Windows "EventLogCrasher" 0-day vulnerability crashes event logging; 0patch micro-patch available

Windows[German]On January 23, 2024, a vulnerability became known that could cause event logging under Windows to crash. The vulnerability, known as EventLogCrasher, can also be exploited remotely in Windows clients and Windows servers and there is still no patch from Microsoft. However, the founder of ACROS-Security contacted me last night because he has provided a micro-patch for his 0patch agent for all affected Windows versions. The solution is free for all Windows users. Here is some information.


Windows "EventLogCrasher" 0-day vulnerability

On January 23, 2024, security researcher Florian published notes and a proof of concept on a vulnerability (see the following tweet) that allows any authenticated user in a Windows environment (including in a Windows domain) to crash the Windows event log service either locally or on any remote computer. From this point on, no more events would be recorded, ideal conditions for disguising an attack.

Windows "EventLogCrasher"

Florian contacted Microsoft and reported this bug, but received feedback from the MSRC that the vulnerability did not meet the requirements for a patch (referred to as maintenance). In addition, the Microsoft security team stated that the reported bug was a "duplicate of another bug from 2022 that did not meet the requirements for maintenance." This prompted Florian to publish a proof of concept (PoC) on GitHub for the EventLogCrasher.

The PoC exploit is quite simple: a single call to RegisterEventSourceW is enough to retrieve a handle to an event log on the specified computer. With appropriate manipulations of the in-memory structure, the PoC exploit causes the receiving event log service to crash via a null pointer dereference. The attack only takes one second and works reliably.

Windows has a possibility to restart a crashed event log service – but this will be done only 3 times, as some readers reported within my German blog.

0patch micro-patch as a fix

Mitja Kolsek pointed me to his following tweet and the 0patch post The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It  in a direct message the other night.


"EventLogCrasher" 0patch Micro Patch

The bug probably affects all Windows systems from Windows 7 to Windows 11 as well as the corresponding server counterparts. Mitja Kolsek has investigated the whole thing and writes that the security and system events are not lost because they are stored in an internal queue. Windows then regularly attempts to log all events in the queue until this is finally successful.

Details of the problem

The event queue, which is probably located in memory, is saved to disk when the system is properly shut down or restarted, and is read back in when the system is restarted. As soon as the event log service is running again, the queue is emptied into the corresponding logs, but with the correct time stamps. However, if an attacker succeeds in crashing the system via a blue screen, these events are lost in the queue.

So far, ACROS Security developers have found that an attacker with low privileges can crash the event log service on both the local computer and any other Windows computer on the network that they can authenticate to. In a Windows domain, this means all domain computers, including domain controllers. The Windows firewall can't prevent this either, Kolsek writes, because the attack occurs via a named pipe (i.e. the SMB protocol).

Micro-patch available free of charge for all

Mitja Kolsek writes that the micro-patch developed for the above vulnerability, like all 0day patches, is free and will remain so until Microsoft provides an official patch for it. All users need to do to apply the patch is to register a 0patch account and install the 0patch agent on their Windows system.

I won't go into the details here. ACROS Security is no stranger to blog readers (see the following links). They analyze vulnerabilities and provide micropatches to close the security gaps. The micropatches are loaded into memory at runtime via the 0patch agent and ensure that the vulnerabilities can no longer be exploited. You can find information on how the 0patch agent works, which loads the micropatches into the memory of an application at runtime, in the blog posts (such as this one).

Similar articles
Wow! Windows 7 get extended support until January 2023
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Free Extended Update Support and usage

Windows 7: Securing with the 0patch solution – Part 2 – Teil 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial

0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows
0patch fixes ms-officecmd RCE vulnerability in Windows
0patch fixes RemotePotato0 vulnerability in Windows
0patch fixes again vulnerability CVE-2021-34484 in Windows 10/Server 2019
0Patch fixes vulnerabilities (CVE-2022-26809 and CVE-2022-22019) in Windows
Windows MSDT 0-day vulnerability "DogWalk" receives 0patch fix
0patch fixes all known and exploitable Windows NTLM/Kerberos vulnerabilities
0patch fixes Memory Corruption vulnerability (CVE-2022-35742) in Microsoft Outlook 2010

Windows 7/Server 2008 R2 receive 0patch micropatches in 2023 and 2024
Windows: 0Patch Micropatch for MOTOW ZIP file bug (0-day, no CVE)
Windows: 0Patch micropatch for MotW bypassing 0-day (no CVE)
0patch secures Microsoft Edge for Windows 7/Server 2008/2012/R2 until Jan. 2025
0patch Micropatches for Microsoft Office security feature bypass (CVE-2023-33150)

Cookies helps to fund this blog: Cookie settings

This entry was posted in issue, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *