A pair of newly discovered vulnerabilities highlighted the ongoing risks posed by Internet Explorer (IE)’s deep integration into the Windows ecosystem, despite Microsoft ending support for IE in June 2022.

Discovered by the Varonis Threat Labs team, the exploits affect an IE-specific event log that is present on all current Windows operating systems up to, but not including, Windows 11. The vulnerabilities, dubbed LogCrusher and OverLog by researchers, have been reported. to Microsoft, which released a partial patch on October 11, 2022. Teams are encouraged to patch systems and Monitor Suspicious Activity to mitigate security risks, including event log crashes and denial of service attacks ( DoS) remotely.

Exploits affect Microsoft Event Log Remoting Protocol functions

In a Varonis Threat Labs blog post, security researcher Dolev Taler wrote that LogCrusher and OverLog use features of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allows remote manipulation of event logs from a Machine. A Windows API function (OpenEventLogW) allows a user to open a handle to a specific event log on a local or remote machine and is useful for services that can use it to read, write, and clear event logs. events for remote machines without the need to manually connect to the machines themselves, the researcher added.

“By default, low-privileged, non-administrative users cannot obtain handles to event logs from other machines. The only exception to this is the legacy Internet Explorer log – which exists in every version of Windows and has its own security descriptor that overrides the default permissions,” the blog post states.

LogCrusher blocks the Event Log application from Windows machines

The LogCrusher exploit is an ElfClearELFW logic bug that allows any domain user to remotely crash the Event Log application of any Windows machine in the domain, Varonis Threat Labs said. “Unfortunately, the ElfClearELFW function has an incorrect input validation bug. It expects the BackupFileName structure to be initialized with a null value, but when the pointer to the structure is NULL, the process crashes,” a writes Dolev. By default, the Event Log service will try to restart itself two more times, but the third time it will be idle for 24 hours. Many security checks rely on the normal operation of the Event Log service, and the impact of the crash means that security controls can go blind, connected security control products can stop working, and attackers can use any type of exploit or attack usually detected with impunity as many alerts do not not trigger, the blog continues.

OverLog can be used to launch remote DoS attacks on Windows machines

The OverLog vulnerability (CVE-2022-37981) can be used to exploit the BackupEventLogW function and launch a remote DoS attack by filling up hard drive space on any Windows machine on the domain, Taler said. “The bug here is even simpler, and although it says in the documentation that the backup user must have the SE_BACKUP_NAME privilege, the code doesn’t validate it – so every user can backup files to a remote machine s ‘he has write access to a folder on this machine,” he wrote. He also provided the following example attack flow:

1. Obtain a descriptor from the Internet Explorer event log on the victim machine
2. Write arbitrary logs to the event log (random strings; various lengths)
3. Save the log to a writable folder on the machine (example: “c:windowstasks”) where every domain user has write permission by default
4. Repeat the backup process until the hard drive is full and the computer stops working
5. The victim machine is unable to write a “page file” (virtual memory), rendering it unusable

Fix reduces risk, teams urged to monitor suspicious activity

Microsoft chose not to fully patch the LogCrusher vulnerability on Windows 10 (newer operating systems are unaffected), according to Taler. “As of Microsoft’s October 11, 2022 patch Tuesday update, the default permissions setting that allowed non-administrative users to access the Internet Explorer event log on remote machines has been limited to administrators premises, which greatly reduces the risk of harm,” he said. added. However, while this fixes this particular set of IE event log exploits, there is still potential for other user-accessible application event logs to be similarly exploited for attacks, a warned Taler. Therefore, the patch applied by Microsoft should be applied to all potentially vulnerable systems and security teams should monitor suspicious activity, he concluded.

Speaking to the CSO, Tope Olufon, Principal Analyst at Forrester, said, “While this vulnerability should be patched, I would not classify the situation as high risk at this time. It requires a user account, and if this has been compromised, you will probably have bigger problems. Also, a patch has already been released (an administrator account is now required for the compromise, same point as above). The recommendations here are to install the patch Microsoft and to monitor unusual write activity on the Crown Jewels Going forward, this is one of many vulnerabilities that will be discovered as Internet Explorer is shut down.