SecurityWeek

Endpoint Security

Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

Remote attackers could exploit two Event Log vulnerabilities in Windows to crash the Event Log service and cause a denial-of-service (DoS) condition, Varonis warns.

The Windows Event Log service ships with a legacy "Internet Explorer" log in every Windows version, a holdover from the browser's deep integration with the operating system.

Because of the specific permissions set on that log, two security defects affect all Windows versions up to Windows 10, even though Microsoft ended support for Internet Explorer in June 2022.

Called LogCrusher, the first of the exploits could allow any domain user to remotely crash the Event Log service on any Windows machine in the domain.

The second exploit, called OverLog and tracked as CVE-2022-37981, allows a remote attacker to fill the hard drive of a Windows machine with log data, causing a denial-of-service (DoS) condition.

The two exploits abuse the Microsoft Event Log Remoting Protocol (MS-EVEN), which exposes the event log's remote procedure call (RPC) methods to remote callers. Specifically, they rely on OpenEventLog, the function that returns the handle through which privileged users can read, write, and clear event logs on remote machines.

“By default, low-privilege, non-administrative users cannot get a handle for event logs of other machines. The one exception to this is the legacy ‘Internet Explorer’ log — which exists in every Windows version and has its own security descriptor that overrides the default permissions,” Varonis explains.
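The security descriptor is the whole story here: whichever principals it grants the event-log write (0x2) or clear (0x4) bits to are the ones who can reach the vulnerable RPC methods. The following Python is an added triage helper, not Varonis's or Microsoft's code. It parses the DACL of an SDDL string and lists every non-administrator principal with write or clear rights. The two SDDL strings are constructed for illustration and are not the real descriptor of the Internet Explorer log; the access-mask bits (read 0x1, write 0x2, clear 0x4) are the documented event-log rights used in a log's CustomSD registry value. Feed it whatever descriptor you pull from a log's registry key to see who the log is open to.

```python
"""List non-admin principals that an event-log security descriptor lets write to or clear a log."""
import re

# Event-log access-mask bits as used in a log's CustomSD value: read, write, clear.
ELF_LOGFILE_READ = 0x1
ELF_LOGFILE_WRITE = 0x2
ELF_LOGFILE_CLEAR = 0x4

# Principals expected to hold write/clear rights on a log (Builtin Administrators, Local System).
PRIVILEGED = {"BA", "SY"}

# One access-allowed (A) or access-denied (D) ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((?P<type>A|D);(?P<flags>[A-Z]*);(?P<rights>[^;]*);;;(?P<sid>[^)]+)\)")


def _dacl(sddl: str) -> str:
    """Return the DACL part ("D:...") of an SDDL string, excluding any trailing SACL ("S:...")."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    body = sddl[start + 2:]
    end = body.find("S:")
    return body if end < 0 else body[:end]


def effective_rights(sddl: str) -> dict:
    """Map each principal in the DACL to its effective event-log mask.

    Simplification: deny ACEs for a principal strip those bits from that principal's
    allow ACEs. Windows also evaluates group membership and ACE order, so treat
    this as a triage aid rather than an access-check oracle.
    """
    allowed, denied = {}, {}
    for m in ACE_RE.finditer(_dacl(sddl)):
        rights = m.group("rights")
        if not rights.lower().startswith("0x"):
            raise ValueError(f"non-hex rights string not supported: {rights!r}")
        mask = int(rights, 16) & (ELF_LOGFILE_READ | ELF_LOGFILE_WRITE | ELF_LOGFILE_CLEAR)
        target = allowed if m.group("type") == "A" else denied
        target[m.group("sid")] = target.get(m.group("sid"), 0) | mask
    return {sid: allowed.get(sid, 0) & ~denied.get(sid, 0) for sid in allowed}


def non_admin_writers(sddl: str) -> dict:
    """Return {principal: mask} for every non-privileged principal that can write or clear the log."""
    return {
        sid: mask
        for sid, mask in effective_rights(sddl).items()
        if sid not in PRIVILEGED and mask & (ELF_LOGFILE_WRITE | ELF_LOGFILE_CLEAR)
    }


# Constructed descriptors for illustration; not the actual CustomSD of any Windows log.
# AU = Authenticated Users, IU = Interactive Users.
PERMISSIVE_SDDL = "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SY)(A;;0x3;;;AU)(A;;0x3;;;IU)"
HARDENED_SDDL = "O:BAG:SYD:(D;;0x6;;;AU)(A;;0x7;;;BA)(A;;0x7;;;SY)(A;;0x3;;;AU)(A;;0x1;;;IU)"

if __name__ == "__main__":
    for label, sddl in (("permissive", PERMISSIVE_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, non_admin_writers(sddl) or "no non-admin write/clear rights")
```

On the permissive descriptor the helper reports Authenticated Users and Interactive Users with mask 0x3 (read plus write), which is exactly the foothold the two exploits need; on the hardened one the explicit deny on 0x6 leaves Authenticated Users with read only and nothing is reported.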

The first issue is an improper input validation bug in ElfClearELFW, a function that lets remote administrators clear and back up event logs; the Event Log process crashes when the backup file parameter is NULL.

An attacker can call OpenEventLog for the Internet Explorer Event Log and then call the vulnerable function with a NULL parameter, which crashes the Event Log service on the victim machine.

By default, the Event Log service is restarted twice after a crash, after which it stays down for 24 hours; every security service that relies on it is affected during that time, and attackers could use known, normally noisy exploits without the corresponding alerts being triggered, Varonis notes.

“Security control products, in some cases, attach themselves to the service! This means that when it crashes for good, the product will also crash and burn alongside it,” Varonis explains.
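The defensive signal a SOC actually has for this is the Service Control Manager's record of the Event Log service terminating unexpectedly. The Python below is an added example, not Varonis's code, that groups such crashes per host and escalates when they cluster the way a LogCrusher run would produce. The records are constructed to resemble System-log event 7031 ("service terminated unexpectedly", corrective action: restart) and their shape is an assumption; the two-restart limit mirrors the default recovery behaviour described above. One caveat the code builds in: the crash that finally takes the service down is logged by the service that just died, so it may not appear until the service returns, which is why two crashes in a short window are already treated as critical.

```python
"""Flag hosts whose Windows Event Log service crashed repeatedly, as a LogCrusher run would cause."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Service Control Manager event 7031 entries from the
# System log. Assumed field layout; a real pipeline would map these from forwarded events.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2022-10-20T09:00:05", "id": 7031, "service": "Windows Event Log"},
    {"host": "ws01", "time": "2022-10-20T09:01:10", "id": 7031, "service": "Windows Event Log"},
    {"host": "ws01", "time": "2022-10-20T09:02:20", "id": 7031, "service": "Windows Event Log"},
    {"host": "ws02", "time": "2022-10-20T09:00:00", "id": 7031, "service": "Print Spooler"},
    {"host": "ws03", "time": "2022-10-20T08:00:00", "id": 7031, "service": "Windows Event Log"},
    {"host": "ws03", "time": "2022-10-20T13:30:00", "id": 7031, "service": "Windows Event Log"},
]

# Default recovery assumed from the article: two automatic restarts, then the service stays down.
MAX_AUTOMATIC_RESTARTS = 2


def eventlog_crashes(events, window=timedelta(minutes=10)):
    """Group unexpected Event Log terminations per host and assign a severity.

    Returns {host: {"count", "burst", "severity"}} for every host with at least one crash.
    "burst" is the largest number of crashes that fit inside one sliding window.
    Any crash is "high"; a burst reaching the automatic restart limit is "critical",
    because the next (third) crash leaves the host without logging and is itself
    unlikely to be recorded until the service comes back.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["id"] == 7031 and e["service"] == "Windows Event Log":
            per_host[e["host"]].append(datetime.fromisoformat(e["time"]))

    findings = {}
    for host, times in per_host.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # two-pointer sweep over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        severity = "critical" if best >= MAX_AUTOMATIC_RESTARTS else "high"
        findings[host] = {"count": len(times), "burst": best, "severity": severity}
    return findings


if __name__ == "__main__":
    for host, f in sorted(eventlog_crashes(SAMPLE_EVENTS).items()):
        print(f"{host}: {f['count']} crash(es), burst {f['burst']}, severity {f['severity']}")
```

On the sample data ws01 (three crashes in about two minutes) comes out critical, ws03 (two crashes hours apart) comes out high, and ws02's unrelated Print Spooler crash is ignored. Pair this with a heartbeat from your log forwarder: when 7031 events stop arriving entirely, the absence is the alert.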

The second exploit targets a flaw in the BackupEventLogW function and could lead to a permanent DoS condition on any Windows machine, Varonis says.

The vulnerability can be exploited by any user with write access to a folder on the remote machine, since that is where the backup file is written.

To exploit the vulnerability, an attacker holding a handle to the Internet Explorer Event Log on the victim machine writes arbitrary entries to the log and then repeatedly backs it up to a writable folder on that machine until the disk is full and Windows can no longer write its pagefile, causing a DoS.

Microsoft addressed these issues with its October 2022 Patch Tuesday updates by changing the default permissions so that the Internet Explorer Event Log can be accessed remotely only by local administrators.

“While this addresses this particular set of Internet Explorer Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks,” Varonis says.

Related: Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Related: Microsoft Makes Windows Autopatch Generally Available

Related: Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
