Full Disclosure mailing list archives

Re: FW: [Fwd: Re[2]: Fun with event logs (semi-offtopic)]


From: Microsoft Security Response Center <secure () microsoft com>
Date: Mon, 19 Feb 2007 13:13:35 -0800

Hello 3APA3A,

Sorry for the delay in reporting the status of this case. The test teams have concluded their investigations and we 
have determined that this would fall into a next version type of fix.  This has already been fixed in Vista and since 
this is more of a tampering scenario rather than a security vulnerability we have decided not to address this issue in 
a bulletin or service pack. Please let me know if you have any concerns or questions regarding this decision. I will be 
closing this case out, but if you feel that we have not correctly reached the correct conclusion then I can easily 
reopen this case. Thank you again for reporting this issue to us.

Thanks,
Dave
MSRC

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
BART. ....
Sent: Wednesday, December 27, 2006 8:11 AM
To: 3APA3A () SECURITY NNOV RU
Cc: full-disclosure () lists grok org uk
Subject: [Full-disclosure] FW: [Fwd: Re[2]: Fun with event logs (semi-offtopic)]

Dear 3APA3A,

Correct me if I am wrong, but it looks like it's documented behavior of the event viewer.
This is what I found:

Note that there is no way to log a string that contains %n, where n is an integer value. This syntax is used in IPv6 
addresses, so it is a problem to log an event message that contains an IPv6 address. For example, if the message text 
contains %1, the event viewer treats it as an insertion string.
If the string contains %%1, the event viewer literally uses %%1.

Source:
http://msdn2.microsoft.com/en-us/library/aa363679.aspx

Greetz,
B

-------- Original Message --------
Subject:       Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic)
Date:  Thu, 21 Dec 2006 20:13:14 +0300
From:  3APA3A <3APA3A () SECURITY NNOV RU>
Reply-To:      3APA3A <3APA3A () SECURITY NNOV RU>
Organization:  http://www.security.nnov.ru
To:    Michele Cicciotti <mc () khamsa net>
CC:    full-disclosure () lists grok org uk, bugtraq () securityfocus com
References:    <20061221122536.6AA7A1D8F7C () supertolla itapac net>
<20061221152104.A96731D8F79 () supertolla itapac net>



Dear Michele Cicciotti,

--Thursday, December 21, 2006, 6:20:54 PM, you wrote to
full-disclosure () lists grok org uk:

There is an interesting thing with event logging on Windows. The
only security aspect of it is event log record tampering and
performance degradation, but it may become sensitive if some 3rd
party software is used for automated event log analysis.

MC> I doubt this. The event logs don't contain the actual formatted
MC> string, because the template string is localized and only retrieved
MC> when the entry is displayed - what is logged is just a message id
MC> and the string inserts (see documentation for EVENTLOGRECORD).
MC> FormatMessage (which is used to build the full message to display
MC> to the user) isn't the culprit, either, because it doesn't operate
MC> recursively (that would have bizarre consequences, since

As I wrote, my message is semi-offtopic, because it's more fun than
any security vulnerability here.

Yes, probably this bug only affects event viewer itself. I
don't understand how and why Microsoft achieved this effect in event
viewer, which is, by the way, a security tool, and if it's hard for a
different vendor to make the same mistake. It doesn't look like an Easter
egg, but if FormatMessage does not recurse it needs to be specially
coded and it does nothing except this bug. A bug that needs to be
specially coded is a new funny bug category, isn't it?

--
~/ZARAZA
http://www.security.nnov.ru/
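Added example, not code from the thread, from Microsoft or from the Event Viewer: a small Python expander that follows the insertion-string rules quoted from the MSDN page above (single pass, "%n" replaced by the n-th insert, "%%n" kept literally), placed beside a bounded recursive expander so the display difference the thread discusses is visible, plus the check a third-party log analyzer would want to run over the inserts. The template, the insertion strings (including the IPv6 zone-id style "%1") and all function names are constructed for the example.

```python
import re

# Added reference code (not Microsoft's FormatMessage or the Event Viewer):
# a message expander following the rules quoted from the MSDN page above.
# "%n" (n a positive integer) is replaced by the n-th insertion string,
# "%%n" is kept literally, and substituted text is never rescanned.
_PLACEHOLDER = re.compile(r"%%\d+|%(\d+)")


def expand_once(template: str, inserts: list[str]) -> str:
    """Single-pass expansion: inserts are copied verbatim, even if they
    themselves contain %n, so one insert can never pull in another."""
    def repl(m: re.Match) -> str:
        if m.group(1) is None:          # "%%n" -> literal, per the docs
            return m.group(0)
        n = int(m.group(1))
        if 1 <= n <= len(inserts):
            return inserts[n - 1]
        return m.group(0)               # missing insert: keep placeholder visible

    return _PLACEHOLDER.sub(repl, template)


def expand_recursively(template: str, inserts: list[str], max_passes: int = 8) -> str:
    """Re-scan the output until no %n changes (bounded so self-referencing
    inserts cannot loop forever). This is the behaviour the thread attributes
    to the Event Viewer; it is here only to show why an analyzer must not do it."""
    text = template
    for _ in range(max_passes):
        new = expand_once(text, inserts)
        if new == text:
            break
        text = new
    return text


def inserts_needing_review(inserts: list[str]) -> list[int]:
    """1-based indices of inserts containing an unescaped %n. A log analyzer
    should surface these: they are either legitimate (e.g. an IPv6 zone id)
    or text that will render misleadingly in a recursive viewer."""
    return [i + 1 for i, s in enumerate(inserts)
            if any(m.group(1) for m in _PLACEHOLDER.finditer(s))]


if __name__ == "__main__":
    # Constructed record: message template plus two insertion strings.
    template = "Logon failure for user %1 from address %2"
    inserts = ["alice", "fe80::1%1"]   # "%1" here is an IPv6 zone index, not a placeholder
    print(expand_once(template, inserts))
    print(expand_recursively(template, inserts))
    print(inserts_needing_review(inserts))
```

The single pass renders the address as logged ("fe80::1%1"); the recursive pass re-expands the "%1" inside the address and shows "fe80::1alice", which is exactly the kind of output an automated analyzer would misread. Flagging inserts that carry unescaped placeholders lets such a tool treat them as data rather than formatting.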




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
