Microsoft Event Log vulnerabilities threaten some Windows operating systems

A pair of newly discovered vulnerabilities have highlighted the ongoing risks posed by Internet Explorer’s (IE) deep integration into the Windows ecosystem, despite Microsoft ending support for IE in June 2022.

Discovered by the Varonis Threat Labs team, the exploits affect an IE-specific Event Log that is present on all current Windows operating systems up to, but not including, Windows 11. The vulnerabilities, dubbed LogCrusher and OverLog by the researchers, have been reported to Microsoft, which released a partial patch on October 11, 2022. Teams are urged to patch systems and monitor suspicious activity to mitigate security risks which include event log crashing and remote denial-of-service (DoS) attacks.

Exploits affect functions of Microsoft Event Log Remoting Protocol

In a Varonis Threat Labs blog posting, security researcher Dolev Taler wrote that both LogCrusher and OverLog use functions of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allows for remote manipulation of a machine’s event logs. A Windows API function (OpenEventLogW) allows a user to open a handle for a specific event log on a local or remote machine and is useful for services that can use it to read, write, and clear event logs for remote machines without the need to connect manually to the machines themselves, the researcher added.

“By default, low-privilege, non-administrative users cannot get a handle for event logs of other machines. The one exception to this is the legacy Internet Explorer log – which exists in every Windows version and has its own security descriptor that overrides the default permissions,” the blog read.

LogCrusher crashes Event Log application of Windows machines

The LogCrusher exploit is an ElfClearELFW logic bug that allows any domain user to remotely crash the Event Log application of any Windows machine on the domain, Varonis Threat Labs stated. “Unfortunately, the ElfClearELFW function has an improper input validation bug. It expects that the BackupFileName structure will be initialized with a zero value, but when the pointer to the structure is NULL, the process crashes,” Dolev wrote. By default, the Event Log service will try to restart itself two more times, but on the third time it will stay down for 24 hours. Many security controls rely on the normal operation of the Event Log service, and the impact of the crashing means that security controls can become blind, attached security control products can stop working and attackers can use any type of usually detected exploit or attack with impunity as many alerts won’t trigger, the blog continued.

OverLog can be used to launch remote DoS attacks on Windows machines

The OverLog vulnerability (CVE-2022-37981) can be used to exploit the BackupEventLogW function and launch a remote DoS attack by filling the hard drive space of any Windows machine on the domain, Taler stated. “The bug here is even more simple, and although it says in the documentation that the backup user needs to have SE_BACKUP_NAME privilege, the code does not validate it – so every user can backup files to a remote machine if they have write access to a folder on that machine,” he wrote. He also provided the following attack flow example:

1. Get a handle to the Internet Explorer Event Log on the victim machine
2. Write some arbitrary logs to the Event Log (random strings; different lengths)
3. Back up the log to a writeable folder on the machine (example: “c:windowstasks”) that every domain user has write permission to by default
4. Repeat the backup process until the hard drive is full and the computer ceases operation
5. Victim machine is unable to write “pagefile” (virtual memory), rendering it unusable

Patch reduces risks, teams urged to monitor suspicious activity

Microsoft has opted not to fully fix the LogCrusher vulnerability on Windows 10 (more recent operating systems are unaffected), according to Taler. “As of Microsoft’s Oct. 11, 2022 Patch Tuesday update, the default permissions setting that had allowed non-administrative users access to the Internet Explorer Event Log on remote machines has been restricted to local administrators, greatly reducing the potential for harm,” he added. However, while this addresses this particular set of IE Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks, Taler warned. Therefore, the Microsoft-applied patch should be applied to all potentially vulnerable systems and security teams should monitor for suspicious activity, he concluded.

Speaking to CSO, Tope Olufon, Senior Analyst at Forrester, says, “While this vulnerability should be patched, I would not classify the situation as high risk at this time. It requires a user account, and if that has been compromised, you will likely have bigger problems. Also, a patch has already been released (an administrator account is now needed for compromise, same point as above). Recommendations here are to install the Microsoft patch and monitor unusual write activity on crown jewels. Looking ahead, this is one of many vulnerabilities that will be discovered as Internet Explorer goes into extinction.”