Security researchers at Varonis Threat Labs have uncovered two Windows vulnerabilities that can blind security software and take machines down via denial-of-service (DoS) attacks. LogCrusher and OverLog exploit the Internet Explorer-specific MS-EVEN event log, which is present on all current Windows operating systems, regardless of whether the browser was or is used. While OverLog has since been fixed, Microsoft recently issued only a partial patch for LogCrusher. Cybercriminals can therefore still carry out attacks if they gain administrator access to the victim's network.
The Microsoft Event Log Remoting Protocol
The LogCrusher and OverLog exploits use features of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allows remote manipulation of a computer's event logs. OpenEventLogW is a Windows API function that allows a user to open a handle to a specific event log on a local or remote machine. This feature is useful for services that can use it to read, write, and clear event logs for remote computers without requiring a manual connection to the computers themselves.
By default, low-privileged users who are not administrators cannot access the event logs of other computers. The only exception is the old Internet Explorer log, which is present in every version of Windows and has its own security descriptor that overrides the default permissions. This ACL allows any user to read and write the log. Thus, any domain user can obtain a handle to this log on any Windows machine in the domain. This forms the basis for the two exploits.
LogCrusher enables any domain user to remotely crash the event log service of any Windows machine in the domain. To do this, the OpenEventLog function is called for the IE event log on the victim machine:
Handle = OpenEventLog(<victim computer>, "internet explorer")
The ElfClearELFW function is then called with the returned handle and NULL as the BackupFileName parameter: ElfClearELFW(Handle, NULL). This alone crashes the event log on the victim machine.
By default, the event log service tries to restart itself two more times; after the third crash it stays down for 24 hours. Many security controls depend on the normal operation of the event log service and are correspondingly blind without logs. Some security solutions are also directly connected to the service.
When it fails, the security software also crashes and consequently can no longer trigger alerts. This allows cybercriminals to carry out attacks that would normally be detected.
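The restart behaviour described above gives defenders a concrete signal to hunt for: repeated unexpected terminations of the Windows Event Log service within the 24-hour reset window. The following is an added example, not code from the article or from Varonis, that runs that detection over constructed Service Control Manager records. It assumes that event ID 7034 ("service terminated unexpectedly") entries for the service are available once the service has come back up, and that the records have been exported into dicts with the `time`, `id` and `service` fields shown (hypothetical field names, not a real export format).

```python
from datetime import datetime, timedelta

EVENTLOG_SERVICE = "Windows Event Log"
SCM_UNEXPECTED_STOP = 7034            # Service Control Manager: service terminated unexpectedly
RESET_PERIOD = timedelta(hours=24)    # window after which, per the article, the restart count resets
RESTART_ATTEMPTS = 2                  # the article: the service restarts itself two more times, then stays down

# Constructed sample records (not a real export): the fields an analyst would pull from
# System-log events of the Service Control Manager.
SAMPLE_EVENTS = [
    {"time": "2022-10-12T09:00:00", "id": 7034, "service": "Print Spooler"},
    {"time": "2022-10-12T09:05:00", "id": 7034, "service": EVENTLOG_SERVICE},
    {"time": "2022-10-12T09:06:00", "id": 7036, "service": EVENTLOG_SERVICE},  # state change, not a crash
    {"time": "2022-10-12T09:09:00", "id": 7034, "service": EVENTLOG_SERVICE},
    {"time": "2022-10-12T09:12:00", "id": 7034, "service": EVENTLOG_SERVICE},
    {"time": "2022-10-14T10:00:00", "id": 7034, "service": EVENTLOG_SERVICE},  # outside the window: count resets
]


def eventlog_crash_times(events):
    """Timestamps of unexpected Event Log service terminations, oldest first."""
    return sorted(
        datetime.fromisoformat(e["time"])
        for e in events
        if e["id"] == SCM_UNEXPECTED_STOP and e["service"] == EVENTLOG_SERVICE
    )


def crash_alerts(events, window=RESET_PERIOD, attempts=RESTART_ATTEMPTS):
    """For every crash, report how many crashes fell inside `window` ending at that crash
    and whether the automatic restart budget is exhausted (i.e. logging is now down).
    Returns a list of dicts; a caller alerts on any entry and escalates on exhausted=True."""
    times = eventlog_crash_times(events)
    alerts = []
    for i, t in enumerate(times):
        # sliding window: only crashes within `window` before (and including) this one count
        crashes_in_window = sum(1 for u in times[: i + 1] if t - u < window)
        alerts.append({
            "time": t.isoformat(),
            "crashes_in_window": crashes_in_window,
            "exhausted": crashes_in_window > attempts,
        })
    return alerts


if __name__ == "__main__":
    for a in crash_alerts(SAMPLE_EVENTS):
        state = "restart budget exhausted, logging is DOWN" if a["exhausted"] else "service restarted"
        print(f"{a['time']}: crash #{a['crashes_in_window']} in window; {state}")
```

Because the first crash already blinds any control that depends on the log, a sensible policy alerts on the first entry and pages on `exhausted`; the window and attempt count are parameters so they can be matched to the service's actual failure-action settings on the host.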
The exploit makes use of a bug in the ElfClearELFW function, which was already reported to Microsoft two years ago by the security researcher "limbenjamin". However, at the time it was not possible to exploit the vulnerability from a normal, non-administrative user account (and Internet Explorer), so the impact was unclear and Microsoft decided not to patch the vulnerability.
Using OverLog, denial-of-service (DoS) attacks can be carried out by filling up the disk space of any Windows machine in the domain. The attack proceeds as follows: The attackers gain access to the Internet Explorer event log on the victim machine (as with LogCrusher), then write some arbitrary logs to the event log (random strings of varying lengths), and then store it on a machine to which every domain user has write permission by default.
This process is repeated until the hard drive is full and the computer stops operating. In the process, the victim is unable to write to the swap file (virtual memory), rendering the system inoperable.
Colleagues at Bleeping Computer have reported here that threat actors are now hiding malware in Windows Event Logs.
Reaction and recommendations from Microsoft
Microsoft has chosen not to fully patch the LogCrusher vulnerability on Windows 10 (newer operating systems are not affected), unlike the OverLog vulnerability, which has been fully fixed.
Microsoft's October 11, 2022 Patch Tuesday update restricted remote access to the Internet Explorer event log, which by default had been open to non-administrative users, to local administrators, significantly reducing the potential for damage.
However, if cybercriminals succeed in gaining administrator access to the victim's network, LogCrusher attacks are still possible. In addition, there is still a possibility that other event logs from applications that users can access could be similarly abused for attacks.
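The root cause in both the Internet Explorer log and any other application log that could be abused the same way is a channel security descriptor that grants write or clear access to broad principals. The following is an added example, not code from the article or from Varonis, that audits event-log security descriptors in SDDL form for exactly that condition. It assumes the descriptors have already been collected from the hosts, for example from the `SecurityDescriptor` property of `Get-WinEvent -ListLog` or the channelAccess line of `wevtutil gl`, and fed in as a name-to-SDDL mapping; the access-mask bits (0x1 read, 0x2 write, 0x4 clear) are the documented event-log bits, while the list of principals treated as "any user", the generic-rights mapping and the two sample descriptors are this example's own constructed assumptions.

```python
import re

# Event-log channel access-mask bits (the documented bits for event log security descriptors).
EVENTLOG_READ, EVENTLOG_WRITE, EVENTLOG_CLEAR = 0x1, 0x2, 0x4

# Generic rights that may appear in an SDDL rights string, mapped onto the event-log bits
# (assumption: GA grants everything, GW grants write, GR grants read).
GENERIC_RIGHTS = {
    "GA": EVENTLOG_READ | EVENTLOG_WRITE | EVENTLOG_CLEAR,
    "GW": EVENTLOG_WRITE,
    "GR": EVENTLOG_READ,
}

# SID aliases treated as "any user" (assumption: this list defines what counts as broad).
BROAD_PRINCIPALS = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive Users",
    "BU": "Builtin Users", "DU": "Domain Users", "AN": "Anonymous",
}


def parse_dacl(sddl):
    """Split the D: component of an SDDL string into (ace_type, access_mask, sid) triples."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:
            # a rights string is a concatenation of two-letter tokens, e.g. "GRGW"
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= GENERIC_RIGHTS.get(rights[i:i + 2], 0)
        aces.append((ace_type, mask, sid))
    return aces


def principal_name(sid):
    """Display name if the SID denotes a broad (non-administrative) principal, else None."""
    if sid in BROAD_PRINCIPALS:
        return BROAD_PRINCIPALS[sid]
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):
        return "Domain Users"  # RID 513 is Domain Users in every domain
    return None


def audit_log_sddl(sddl):
    """Findings: allow ACEs that give write or clear access to a broad principal."""
    findings = []
    for ace_type, mask, sid in parse_dacl(sddl):
        if ace_type != "A":
            continue  # only access-allowed ACEs grant rights; deny/audit ACEs are ignored here
        name = principal_name(sid)
        if name is None:
            continue
        rights = [n for n, bit in (("write", EVENTLOG_WRITE), ("clear", EVENTLOG_CLEAR)) if mask & bit]
        if rights:
            findings.append({"sid": sid, "principal": name, "rights": rights})
    return findings


def audit_logs(logs):
    """logs: {log name: SDDL}. Return only the logs that have findings."""
    return {name: f for name, sddl in logs.items() if (f := audit_log_sddl(sddl))}


# Constructed sample descriptors (not the real ones from any Windows build): the first models
# the pre-patch condition the article describes (any user may read, write and clear the log),
# the second a log where only SYSTEM and Administrators may write and authenticated users may read.
SAMPLE_LOGS = {
    "Internet Explorer": "O:BAG:SYD:(A;;0x7;;;WD)",
    "Application": "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;AU)",
}

if __name__ == "__main__":
    for log, findings in audit_logs(SAMPLE_LOGS).items():
        for f in findings:
            print(f"{log}: {f['principal']} ({f['sid']}) may {' and '.join(f['rights'])}")
```

Run across every channel on a host rather than only the Internet Explorer log, this is the check that answers the article's open question of whether other application logs are similarly exposed; a finding of write or clear for Everyone, Authenticated Users or Domain Users on a log is the condition that should be tightened, since the patch only changes the default for the one log.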
Therefore, all Windows users should install the patch provided by Microsoft and monitor any suspicious activity. More technical details and information can be found in the related Varonis blog post.