Home page logo

bugtraq logo Bugtraq mailing list archives

A full event log does not send administrative alerts
From: Eitan Caspi <eitancaspi () yahoo com>
Date: 11 Oct 2002 19:34:42 -0000


I would like to report a vulnerability that was reported by me to MS and 
now have a remedy.
Unfortunately, MS decided that this problem does not deserve its own 
urgent security hot fix and preferred to wait for the latest service packs.

Affected OS: Windows 2000 (server and professional) up to and including 
SP2 and Windows XP Professional (no SP, the initial version only)

Remedy: Applying Windows 2000 SP3 or Windows XP SP1 for each OS

The problem:
If you define that an event log (from any kind, not only security – 
application and system as well) will not overwrite itself but will stop 
logging when it is full (and thus let you save it to the side as a file 
and only then clear it) – and you also set that this PC will send 
administrative alerts (pop-up messages generated using the "Alerter" 
and "Messenger" services on the originating PC when certain system events 
are triggered locally (like a full event log or lack of disk space)  and 
accepted on target PC with an active "Messenger" service) – This alerts 
are never sent when ANY event log type (not only security) is filled up 
and thus not logging any more.

Attached links to articles explaining of how to set up administrative 
alerts in windows 2000 and XP:
Q243625 - How to Configure Administrative Alerts in Windows 2000 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243625 )
Q310490 - HOW TO: Set Up Administrative Alerts in Windows XP 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310490 )

Vulnerability effect:
The problem here, mostly with the security event log – is that the log can 
be filled (by normal security logging operation by the OS or by a 
malicious attacker filling the log with bogus events, just to fill up to 
the log to the point it will stop logging) and when the log is full – then 
any malicious or regular security events are not being logged (and no 
administrator is aware of the fact the log should be cleared aside).
This can also be risky for the system event log (I think it is the system 
type) if it can't log the fact that a drive is being almost full – this 
can lead to an OS / Application corrupt up to (or should I say "down to"…) 
a crash.

No exploit programs are required, but I guess any program that can fill up 
the security event log with bogus events can help attackers.

Not any I am aware of.

For Windows 2000 Serve and Professional: Apply SP3 for Windows 2000
For Windows XP Professional: Apply SP1 for Windows XP

The TechNet article regarding this issue can be found in 

Eitan Caspi
Email: eitancaspi () yahoo com

  By Date           By Thread  

Current thread:
  • A full event log does not send administrative alerts Eitan Caspi (Oct 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]