
Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog
2022-10-25 12:46

The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the EventLog Remoting Protocol, which enables remote access to event logs.

While the former allows "any domain user to remotely crash the Event Log application of any Windows machine," OverLog causes a DoS by "filling the hard drive space of any Windows machine on the domain," Dolev Taler said in a report shared with The Hacker News.

The issues, according to Varonis, bank on the fact that an attacker can obtain a handle to the legacy Internet Explorer log, effectively setting the stage for attacks that leverage the handle to crash the Event Log on the victim machine and even induce a DoS condition.

The DoS is achieved by combining that handle with another flaw in a log backup function to repeatedly back up arbitrary logs to a writable folder on the targeted host until the hard drive is full.

Microsoft has since remediated the OverLog flaw by restricting access to the Internet Explorer Event Log to local administrators, thereby reducing the potential for misuse.

"While this addresses this particular set of Internet Explorer Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks," Taler said.
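The remaining exposure Taler describes can be audited by checking which event log access descriptors still grant rights to non-administrative groups. The following is an added example, not code from Varonis or Microsoft: it parses SDDL strings (assumed to be collected per log, for instance from the `channelAccess` field printed by `wevtutil gl <log>`) and reports allow ACEs for broad groups. The log names and SDDL values are constructed, and the set of groups treated as broad is an assumption.

```python
import re

# Event log access bits: read, write, clear.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# Assumption: SDDL aliases and SIDs that include ordinary (non-admin) domain users.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
    "NU": "Network logon", "S-1-5-2": "Network logon",
    "DU": "Domain Users",
}

DACL = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")
# Fields: ace_type;flags;rights;object_guid;inherit_guid;sid
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")


def broad_aces(sddl):
    """Return [(principal, [rights])] for allow ACEs granted to broad groups."""
    dacl = DACL.search(sddl)
    if not dacl:
        return []
    found = []
    for ace_type, rights, sid in ACE.findall(dacl.group(1)):
        if ace_type != "A" or sid not in BROAD:
            continue  # skip deny/audit ACEs and admin or service principals
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            names = [n for bit, n in RIGHTS.items() if mask & bit]
        else:
            names = ["unparsed:" + rights]  # symbolic rights: review by hand
        found.append((BROAD[sid], names))
    return found


def audit(channels):
    """Map log name -> findings, keeping only logs with broad access."""
    report = {name: broad_aces(sddl) for name, sddl in channels.items()}
    return {name: aces for name, aces in report.items() if aces}


# Constructed sample input: hypothetical log names and descriptors.
SAMPLE = {
    "LegacyAppLog": "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SY)(A;;0x7;;;WD)",
    "HardenedLog": "O:BAG:SYD:(A;;0x7;;;BA)(A;;0xf0007;;;SY)",
    "MixedLog": "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x3;;;AU)(D;;0x4;;;S-1-5-32-545)",
}
```

Calling `audit(SAMPLE)` returns only the logs that need review; a log restricted to administrators and SYSTEM, as in the fix described above, produces no finding.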


News URL

https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html