Two Windows Event Log Bugs Allow Hackers to Remotely Block Event Log Applications


Security researchers at Varonis Threat Labs have disclosed two vulnerabilities in the Microsoft Windows event log, one of which can be exploited to cause a denial-of-service (DoS) condition.

The two vulnerabilities named by the Varonis analysts are as follows:-

  • LogCrusher
  • OverLog

Both vulnerabilities involve MS-EVEN, the EventLog Remoting Protocol, which lets event logs be accessed from a remote machine.

This year, on June 15, Microsoft officially announced that it had completely ended support for IE (Internet Explorer). However, IE still raises security and stability issues because it is deeply integrated into the Windows ecosystem.

WASH

OverLog is believed to cause a DoS condition on a Windows computer by filling up all available space on its hard drive.

CVE-2022-37981 has been assigned to OverLog, with a CVSS score of 4.3. Microsoft fixed it in its October Patch Tuesday update. The LogCrusher issue, however, has not yet been resolved and remains unpatched.

Criticism

The Windows API function OpenEventLogW opens a handle to an event log on a local or remote machine.

The function takes two parameters:-

  • lpUNCServerName
  • lpSourceName

By default, low-privilege, non-administrative users cannot access event logs on other machines, since they lack the required privileges. The one exception is the legacy “Internet Explorer” log.

That log carries its own security descriptor, which overrides the default event log permissions.
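A defender's first question about such a channel is who its security descriptor actually lets clear or back up the log. The script below is an added example, not code from the article or from Varonis: it parses the DACL of an event log channel's SDDL string and reports any broad, non-administrative principal (Everyone, Authenticated Users, Users, INTERACTIVE) holding the clear right. On Windows the descriptor for a channel is printed on the channelAccess line of `wevtutil gl "Internet Explorer"`; the two descriptors embedded here are constructed for illustration and are not copied from any real system.

```python
"""Audit an event log channel's SDDL access descriptor for rights granted
to broad (non-administrative) principals.

Added example, not code from the article or from Varonis.  On Windows the
descriptor for a channel is printed on the channelAccess line of
    wevtutil gl "Internet Explorer"
and can be pasted into audit_channel_access().  The sample descriptors
below are CONSTRUCTED for illustration, not copied from any real system.
"""
import re

# Event-log specific access rights (low bits of the access mask).
ELF_LOGFILE_READ = 0x1
ELF_LOGFILE_WRITE = 0x2
ELF_LOGFILE_CLEAR = 0x4   # required to clear or back up the log
RIGHT_NAMES = {ELF_LOGFILE_READ: "read",
               ELF_LOGFILE_WRITE: "write",
               ELF_LOGFILE_CLEAR: "clear"}

# SDDL two-letter SID aliases (subset) and the principals that cover
# ordinary, non-administrative users (aliases and raw SIDs).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
               "SO": "BUILTIN\\Server Operators", "BU": "BUILTIN\\Users",
               "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users",
               "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE"}
BROAD_PRINCIPALS = {"WD", "AU", "BU", "IU",
                    "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]+)\)")
# The DACL: "D:" + optional flag letters + one or more ACEs.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))+)")


def parse_mask(token):
    """Turn an SDDL rights token into an integer access mask."""
    if token.startswith("0x"):
        return int(token, 16)
    if token in ("GA", "FA"):          # generic/full: treat as all log rights
        return ELF_LOGFILE_READ | ELF_LOGFILE_WRITE | ELF_LOGFILE_CLEAR
    raise ValueError(f"unsupported rights token {token!r}")


def parse_dacl(sddl):
    """Return [(ace_type, sid, mask), ...] for the DACL part of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    return [(ace_type, sid, parse_mask(rights))
            for ace_type, _flags, rights, _oid, _ioid, sid in ACE_RE.findall(m.group(2))]


def audit_channel_access(sddl):
    """Report broad principals that are allowed to clear (or back up) the log.

    Returns [(principal_name, [granted right names]), ...]; an empty list
    means no non-administrative principal holds the clear right.
    """
    findings = []
    for ace_type, sid, mask in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_PRINCIPALS:
            continue                        # only 'allow' ACEs for broad SIDs
        if mask & ELF_LOGFILE_CLEAR:
            granted = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
            findings.append((SID_ALIASES.get(sid, sid), granted))
    return findings


# CONSTRUCTED samples: a locked-down channel (clear only for administrators,
# operators and SYSTEM) versus one that hands clear to Everyone.
RESTRICTED_SDDL = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)"
                   "(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-32-573)")
OPEN_SDDL = "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x7;;;WD)"

if __name__ == "__main__":
    for name, sddl in (("restricted", RESTRICTED_SDDL), ("open", OPEN_SDDL)):
        print(name, audit_channel_access(sddl))
```

Running the script reports nothing for the restricted descriptor and flags Everyone with read, write and clear for the open one. The check deliberately keys on the clear bit (0x4) rather than write, because ordinary interactive users are routinely allowed to write to logs such as Application, whereas clearing or backing up a log is what the remote clear/backup call needs.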

The MS-EVEN function ElfClearELFW clears an event log on a remote machine and can also back it up. This function also takes two parameters:-

However, ElfClearELFW does not correctly validate its input. Understanding the LogCrusher attack flow requires considering these two functions together.

An attacker can disrupt or degrade the service's performance but cannot stop it completely.

An attacker who obtains a handle to the legacy Internet Explorer log can use it as leverage to:-

  • Crash the event log
  • Initiate DoS Condition

Combined with a second flaw, this weakness can be used to defeat the log backup function: the threat actor creates a writable folder on the targeted host and repeatedly saves arbitrary logs there until the drive is full.

Microsoft's patch should be applied to potentially vulnerable systems as soon as possible, and any suspicious activity should be carefully monitored.
