mailing list archives
Re: [Full-disclosure] Fun with event logs (semi-offtopic)
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 21 Dec 2006 20:13:14 +0300
Dear Michele Cicciotti,
--Thursday, December 21, 2006, 6:20:54 PM, you wrote to full-disclosure () lists grok org uk:
There is interesting thing with event logging on Windows. The only
security aspect of it is event log record tampering and performance
degradation, but it may become sensitive is some 3rd party software is
used for automated event log analysis.
MC> I doubt this. The event logs don't contain the actual formatted
MC> string, because the template string is localized and only retrieved
MC> when the entry is displayed - what is logged is just a message id
MC> and the string inserts (see documentation for EVENTLOGRECORD).
MC> FormatMessage (which is used to build the full message to display to
MC> the user) isn't the culprit, either, because it doesn't operate
MC> recursively (that would have bizarre consequences, since
As I wrote, my message is semi-offtopic, because it's more fun than
any security vulnerability here.
Yes, probably this bug only affects event viewer itself. I don't
understand how and why Microsoft achieved this effect in event viewer,
which is, by the way, security tool, and if it's hard for different
vendor to make same mistake. It doesn't look like Easter egg, but if
FormatMessage does not recursion it needs to be specially coded and it
does nothing except this bug. Bug, that needs to be specially coded is
new funny bug category, isn't it?