Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

Remote attackers could exploit two Event Log vulnerabilities in Windows to crash the Event Log application and cause a denial-of-service (DoS) condition, Varonis warns.

Event Log is an Internet Explorer-specific application that exists in all Windows iterations, due to the deep integration of the browser with the operating system.

Due to the specific set of permissions that Event Log has, two security defects haunt all Windows iterations up to Windows 10, even with Microsoft ending support for Internet Explorer in June 2022.

Called LogCrusher, the first of the exploits could allow a domain user to crash the Event Log on any Windows machine on the domain, remotely.

The second exploit, called OverLog and tracked as CVE-2022-37981, allows a remote attacker to fill the hard drive of a Windows machine with log data, causing a denial-of-service (DoS) condition.

The two exploits abuse the Microsoft Event Log Remoting Protocol (MS-EVEN), which exposes remote procedure call (RPC) methods to remote access. Specifically, they abuse OpenEventLog, a function that allows privileged users to read, write, and clear event logs on remote machines.

“By default, low-privilege, non-administrative users cannot get a handle for event logs of other machines. The one exception to this is the legacy ‘Internet Explorer’ log — which exists in every Windows version and has its own security descriptor that overrides the default permissions,” Varonis explains.

The first issue is an improper input validation bug in ElfClearELFW, a function that allows remote administrators to clear and back up event logs, which crashes the Event Log process when the backup file parameter is NULL.

An attacker can call the OpenEventLog function for the Internet Explorer Event Log and then call the vulnerable function with a NULL parameter, which crashes the Event Log application on the victim machine.

By default, the Event Log service attempts to restart itself two more times, after which it shuts down for 24 hours, impacting all security services that rely on it and potentially allowing attackers to use known exploits, as many alerts would not trigger, Varonis notes.

“Security control products, in some cases, attach themselves to the service! This means that when it crashes for good, the product will also crash and burn alongside it,” Varonis explains.

The second exploit targets a flaw in the BackupEventLogW function and could lead to a permanent DoS condition on every Windows machine, Varonis says.

The vulnerability can be exploited by any user that has write access to a remote machine – meaning they can back up files to that system.

To exploit the vulnerability, an attacker with a handle on the Internet Explorer Event Log on the victim machine can write arbitrary logs to the Event Log service and then back up the log to a writable folder on that machine until the hard drive is full and the machine can no longer write ‘pagefile’, causing a DoS.

Microsoft released patches for these issues as part of the October 2022 Patch Tuesday, modifying the default permission settings so that remote access to the Internet Explorer Event Log is restricted to local administrators only.

“While this addresses this particular set of Internet Explorer Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks,” Varonis says.
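As an added defender-side check (not code from the article or from Varonis), the following PowerShell script reads every event log channel's security descriptor via Get-WinEvent -ListLog and flags allow-ACEs that grant write or clear rights to broad principals such as Everyone or Authenticated Users; it deliberately covers all channels, not just the Internet Explorer log, since other user-accessible application logs could expose the same pattern. The event-log access bits (read 0x1, write 0x2, clear 0x4) and the SDDL SID aliases come from the Windows SDK documentation; treating symbolic rights tokens such as GA as full access is a conservative assumption of this script.

```powershell
# Added example: audit which event log channels grant write or clear rights to
# broad, non-administrative principals. The MS-EVEN issues described above hinged
# on the 'Internet Explorer' log carrying its own permissive security descriptor.

# Event-log-specific access bits (Windows SDK): read = 0x1, write = 0x2, clear = 0x4.
$Rights = @{ 1 = 'Read'; 2 = 'Write'; 4 = 'Clear' }
# SDDL aliases that effectively mean "any user": Everyone, Authenticated Users,
# Users, Interactive, Anonymous (plus the literal SID forms of the first two).
$BroadPrincipals = @('WD', 'AU', 'BU', 'IU', 'AN', 'S-1-1-0', 'S-1-5-11')

function Get-LogAceFindings {
    param([Parameter(Mandatory)][string]$LogName, [string]$Sddl)
    # Each ACE looks like (A;;0x3;;;IU): type;flags;rights;objguid;inheritguid;sid
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $parts = $m.Groups[1].Value -split ';'
        if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # only allow-ACEs matter
        $token = $parts[2]
        if ($token -match '^0x[0-9A-Fa-f]+$') {
            $mask = [int]$token                  # PowerShell parses "0x7" as 7
        } else {
            $mask = 0x7                          # assumption: symbolic rights (GA, FA, ...) treated as full access
        }
        $sid = $parts[5]
        # Write (0x2) or clear (0x4) for a broad principal is what made the IE log abusable.
        if (($BroadPrincipals -contains $sid) -and ($mask -band 0x6)) {
            $granted = $Rights.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $Rights[$_] }
            [pscustomobject]@{
                Log       = $LogName
                Principal = $sid
                Rights    = ($granted -join ',')
                Ace       = $m.Value
            }
        }
    }
}

# Walk every channel on the local host; channels whose configuration cannot be read are skipped.
$findings = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    if ($log.SecurityDescriptor) {
        Get-LogAceFindings -LogName $log.LogName -Sddl $log.SecurityDescriptor
    }
}
$findings | Sort-Object Log | Format-Table -AutoSize

# The log the article concerns: on a host with the October 2022 update applied,
# no broad principal should appear for it in the findings above.
$ie = Get-WinEvent -ListLog 'Internet Explorer' -ErrorAction SilentlyContinue
if ($ie) { "Internet Explorer SDDL: $($ie.SecurityDescriptor)" }
```

Run it in an elevated session on each host of interest; any row in the output identifies a channel whose descriptor should be reviewed and, where a writable or clearable log is not required, tightened.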
