Windows Event Log Bugs Let Attackers Cause DoS and Remotely Crash the Event Log Application

Security researchers at Varonis Threat Labs recently revealed that Microsoft Windows contains two vulnerabilities in the Event Log, both of which can be exploited to cause a denial of service (DoS).

The pair of vulnerabilities named by the security analysts at Varonis are as follows:-

  • LogCrusher
  • OverLog

Both bugs live in MS-EVEN (the EventLog Remoting Protocol), the RPC interface through which a client reads, clears and backs up the event logs of a remote machine. That is what makes them remotely exploitable: a threat actor on the network, not just a local user, can reach the affected functions and the event logs behind them.

On June 15 this year, Microsoft officially ended support for Internet Explorer (IE). IE nevertheless still causes security and stability problems, because it is deeply integrated into the Windows ecosystem; the legacy IE event log described below is one such leftover.

OverLog is a disk-filling attack: it causes a DoS on the target Windows machine by consuming all of the free space on its hard drive.

OverLog has been assigned CVE-2022-37981 with a CVSS score of 4.3, and Microsoft fixed it in its October 2022 Patch Tuesday update. LogCrusher, however, has not been fixed and remains unpatched.


The Windows API function OpenEventLogW opens a handle to an event log on the local machine or on a remote one; which log, and on which machine, is selected by its two parameters:-

  • lpUNCServerName: the UNC name of the remote server whose log is to be opened (NULL for the local machine)
  • lpSourceName: the name of the log to open

By default, non-administrative, low-privilege users cannot open the event logs of other machines, because the logs' permissions do not grant them access. There is one exception to this rule: the legacy "Internet Explorer" log.

That log carries its own security descriptor, which overrides the default event log permissions and grants access to low-privileged users; it effectively maintains its own security profile.
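The two points above, the OpenEventLogW call and the per-log security descriptor, can both be checked from a non-administrative account. The following PowerShell is an added example written for this page; it is not code from the Varonis report. Test-EventLogHandle calls advapi32!OpenEventLogW with exactly the two parameters described and reports whether a handle came back; Get-EventLogChannelAccess reads a log's security descriptor and lists who is granted the classic read/write/clear rights. Assumptions not stated on the page: "wevtutil gl" prints the descriptor on a "channelAccess:" line, the access mask uses the classic event log rights (0x1 read, 0x2 write, 0x4 clear) plus the GENERIC_* bits, the list of "broad" SIDs is our own choice, and "target-host" is a placeholder name.

```powershell
# Editor's example, not from the Varonis report. Windows-only (P/Invoke, wevtutil).
if (-not ('Win32.EventLogApi' -as [type])) {
    Add-Type -Namespace Win32 -Name EventLogApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenEventLogW(string lpUNCServerName, string lpSourceName);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseEventLog(IntPtr hEventLog);
'@
}

function Test-EventLogHandle {
    # Try to open a handle to $LogName on $Server (or locally when $Server is empty).
    # Caveat from the API contract: a log name that does not exist on the target
    # silently opens the Application log instead, so only test real log names.
    param([string]$LogName = 'Internet Explorer', [string]$Server)
    $unc = if ($Server) { "\\$Server" } else { $null }          # lpUNCServerName, NULL = local
    $h   = [Win32.EventLogApi]::OpenEventLogW($unc, $LogName)    # lpSourceName = log name
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $ok  = $h -ne [IntPtr]::Zero
    if ($ok) { [void][Win32.EventLogApi]::CloseEventLog($h) }
    [pscustomobject]@{ Server = $Server; Log = $LogName; Opened = $ok; Win32Error = $(if ($ok) { 0 } else { $err }) }
}

function Get-EventLogChannelAccess {
    # List the DACL of a log channel. Reads the live descriptor with wevtutil
    # unless an SDDL string is supplied (assumption: wevtutil prints "channelAccess:").
    param([Parameter(Mandatory)][string]$Channel, [string]$Sddl)
    if (-not $Sddl) {
        $hit = (& wevtutil.exe gl $Channel 2>&1 | ForEach-Object { "$_" }) |
               Select-String -Pattern 'channelAccess:\s*(\S+)' | Select-Object -First 1
        if (-not $hit) { throw "no channelAccess line for '$Channel' (channel missing?)" }
        $Sddl = $hit.Matches[0].Groups[1].Value
    }
    # Our own list of "any user" SIDs: Everyone, Authenticated Users, Users, Interactive, Anonymous.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-7'
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $mask = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$ace.AccessMask), 0)
        $all  = ($mask -band [uint32]0x10000000) -ne 0                                   # GENERIC_ALL
        $rights = @()
        if ($all -or ($mask -band [uint32]2147483648) -ne 0 -or ($mask -band 1) -ne 0) { $rights += 'Read' }   # GENERIC_READ or 0x1
        if ($all -or ($mask -band [uint32]0x40000000) -ne 0 -or ($mask -band 2) -ne 0) { $rights += 'Write' }  # GENERIC_WRITE or 0x2
        if ($all -or ($mask -band 4) -ne 0) { $rights += 'Clear' }                                             # 0x4
        $sid = $ace.SecurityIdentifier.Value
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }                                   # unresolvable SID, e.g. foreign domain
        [pscustomobject]@{
            Channel   = $Channel
            Principal = $name
            Type      = $ace.AceType                             # AccessAllowed / AccessDenied
            Rights    = ($rights -join ',')
            # An allow ACE with write or clear for a broad group is what lets a
            # non-admin obtain a handle they can hand to ElfClearELFW.
            Broad     = ($ace.AceType -eq 'AccessAllowed') -and
                        (($broad -contains $sid) -or ($sid -like 'S-1-5-21-*-513')) -and
                        (($rights -contains 'Write') -or ($rights -contains 'Clear'))
        }
    }
}

# Constructed sample descriptor (not copied from any real host): SYSTEM and
# Administrators get 0x7, and so do Authenticated Users, which is the shape of
# grant that exposes a log to any domain account. Runs offline on Windows.
Get-EventLogChannelAccess -Channel 'sample' -Sddl 'O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x7;;;AU)' | Format-Table -AutoSize

# Live checks: compare the legacy IE log with a log that should be closed to
# non-admins, then inspect the descriptor actually in force on this host.
Test-EventLogHandle -LogName 'Internet Explorer' -Server 'target-host'   # placeholder host name
Test-EventLogHandle -LogName 'Security'          -Server 'target-host'
Get-EventLogChannelAccess -Channel 'Internet Explorer' | Where-Object Broad | Format-Table -AutoSize
```

Run the handle test from an ordinary domain account, not an administrator, since the question is precisely what a low-privilege user can open. A Win32Error of 5 (ERROR_ACCESS_DENIED) on the Security log with a successful open of the Internet Explorer log is the exposure the report describes; after patching, the channel access listing is the quickest way to confirm the broad grant is gone.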

ElfClearELFW, an MS-EVEN function, clears an event log on a remote machine and can back it up to a file first. It also takes two parameters:-

  • LogHandle: the handle of the log to clear, such as one obtained through OpenEventLogW
  • BackupFileName: the file the log is written to before it is cleared

ElfClearELFW, however, does not validate its input properly. These two functions together make up the LogCrusher attack flow.

An attacker can disrupt the service and degrade its performance, but cannot make it stop working entirely.

An attacker who obtains a handle to the legacy Internet Explorer log can pass it to the flawed ElfClearELFW function and use it for the following illicit activities:-

  • Crash the Event Log
  • Initiate a DoS condition

OverLog combines the same Internet Explorer log handle with a second flaw, in the log backup function. The threat actor creates a writable folder on the targeted host and repeatedly backs up arbitrary logs into it until the drive is full.

Microsoft's patch should be applied to potentially vulnerable systems as soon as possible, and the Event Log service and the disk usage of those systems should be monitored carefully for suspicious activity.
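"Monitor carefully" is easier with something concrete to run. The PowerShell below is an added example written for this page, not code from the Varonis report or from Microsoft. It gives a defender three host-side checks for the two outcomes described above: the Event Log service terminating unexpectedly (LogCrusher) and the system drive filling up with log backups (OverLog). Assumptions not stated on the page: the service's short name is "eventlog"; the Service Control Manager records unexpected service exits as System log events 7031/7034 with the service display name as the first event property; the free-space threshold is our own choice.

```powershell
# Editor's example, not from the Varonis report. Windows-only.

function Get-EventLogServiceCrashes {
    # Unexpected terminations of the Windows Event Log service as recorded by SCM.
    # Caveat: SCM can only write these once the log service is running again, so
    # a service that is currently down shows nothing here; check its state too.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Count -gt 0 -and $_.Properties[0].Value -eq 'Windows Event Log' } |
        Select-Object TimeCreated, Id, @{ n = 'Service'; e = { $_.Properties[0].Value } }, Message
}

function Get-EventLogServiceState {
    # Current state plus the recovery policy, i.e. how many unexpected exits are
    # tolerated before the service is simply left down.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='eventlog'"
    $failure = & sc.exe qfailure eventlog 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -match '^(RESET_PERIOD|FAILURE_ACTIONS|RESTART|RUN PROCESS|REBOOT)' }
    [pscustomobject]@{
        Name           = $svc.Name
        State          = $svc.State
        StartMode      = $svc.StartMode
        FailureActions = ($failure -join ' | ')
    }
}

function Test-SystemDriveFreeSpace {
    # Disk-fill check for the drive that holds %SystemRoot%\System32\winevt\Logs.
    param([int]$MinFreePercent = 10)   # threshold is our own choice
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $pct  = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    [pscustomobject]@{
        Drive       = $disk.DeviceID
        FreeGB      = [math]::Round($disk.FreeSpace / 1GB, 1)
        FreePercent = $pct
        Alert       = ($pct -lt $MinFreePercent)
    }
}

# Run all three; any crash record, a failure policy that stops restarting the
# service, or a drive below the threshold deserves a closer look.
Get-EventLogServiceCrashes | Format-Table -AutoSize
Get-EventLogServiceState   | Format-List
Test-SystemDriveFreeSpace  -MinFreePercent 10
```

These are point-in-time checks; for continuous coverage, forward the 7031/7034 events and a free-space metric for the system drive to whatever collector is already in use, and alert when either the Event Log service is not running or free space drops sharply over a short window.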


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.