Re: Writing to Windows Security Log

From: Tina Bird (tbird@precision-guesswork.com)
Date: 12/05/01


Date: Wed, 5 Dec 2001 15:16:19 -0600 (CST)
From: Tina Bird <tbird@precision-guesswork.com>
To: Mr Rufus Faloofus <foofus@foofus.net>

Let me provide more details.

We all understand that one of the big problems with
UNIX syslog-the-network-protocol is that it's UDP -
not authenticated, not reliable. An evildoer who
wants to make my logs less trustworthy can easily
send bogus data to my central loghost, at a minimum
introducing nonsense into my audit stream, and at
a maximum, knocking the loghost off line.

As explained below, a Windows application or service
that registers itself with the Event Log service can
write messages to the Windows System and Application
Logs. So one way for me to introduce a roughly
equivalent source of bogus data into an Event Log stream
is to register an illegitimate application with
associated DLL with the Event Log service. I expect
that's a relatively straightforward thing to do, given
how easy it is to install back doors on Windows boxes --
although one doesn't typically write back doors with lots
of logging capabilities, it might make sense to create
a program that muddied up the logs.

However, the only things on a Windows box that can write
to the >Security< Event Log are the LSA and the Event
Log service itself, which have the SeAuditPrivilege.
This suggests that the Security Event Log has a much
higher level of assurance than anything in the off-the-shelf
UNIX world.

This conclusion startled me ;-) so I figured I'd ask this
group if anyone knew of a tool that would get around
this access restriction. Does that clarify what I'm
after?

thanks -- tbird

On Wed, 5 Dec 2001, Mr Rufus Faloofus wrote:

> At 07:26 PM 12/4/01 -0600, Tina Bird wrote:
> >Anyone out there have a tool that allows me to
> >forge Windows Security Event Log data?
>
> Depends what you mean by "forge," and what kind of access
> you have to the machine. To log an event, the Right Way is
> to register a DLL with your messages in it. It's not hard
> (see LOGEVENT.EXE from the resource kit, or section 15.2 in
> Marshall Brain's Win32 SYSTEM SERVICES: The Heart of Windows
> 95 and Windows NT [Prentice Hall PTR: NJ]: 1996), and you
> can roll your own.
>
> But these don't "forge" events, in the sense that the
> events they record are legitimate messages, and don't appear
> to come from bogus sources. So, for example, if you want
> to insert an apparent IIS message into a log (not using
> IIS), this would be hard. Also, we're assuming, so far,
> that you have NetBIOS access to the machine in question.
>
> If you want to insert arbitrary false messages into the
> files, that's complicated: the logging API doesn't permit
> it, and you'd be relegated (I think) to either finding a
> flaw in it -- like the recent discussions involving URLs
> with special characters embedded in them (but related to
> the security log, instead of the application log), or to
> programmatically editing the log files (which also is
> tricky, I bet).
>
> Does this help at all?
>
> --Foofus.

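The thread's concern is an illegitimate application registering itself, with its own message DLL, as an event source. The following PowerShell is an added example (not from the original thread or its authors) that audits the sources registered with the Event Log service on a modern Windows host and flags message DLLs that sit outside %SystemRoot% or lack a valid Authenticode signature; the registry layout is the standard EventLog service key, while the "suspicious" criteria are this example's own assumption.

```powershell
# Added example: enumerate registered event sources and flag message DLLs that
# look out of place. Run in an elevated PowerShell session on the host being checked.
function Get-SuspiciousEventSource {
    param(
        # Logs to inspect; Security is included so any custom source there stands out
        [string[]]$Logs = @('Application', 'System', 'Security')
    )
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    $sysRoot = $env:SystemRoot.TrimEnd('\')

    foreach ($log in $Logs) {
        $logKey = Join-Path $base $log
        if (-not (Test-Path -Path $logKey)) { continue }

        foreach ($srcKey in (Get-ChildItem -Path $logKey)) {
            $props = Get-ItemProperty -Path $srcKey.PSPath
            $raw   = $props.EventMessageFile
            if (-not $raw) { continue }          # source has no message DLL registered

            # A source may list several DLLs separated by ';'
            foreach ($entry in ($raw -split ';')) {
                $dll   = [Environment]::ExpandEnvironmentVariables($entry.Trim())
                $flags = @()
                # Assumption: legitimate message DLLs normally live under %SystemRoot%
                if ($dll -notlike "$sysRoot\*") { $flags += 'outside SystemRoot' }
                if (-not (Test-Path -LiteralPath $dll)) {
                    $flags += 'file missing'
                } else {
                    $sig = Get-AuthenticodeSignature -FilePath $dll
                    if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
                }
                if ($flags.Count -gt 0) {
                    [pscustomobject]@{
                        Log    = $log
                        Source = $srcKey.PSChildName
                        Dll    = $dll
                        Flags  = ($flags -join ', ')
                    }
                }
            }
        }
    }
}

# Usage: print every flagged source; an empty result means nothing matched the criteria.
Get-SuspiciousEventSource | Format-Table -AutoSize
```

Any hit under the Security log, or a source whose DLL is unsigned and outside %SystemRoot%, is worth comparing against a known-good baseline of the same keys before treating the log stream as trustworthy.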
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/