3APA3A a écrit :
> Dear full-disclosure (at) lists.grok.org (dot) uk [email concealed],
>
> There is interesting thing with event logging on Windows. The only
> security aspect of it is event log record tampering and performance
> degradation, but it may become sensitive is some 3rd party software is
> used for automated event log analysis.
>
> The problem is a kind of "Format string" vulnerability where
> user-supplied input is used for event log record. For ReportEvent()
> function %1, %2, etc have a special meaning and are replaced with
> corresponding string from lpStrings.
It looks more like a variable replacement (like $0 $1 ... in bash shell)
than a format string issue to me.
And it seems indeed to be a relevant information disclosure bug.
3APA3A a écrit :
> Dear full-disclosure (at) lists.grok.org (dot) uk [email concealed],
>
> There is interesting thing with event logging on Windows. The only
> security aspect of it is event log record tampering and performance
> degradation, but it may become sensitive is some 3rd party software is
> used for automated event log analysis.
>
> The problem is a kind of "Format string" vulnerability where
> user-supplied input is used for event log record. For ReportEvent()
> function %1, %2, etc have a special meaning and are replaced with
> corresponding string from lpStrings.
It looks more like a variable replacement (like $0 $1 ... in bash shell)
than a format string issue to me.
And it seems indeed to be a relevant information disclosure bug.
Cheers,
endrazine-
[ reply ]