Windows systems threatened by Microsoft log flaws

Two recently discovered vulnerabilities impact a specific Internet Explorer event log present on operating systems prior to Windows 11.

A pair of newly discovered vulnerabilities highlighted the ongoing risks posed by the deep integration of Internet Explorer (IE) into the Windows ecosystem, despite Microsoft ending support for IE in June 2022. Discovered by the Varonis Threat Labs team, the exploits affect an IE-specific event log that is present on all current Windows operating systems up to, but not including, Windows 11. The flaws, dubbed LogCrusher and OverLog by researchers, have been reported to Microsoft, which released a partial patch on October 11, 2022. Teams are advised to patch systems and monitor suspicious activity to mitigate security risks, including event log crashes and remote denial of service (DoS) attacks.

In a Varonis Threat Labs blog post, security researcher Dolev Taler wrote that LogCrusher and OverLog both use features of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allows remote manipulation of a machine's event logs. A Windows API function (OpenEventLogW) lets a user open a handle to a specific event log on a local or remote machine; it is useful for services that use it to read, write, and clear the event logs of remote machines without needing to connect to those machines manually, the researcher added. “By default, low-privilege non-administrator users cannot obtain handles for event logs from other machines. The only exception to this is Internet Explorer’s Legacy Log – which exists in every version of Windows and has its own security descriptor that overrides the default permissions,” the blog states.

LogCrusher blocks the Event Log application from Windows machines

The LogCrusher exploit is an ElfClearELFW logic bug that allows any domain user to remotely crash the Event Log application of any Windows machine in the domain, Varonis Threat Labs said. “Unfortunately, the ElfClearELFW function has an incorrect input validation bug. It expects the BackupFileName structure to be initialized with a null value, but when the pointer to the structure is NULL, the process crashes,” Dolev Taler wrote. By default, the Event Log service will try to restart itself two more times, but after the third crash it stays down for 24 hours. Many security controls rely on the normal operation of the Event Log service; when it crashes, those controls go blind, connected security products can stop working, and attackers can use exploits or attacks that would normally be detected with impunity, since the corresponding alerts never trigger, the blog continues.

The OverLog vulnerability (CVE-2022-37981) can be used to exploit the BackupEventLogW function and launch a remote DoS attack by filling up hard drive space on any Windows machine in the domain, Dolev Taler said. “The bug here is even simpler, and although it says in the documentation that the backup user must have the SE_BACKUP_NAME privilege, the code doesn’t validate it – so every user can back up files to a remote machine as long as he has write access to a folder on that machine,” he wrote. He also provided an example attack timeline:

1/ Obtaining a handle to the Internet Explorer event log on the victim machine;
2/ Writing arbitrary entries to the event log (random strings of different lengths);
3/ Backing up the log to a writable folder on the machine (example: “c:\windows\tasks”), to which every domain user has write permission by default;
4/ Repeating the backup process until the hard drive is full and the computer stops working;
5/ The victim machine can no longer write its virtual memory swap file, which makes it unusable.
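The attack timeline above points to three host-side symptoms a defender can watch for without any knowledge of the attacker: the Event Log service going down (LogCrusher), .evt backup files accumulating in a world-writable folder, and the system drive filling up (OverLog). The following PowerShell script is an added example written for this article; it is not code from Varonis Threat Labs or Microsoft. It assumes it is run with local administrator rights on the monitored Windows host, and the watched folder, file-size threshold and free-space threshold are arbitrary values chosen for the example.

```powershell
# Added defender-side health check (example code, not from the Varonis post or Microsoft).
# Assumptions: run as a local administrator on the monitored host; thresholds below are
# arbitrary example values and should be tuned to the environment.

$WatchFolder    = 'C:\Windows\Tasks'   # world-writable folder named in the article
$MaxBackupMB    = 100                  # alert if backup-like files exceed this total
$MinFreePercent = 10                   # alert if the system drive drops below this

$findings = @()

# 1. Event Log service health. The LogCrusher crash stops the service, and after the
#    third crash it stays down for 24 hours, so a non-running state is a loud signal.
$svc = Get-Service -Name 'EventLog'
if ($svc.Status -ne 'Running') {
    $findings += "Event Log service is $($svc.Status); tooling that reads event logs is blind."
}

# 2. Unexpected event log backups in a folder every domain user can write to.
#    BackupEventLogW writes .evt files; a growing pile of them here matches the OverLog pattern.
$backups = Get-ChildItem -Path $WatchFolder -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Extension -in '.evt', '.evtx' }
$totalBytes = ($backups | Measure-Object -Property Length -Sum).Sum
$totalMB    = [math]::Round(($totalBytes / 1MB), 2)
if ($backups.Count -gt 0) {
    $findings += "$($backups.Count) event log backup file(s) totalling $totalMB MB in $WatchFolder."
    if ($totalMB -gt $MaxBackupMB) {
        $findings += "Backup volume exceeds $MaxBackupMB MB; possible disk-filling attempt."
    }
}

# 3. Free space on the system drive, the resource OverLog exhausts.
$sys     = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
$freePct = [math]::Round(100 * $sys.Free / ($sys.Used + $sys.Free), 1)
if ($freePct -lt $MinFreePercent) {
    $findings += "System drive has only $freePct% free space."
}

# 4. Report. Exit code 1 lets a scheduled task or monitoring agent pick up the result.
if ($findings.Count -eq 0) {
    Write-Output "OK: Event Log running, no stray backups in $WatchFolder, $freePct% free."
    exit 0
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on a schedule (for example every few minutes as a scheduled task) and forward the warnings to a channel that does not depend on the local Event Log service, since that service is exactly what LogCrusher takes down. The folder check is a heuristic: legitimate backups can land in the same place, so treat a hit as something to investigate rather than as proof of an attack.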

Fix reduces risk, teams urged to monitor suspicious activity

Microsoft chose not to fully patch the LogCrusher vulnerability on Windows 10 (newer operating systems are unaffected), according to Dolev Taler. “According to Microsoft’s Tuesday, October 11, 2022 update, the default permissions setting that allowed non-administrative users to access the Internet Explorer event log on remote machines has been limited to local administrators, which greatly reduces the risk of harm,” he added. However, while this fixes this particular set of IE event log exploits, there is still potential for other user-accessible application event logs to be exploited in similar attacks, Taler warned. Therefore, the patch released by the Redmond firm must be applied to all potentially vulnerable systems, and security teams must monitor for suspicious activity, he concluded.