Windows Event Log Bugs let Hackers Perform DoS & Remotely Crash Event Log Apps

An event log can be remotely cleared and backed up with the help of ElfClearELFW, an MS-EVEN function. This function takes two parameters:

  • LogHandle
  • BackupFileName

However, the ElfClearELFW function has a bug that causes it to fail to validate its input properly. To understand the LogCrusher attack flow, it is necessary to take these two functions into account.

It is possible to disrupt the service or reduce its performance, but the attacker cannot cause the service to stop working completely.

By obtaining a handle to the legacy Internet Explorer log, an attacker can leverage it to perform the following illicit activities:

  • Crash the Event Log
  • Initiate DoS condition

By combining this flaw with another one, it is possible to make the log backup function fail. Using this technique, the threat actor can create a writable folder on the targeted host and repeatedly back up arbitrary logs to it until the drive is full.

Microsoft has released a patch for potentially vulnerable systems; it should be applied as soon as possible, and those systems should be monitored carefully for any suspicious activity.
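The two symptoms the article describes (an Event Log service that crashes, and a folder on the target filling up with repeated log backups) are both observable from the host itself. The following script is an added example for this article, not Microsoft's or the researchers' code: it is a defender-side check to run periodically on a Windows host. The 24-hour window, the thresholds, and the watched directories are assumptions and should be tuned to the environment.

```powershell
# Added example (not from the article): host-side check for the symptoms described above.
# Assumptions: 24-hour window, thresholds below, and the watched directories.
param(
    [int]$HoursBack = 24,
    [int]$CrashThreshold = 1,       # assumption: any unexpected Event Log crash deserves a look
    [int]$MinFreePercent = 10,      # assumption: alert when a fixed disk is below 10% free
    [int]$BurstThreshold = 20,      # assumption: 20+ new files in one folder inside the window
    [string[]]$WatchDirs = @("$env:SystemRoot\Temp", $env:ProgramData)  # assumption
)

$since = (Get-Date).AddHours(-$HoursBack)

# 1. Unexpected terminations of the Event Log service. The Service Control Manager
#    writes 7031/7034 to the System log once the service is running again, so a
#    crash that happened while the service was down is still visible afterwards.
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Event Log' })

# 2. The Security log records 1100 whenever the event logging service shuts down.
$shutdowns = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 1100
        StartTime = $since
    } -ErrorAction SilentlyContinue)

# 3. Disk pressure on fixed drives (DriveType 3): the second flaw fills the drive
#    with repeated backups.
$lowDisk = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Where-Object { $_.Size -gt 0 -and ($_.FreeSpace / $_.Size * 100) -lt $MinFreePercent })

# 4. Bursts of newly created files in folders a remote caller could write to.
#    The backup file name is caller-supplied, so do not rely on a .evtx extension.
$bursts = @(foreach ($dir in $WatchDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since } |
            Group-Object DirectoryName |
            Where-Object { $_.Count -ge $BurstThreshold } |
            ForEach-Object {
                [pscustomobject]@{
                    Directory = $_.Name
                    NewFiles  = $_.Count
                    TotalMB   = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)
                }
            }
    }
})

# Summary object: feed it to a SIEM or just read it at the console.
[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    Window               = "$HoursBack h"
    EventLogCrashes      = $crashes.Count
    SecurityLogShutdowns = $shutdowns.Count
    LowDiskVolumes       = ($lowDisk | ForEach-Object {
                               "$($_.DeviceID) $([math]::Round($_.FreeSpace / 1MB)) MB free"
                           }) -join '; '
    FileBursts           = $bursts
    Suspicious           = ($crashes.Count -ge $CrashThreshold) -or
                           ($lowDisk.Count -gt 0) -or ($bursts.Count -gt 0)
}
```

Run it elevated, since reading the Security log requires administrative rights. Two caveats: if the Event Log service is down at the moment the script runs, the two `Get-WinEvent` queries fail and only the disk and file checks produce results, which is why those checks are kept independent of the log service; and the directory list is a placeholder for whatever shares or folders the host actually exposes for writing, so replace it with the real ones before relying on the file-burst check.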