A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders.
Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.
The vulnerability and the PoC
Florian found the bug while working on a fuzzer, which he used to analyze the Event Log RPC (Remote Procedure Call) interface for vulnerabilities and to detect a crash in the ElfrRegisterEventSourceW function of the MS-EVEN RPC interface.
“To avoid having to deal with the low level details of the RPC protocol/interface, I looked for a higher level API that would generate the ElfrRegisterEventSourceW RPC call under the hood. This is how I came across the RegisterEventSourceW function, which I then used in my PoC,” he told Help Net Security.
Apart from developing a proof of concept, he hasn’t put much more research into the vulnerability, he said. “I have only tested the whole thing a few times in a domain network consisting of a Windows 10 machine and a Windows Server 2022 domain controller. I was able to crash the event log service of the domain controller as an unprivileged user from the Windows 10 machine, and that was about it.”
But he shared vulnerability details with Acros Security CEO Mitja Kolsek and his colleagues, who performed additional testing and confirmed that Florian’s PoC also works on Windows 11.
“[The] PoC is remarkably simple: it makes a single call to RegisterEventSourceW, which retrieves a handle to an event log on the specified computer,” Kolsek explained.
“However, before the request is sent to the target computer, the PoC modifies its in-memory structure to confuse the receiving Event Log service. It manages to confuse it so much to cause a null-pointer dereference and crash the service. The attack only takes a second and works reliably.”
The Windows Event Log service
While testing the PoC, the Acros team found that the Windows Event Log service will restart after two crashes, but not after a third one.
The team found that while the service is down, Security and System events (but not Application events) will be put in an event queue so they can be written in the logs when the service restarts.
But this will only happen if an admin restarts the computer “gracefully”. “If the attacker manages to cause a blue screen on the computer where events are being stored in the event queue, these events will actually be irrecoverably lost,” Kolsek noted.
This “EventLogCrasher” vulnerability might not allow remote code execution or elevation of privilege, but it may provide much-needed stealthiness.
“During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks – password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker’s favorite whoami – without being noticed,” Kolsek pointed out.
“Knowing that the ‘dark times’ can soon end when some admin decides to restart machines or start the Event Log service, a clever attacker could simply run the PoC in a never-ending loop to make sure that as soon as the Event Log service is back up, it gets crashed again. It would be really difficult for an admin to even know that it was an attacker crashing the service, as we all know computer things often stop working unexpectedly even without malicious assistance.”
Micropatches are available
The vulnerability can easily be exploited locally, but for a remote attacker to be able to leverage the PoC they must be able to connect to the target computer via SMB and be able to authenticate to it.
“Unless you can afford to completely disable SMB – no network shares, no printers, no many other things – we don’t believe you can configure Windows to prevent this attack from an attacker in your network,” Kolsek stated.
“Internet-facing Windows computers are unlikely to have SMB connectivity open to the Internet, and Windows computers in local networks even less so. The attacker must therefore already be in the local network.”
The vulnerability would be useful for an attacker who has gained access to, for example, a workstation in a Windows network as a regular low privileged user, he told Help Net Security.
“If the company is using intrusion detection based on Windows event logs, an attacker making multiple attempts to login as another domain user might trigger alerts. Disabling the Event Log service would prevent such real-time detection.”
Until Microsoft ships a patch, users looking to plug this security hole can implement a micropatch provided by Acros via its 0patch agent. Micropatches have been provided for various releases of Windows 11, 10 and 7, and Windows Server 2022, 2019, 2016, 2021, and 2008.