests creating some malicious executables, I’ll leave the video below using the same vector to get a privileged shell using Metasploit.

Mitre Att&ck

Yes! It can be a technique that malicious attackers and even insiders can use to exploit a corporate environment, as it is both simple and dangerous.

Below is the technique and my contribution as well.

T1068 — Exploitation for Privilege Escalation

How many applications are vulnerable and how to remedy?

So far, I have tested it in 13 applications and obtained positive results in 13, as it is not a loophole in itself that needs to develop an Exploit to exploit it, in addition to being a local and not a remote technique.

But the biggest question is how developers create their applications and how the user interface interacts with the system, because what I do is explore native system resources, after all, no one would imagine that if I somehow manage to open explorer.exe, could run an executable inside the application process and get an administrative shell.


I summarize a lot, I wish I had done something academic level, but I want to deepen my research to go further, involving Defense Evasion and the like. But I’m happy to answer any questions!