Full Disclosure mailing list archives
Re: FW: [Fwd: Re[2]: Fun with event logs (semi-offtopic)]
From: Microsoft Security Response Center <secure () microsoft com>
Date: Mon, 19 Feb 2007 13:13:35 -0800
Hello 3APA3A,

Sorry for the delay in reporting the status of this case. The test teams have concluded their investigations and we have determined that this would fall into a next version type of fix. This has already been fixed in Vista and since this is more of a tampering scenario rather than a security vulnerability we have decided not to address this issue in a bulletin or service pack.

Please let me know if you have any concerns or questions regarding this decision. I will be closing this case out, but if you feel that we have not correctly reached the correct conclusion then I can easily reopen this case.

Thank you again for reporting this issue to us.

Thanks,
Dave
MSRC

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of BART. ....
Sent: Wednesday, December 27, 2006 8:11 AM
To: 3APA3A () SECURITY NNOV RU
Cc: full-disclosure () lists grok org uk
Subject: [Full-disclosure] FW: [Fwd: Re[2]: Fun with event logs (semi-offtopic)]

Dear 3APA3A,

Correct me if I am wrong, but it looks like it's documented behavior of the event viewer. This is what I found:

    Note that there is no way to log a string that contains %n, where n is an integer value. This syntax is used in IPv6 addresses, so it is a problem to log an event message that contains an IPv6 address. For example, if the message text contains %1, the event viewer treats it as an insertion string. If the string contains %%1, the event viewer literally uses %%1.

Source: http://msdn2.microsoft.com/en-us/library/aa363679.aspx

Greetz,
B
-------- Original Message --------
Subject: Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic)
Date: Thu, 21 Dec 2006 20:13:14 +0300
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Reply-To: 3APA3A <3APA3A () SECURITY NNOV RU>
Organization: http://www.security.nnov.ru
To: Michele Cicciotti <mc () khamsa net>
CC: full-disclosure () lists grok org uk, bugtraq () securityfocus com
References: <20061221122536.6AA7A1D8F7C () supertolla itapac net> <20061221152104.A96731D8F79 () supertolla itapac net>

Dear Michele Cicciotti,

--Thursday, December 21, 2006, 6:20:54 PM, you wrote to full-disclosure () lists grok org uk:

> There is an interesting thing with event logging on Windows. The only security aspect of it is event log record tampering and performance degradation, but it may become sensitive if some 3rd party software is used for automated event log analysis.

MC> I doubt this. The event logs don't contain the actual formatted
MC> string, because the template string is localized and only retrieved
MC> when the entry is displayed - what is logged is just a message id
MC> and the string inserts (see documentation for EVENTLOGRECORD).
MC> FormatMessage (which is used to build the full message to display
MC> to the user) isn't the culprit, either, because it doesn't operate
MC> recursively (that would have bizarre consequences, since

As I wrote, my message is semi-offtopic, because it's more fun than any security vulnerability here. Yes, probably this bug only affects event viewer itself. I don't understand how and why Microsoft achieved this effect in event viewer, which is, by the way, a security tool, and if it's hard for a different vendor to make the same mistake. It doesn't look like an Easter egg, but if FormatMessage does not recurse it needs to be specially coded and it does nothing except this bug. A bug that needs to be specially coded is a new funny bug category, isn't it?

-- 
~/ZARAZA
http://www.security.nnov.ru/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
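As an added defensive example (not code from the thread, from Microsoft, or from any tool named above), the following Python flags exported event-record insert strings that contain a %n reference of the kind the MSDN excerpt describes, and escapes them as %%n so a viewer renders them literally instead of treating them as insertion strings. The record layout and sample inserts (including an IPv6 address with a %1 zone suffix) are constructed for the example.

```python
import re

# An Event Viewer insertion-string reference: '%' followed by one or more
# digits ("%1", "%12"). A doubled percent ("%%1") is rendered literally,
# so the lookbehind keeps it from matching.
INSERT_REF = re.compile(r"(?<!%)%(\d+)")

# Constructed sample records, shaped like a minimal export of
# (record id, raw insert strings); not real log data.
SAMPLE_RECORDS = [
    {"record_id": 101, "inserts": ["alice", "fe80::1%1"]},   # IPv6 zone id
    {"record_id": 102, "inserts": ["bob", "100%% done"]},     # already escaped
    {"record_id": 103, "inserts": ["%1%1%1%1", "x"]},         # self-referencing insert
]


def find_insert_references(insert):
    """Return the insertion indexes referenced from inside an insert string."""
    return [int(m.group(1)) for m in INSERT_REF.finditer(insert)]


def escape_event_insert(insert):
    """Escape each '%n' as '%%n' so the viewer shows it literally (per MSDN)."""
    return INSERT_REF.sub(lambda m: "%%" + m.group(1), insert)


def flag_records(records):
    """Return ids of records whose raw inserts contain '%n' references.

    Such inserts are the ones an automated log consumer should not hand to
    a template formatter unescaped.
    """
    return [
        r["record_id"]
        for r in records
        if any(find_insert_references(s) for s in r["inserts"])
    ]


def escape_records(records):
    """Return a copy of the records with every insert string escaped."""
    return [
        {"record_id": r["record_id"],
         "inserts": [escape_event_insert(s) for s in r["inserts"]]}
        for r in records
    ]


if __name__ == "__main__":
    print("flagged:", flag_records(SAMPLE_RECORDS))
    print("escaped:", escape_records(SAMPLE_RECORDS))
```

Escaping is idempotent: an insert that already reads "%%1" is left alone, so the function can run on mixed exports without doubling percents twice.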