Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic)



Dear Michele Cicciotti,

--Thursday, December 21, 2006, 6:20:54 PM, you wrote to full-disclosure@xxxxxxxxxxxxxxxxx:

There is an interesting thing with event logging on Windows. The only
security aspect of it is event log record tampering and performance
degradation, but it may become sensitive if some 3rd party software is
used for automated event log analysis.

MC> I doubt this. The event logs don't contain the actual formatted
MC> string, because the template string is localized and only retrieved
MC> when the entry is displayed - what is logged is just a message id
MC> and the string inserts (see documentation for EVENTLOGRECORD).
MC> FormatMessage (which is used to build the full message to display to
MC> the user) isn't the culprit, either, because it doesn't operate
MC> recursively (that would have bizarre consequences, since

As I wrote, my message is semi-offtopic, because it's more fun than
any security vulnerability here.

Yes, probably this bug only affects Event Viewer itself. I don't
understand how and why Microsoft achieved this effect in Event Viewer,
which is, by the way, a security tool, and if it's hard for a different
vendor to make the same mistake. It doesn't look like an Easter egg, but if
FormatMessage does not recurse, it needs to be specially coded, and it
does nothing except this bug. A bug that needs to be specially coded is
a new funny bug category, isn't it?

--
~/ZARAZA
http://www.security.nnov.ru/
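
Added example, not part of the original message and not Windows or Event Viewer code: a simplified Python model of %n insert substitution, contrasting the single-pass expansion MC attributes to FormatMessage with a renderer that re-scans its own output, which is the behaviour a log-analysis tool should avoid. The template, inserts and function names are constructed for illustration.

```python
import re

# Simplified model: only %1..%99 placeholders, no other format sequences.
INSERT = re.compile(r"%(\d{1,2})")

# Constructed sample record: a message template plus its string inserts.
TEMPLATE = "Logon failed for user %1 from host %2."
INSERTS = ["guest (host %2)", "10.0.0.5"]  # insert 1 itself contains "%2"


def render_single_pass(template, inserts):
    """Substitute each %n exactly once; substituted text is never re-scanned."""
    def repl(match):
        idx = int(match.group(1)) - 1
        # Unknown insert numbers are left as literal text.
        return inserts[idx] if 0 <= idx < len(inserts) else match.group(0)
    return INSERT.sub(repl, template)


def render_rescanning(template, inserts, max_depth=8):
    """Re-scan the output until it stops changing (bounded): insert content
    is then interpreted as template syntax, which changes the message."""
    out = template
    for _ in range(max_depth):
        nxt = render_single_pass(out, inserts)
        if nxt == out:
            break
        out = nxt
    return out


def inserts_with_placeholders(inserts):
    """Return 1-based numbers of inserts that carry %n sequences, so an
    analysis tool can flag the record instead of expanding it further."""
    return [n for n, text in enumerate(inserts, start=1) if INSERT.search(text)]


if __name__ == "__main__":
    print("single pass:", render_single_pass(TEMPLATE, INSERTS))
    print("re-scanning:", render_rescanning(TEMPLATE, INSERTS))
    print("flagged inserts:", inserts_with_placeholders(INSERTS))
```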


