The vulnerabilities, dubbed LogCrusher and OverLog by Varonis, target the EventLog Remoting Protocol (MS-EVEN), which allows remote access to event logs.
While the former allows "any domain user to remotely crash the Event Log application of any Windows machine," OverLog causes a DoS by "filling up the hard drive space of any Windows machine on the domain," Dolev Taler said in a report shared with The Hacker News.
OverLog has been assigned the CVE identifier CVE-2022-37981 (CVSS score: 4.3) and was resolved by Microsoft as part of its October Patch Tuesday updates. LogCrusher, however, remains unresolved.
“Performance may be disrupted and/or reduced, but an attacker cannot completely deny service,” the tech giant said in an advisory for the vulnerability published earlier this month.
According to Varonis, the problems stem from an attacker being able to obtain a handle to the legacy Internet Explorer log, setting the stage for attacks that use that handle to crash the Event Log on victim machines and even cause a DoS condition.
This is achieved by combining it with another flaw in the log backup function (BackupEventLogW) to continuously back up arbitrary logs to a writable directory on the targeted machine until the hard drive is full.
Microsoft has since fixed the OverLog vulnerability by restricting access to the Internet Explorer Event Log to local administrators, thereby reducing the potential for abuse.
"While this addresses the specific set of Internet Explorer Event Log exploits, it is still possible for other user applications that have access to the Event Logs to be similarly used for attacks," said Taler.