TUCoPS :: Windows :: afulle1.txt

A full event log does not send administrative alerts


Hello!



I would like to report a vulnerability that I reported to MS and which now has a remedy.
Unfortunately, MS decided that this problem does not deserve its own urgent security hotfix and preferred to wait for the latest service packs.



Affected OS: Windows 2000 (Server and Professional) up to and including SP2, and Windows XP Professional (no SP, the initial version only)



Remedy: Apply Windows 2000 SP3 or Windows XP SP1, as appropriate for the OS



The problem:
If you configure an event log (of any kind, not only Security; Application and System as well) not to overwrite itself but to stop logging when it is full (so that you can save it aside to a file and only then clear it), and you also configure the PC to send administrative alerts (pop-up messages generated by the "Alerter" and "Messenger" services on the originating PC when certain system events are triggered locally, such as a full event log or lack of disk space, and received on a target PC with an active "Messenger" service), these alerts are never sent when ANY event log type (not only Security) fills up and thus stops logging.



Attached are links to articles explaining how to set up administrative alerts in Windows 2000 and XP:
Q243625 - How to Configure Administrative Alerts in Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243625)
Q310490 - HOW TO: Set Up Administrative Alerts in Windows XP (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310490)



Vulnerability effect:
The problem here, mostly with the Security event log, is that the log can be filled (by the OS's normal security logging, or by a malicious attacker filling the log with bogus events just to push it to the point where it stops logging), and once the log is full, any further security events, malicious or regular, are no longer logged, and no administrator is aware that the log needs to be saved aside and cleared.
This can also be risky for the System event log (I think it is the System type) if it cannot log the fact that a drive is almost full; this can lead to an OS or application corruption, up to (or should I say "down to"…) a crash.



No exploit programs are required, but I guess any program that can fill up the security event log with bogus events can help attackers.
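A defender-side check for the condition the advisory describes, added here as an example and not part of the original report: it lists every event log configured to stop logging when full (the "do not overwrite events" setting, LogMode Retain) and flags those that are already full or close to it, so the condition is caught by a scheduled check rather than a pop-up alert. It assumes a Windows host with PowerShell's Get-WinEvent (Vista or later), so it does not run on the Windows 2000/XP systems the advisory covers; the 80% warning threshold is an assumed value.

```powershell
# Added example: report event logs that stop logging when full and how
# close each one is to capacity. Assumes PowerShell with Get-WinEvent
# (Windows Vista / Server 2008 or later).
param(
    [int]$WarnPercent = 80   # assumed threshold; tune to taste
)

# Enumerate all enabled logs that have a size limit; some logs refuse
# access to non-admins, so errors are silenced rather than aborting.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.MaximumSizeInBytes -gt 0 -and $null -ne $_.FileSize }

foreach ($log in $logs) {
    $pct = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes)
    # Retain = do not overwrite, stop logging when full (the advisory's setting).
    # Circular and AutoBackup keep logging, so they cannot silently go quiet.
    $stopsWhenFull = ($log.LogMode -eq 'Retain')

    if ($log.IsLogFull) {
        Write-Warning ("{0}: FULL - logging has stopped ({1} records). Save it aside and clear it." -f
            $log.LogName, $log.RecordCount)
    }
    elseif ($stopsWhenFull -and $pct -ge $WarnPercent) {
        Write-Warning ("{0}: {1}% of {2} MB used, mode Retain - will stop logging when full." -f
            $log.LogName, $pct, [int]($log.MaximumSizeInBytes / 1MB))
    }
}

# Summary of every log that will stop logging when full, fullest first.
$logs | Where-Object { $_.LogMode -eq 'Retain' } |
    Select-Object LogName, LogMode, RecordCount,
        @{ n = 'PercentFull'; e = { [math]::Round(100 * $_.FileSize / $_.MaximumSizeInBytes) } } |
    Sort-Object PercentFull -Descending |
    Format-Table -AutoSize
```

Run it from a scheduled task under an account that can read the Security log, and treat any FULL line as an incident: nothing has been recorded since that log filled.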



Workaround:
None that I am aware of.



Remedy:
For Windows 2000 Server and Professional: Apply SP3 for Windows 2000
For Windows XP Professional: Apply SP1 for Windows XP



The TechNet article regarding this issue can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329350



Credit:

Eitan Caspi

Israel

Email: eitancaspi@yahoo.com
