Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog

Cyber Security

Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS).

The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the EventLog Remoting Protocol (MS-EVEN), which enables remote access to event logs.

While the former allows “any domain user to remotely crash the Event Log application of any Windows machine,” OverLog causes a DoS by “filling the hard drive space of any Windows machine on the domain,” Dolev Taler said in a report shared with The Hacker News.

OverLog has been assigned the CVE identifier CVE-2022-37981 (CVSS score: 4.3) and was addressed by Microsoft as part of its October Patch Tuesday updates. LogCrusher, however, remains unresolved.

“The performance can be interrupted and/or reduced, but the attacker cannot fully deny service,” the tech giant said in an advisory for the flaw released earlier this month.

The issues, according to Varonis, bank on the fact that an attacker can obtain a handle to the legacy Internet Explorer log, effectively setting the stage for attacks that leverage the handle to crash the Event Log on the victim machine and even induce a DoS condition.

This is achieved by combining it with another flaw in a log backup function (BackupEventLogW) to repeatedly backup arbitrary logs to a writable folder on the targeted host until the hard drive gets filled.

Microsoft has since remediated the OverLog flaw by restricting access to the Internet Explorer Event Log to local administrators, thereby reducing the potential for misuse.

“While this addresses this particular set of Internet Explorer Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks,” Taler said.