[NT] A Full Event Log Does Not Send Administrative Alerts

From: support@securiteam.com
Date: 10/17/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  A Full Event Log Does Not Send Administrative Alerts
------------------------------------------------------------------------

SUMMARY

A security vulnerability in Microsoft's Windows operating system causes it
not to inform the administrator when an Event Log has been filled (even
when it has been instructed to do so). This would allow an attacker to
hide his tracks by filling up the Event Log prior to attacking the system.

DETAILS

Affected OS:
 * Windows 2000 (server and professional) up to and including SP2
 * Windows XP Professional (no SP, the initial version only)

Solution:
Applying Windows 2000 SP3 or Windows XP SP1.

If an Event Log is configured not to overwrite itself but to stop logging
when it is full, and the PC is also configured to send administrative
alerts, these alerts are never sent when ANY Event Log type (not only the
security log) fills up. This means that no further logging is performed
until the administrator (who is unaware of the need) frees the Event Log.

Links to articles explaining how to set up administrative alerts under
Windows 2000 and XP:
 * <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243625>
   Q243625 - How to Configure Administrative Alerts in Windows 2000
 * <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310490>
   Q310490 - HOW TO: Set Up Administrative Alerts in Windows XP

Vulnerability's effect:
The problem, mostly with the security Event Log, is that the log can be
filled (either by the normal security logging of the OS, or by a malicious
attacker filling it with bogus events just to bring it to the point where
it stops logging). Once the log is full, neither malicious nor regular
security events are logged, and no administrator is aware that the log
should be cleared.

This can also be risky for the system Event Log (Eitan thinks it is the
system log type) if it cannot log the fact that a drive is almost full;
this can lead to OS / application corruption or even a crash.

No exploit programs are required; rather, any program that can fill up the
security Event Log with bogus events can help attackers.
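As an added example (not part of the original advisory), the following PowerShell check is a compensating control a defender could schedule on a host where the built-in administrative alert cannot be relied on: it lists every Event Log configured to stop logging when full and reports how close each one is to its configured maximum. It assumes Windows PowerShell with the Get-EventLog cmdlet (not present on the Windows 2000 / XP systems named above unless installed later); the 80 percent threshold and the report format are arbitrary choices.

```powershell
# Added example: report Event Logs set to "Do not overwrite events" that are
# close to their maximum size. The affected Windows versions never raise the
# administrative alert, so a scheduled run of this check stands in for it.
param([int]$WarnPercent = 80)   # assumed threshold, adjust to taste

$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

foreach ($log in Get-EventLog -List) {
    # Only logs that stop logging when full are hit by the missing alert.
    if ($log.OverflowAction -ne 'DoNotOverwrite') { continue }

    $maxBytes = $log.MaximumKilobytes * 1KB
    try {
        # The on-disk file for each log is named in its registry key (File value).
        $file = (Get-ItemProperty -Path (Join-Path $regBase $log.Log) -Name File).File
        $file = [Environment]::ExpandEnvironmentVariables($file)
        # File length approximates the space used; the file grows towards MaxSize.
        $usedBytes = (Get-Item -LiteralPath $file -ErrorAction Stop).Length
    } catch {
        # Reading the Security log file requires administrative rights.
        Write-Warning ("{0}: cannot read log file size ({1})" -f $log.Log, $_.Exception.Message)
        continue
    }

    $pct = [math]::Round(100 * $usedBytes / $maxBytes, 1)
    $full = $pct -ge $WarnPercent

    # Emit one record per log so the output can be piped to whatever
    # notification channel is in use (mail, SIEM forwarder, ticket).
    [pscustomobject]@{
        Log         = $log.Log
        UsedKB      = [int]($usedBytes / 1KB)
        MaxKB       = $log.MaximumKilobytes
        PercentFull = $pct
        Alert       = $full
    }

    if ($full) {
        Write-Warning ("Event log '{0}' is {1}% full and will stop logging when full; clear or enlarge it." -f $log.Log, $pct)
    }
}
```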

ADDITIONAL INFORMATION

The information has been provided by Eitan Caspi <mailto:eitancaspi@yahoo.com>.
