Two recently discovered vulnerabilities affect a specific Internet Explorer event log found on operating systems prior to Windows 11.
A pair of recently discovered vulnerabilities highlighted the ongoing risks posed by the deep integration of Internet Explorer (IE) into the Windows ecosystem, despite Microsoft ending support for IE in June 2022. Discovered by the Varonis Threat Labs team, the exploits affect an IE – specific event log present on all current Windows operating systems up to, but not including, Windows 11. The bugs, called LogCrusher and OverLog by researchers, have been reported to Microsoft, which released a partial patch on October 11, 2022. Teams are advised to patch systems and monitor suspicious activity to mitigate security risks, including event log crashes and Remote Denial of Service (DoS) attacks.
In a Varonis Threat Labs blog post, security researcher Dolev Taler wrote that LogCrusher and OverLog both use features of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allow remote manipulation of event logs on a machine. A Windows API function (OpenEventLogW) allows a user to open a handle to a specific event log on a local or remote machine and is useful for services that can use it to read, write, and clear event logs. events for remote machines without the need to manually connect to the machines themselves, the researcher added. “By default, low-privileged non-administrator users cannot get handles to event logs from other machines. The only exception to this is Internet Explorer’s Legacy Log – which is present in all versions of Windows and has its own security descriptor that overrides the default permissions,” it says in the blog.
LogCrusher blocks the Event Log application from Windows machines
The LogCrusher exploit is an ElfClearELFW logic flaw that allows any domain user to remotely control the Event Log application on any Windows machine in the domain, Varonis Threat Labs said. “Unfortunately, the ElfClearELFW function has an incorrect input validation error. It expects the BackupFileName structure to be initialized with a null value, but when the pointer to the structure is NULL, the process crashes,” wrote Dolev Taler. By default, the event log service will try to restart itself two more times, but the third time it will be inactive for 24 hours.Many security controls rely on the normal operation of the event log service, and the impact of the crash means that security controls can go blind, connected security control products can stop working, and attackers can use any type of exploit or attack that would normally be detected with impunity, as many alarms don’t go off, the blog continues.
The OverLog vulnerability (CVE-2022-37981) can be used to exploit the BackupEventLogW feature and launch a remote DoS attack by filling hard disk space on any Windows machine in the domain, Dolev Taler said. “The bug here is even simpler, and even though the documentation says the backup user should have the SE_BACKUP_NAME privilege, the code doesn’t validate that – so each user can back up files to a remote machine and he has write access to a folder on that machine ,’ he wrote. He also provided an example attack timeline:
1/ Obtaining a descriptor from the Internet Explorer event log on the victim machine;
2/ Writing arbitrary logs to the event log (random strings; different lengths);
3/ Backing up the log in a writable folder on the machine (example: “c:windowstasks”), where each domain user has default write permission;
4/ Repeat the backup process until the hard drive is full and the computer stops working;
5/ The victim machine’s inability to write a swap file to virtual memory, rendering it unusable.
Fix reduces risk, teams encouraged to monitor suspicious activity
Microsoft chose not to fully patch the LogCrusher vulnerability on Windows 10 (newer operating systems are unaffected), according to Dolev Taler. “According to Microsoft’s update on Tuesday, October 11, 2022, the default permission settings that allowed non-administrative users to access the Internet Explorer event log on remote machines are limited to local administrators, greatly reducing the risk of harm,” he added. But while this addresses this particular set of IE event log exploits, there is still the potential for other user-accessible application event logs to be similarly exploited for attacks, Taler warned. Therefore, the patch applied by the Redmond company must be applied to all potentially vulnerable systems, and security teams must monitor suspicious activity, he concluded.