Now, it’s been discovered that the Windows Event Forwarding feature leaves a log file containing debugging information when a system crashes, which could lead to a remote code execution vulnerability.

The vulnerability allows remote attackers to take control of vulnerable systems. The attacker would have to be able to persuade a user to open an email purporting to be from a trusted source. In this scenario, the user would have to click on a link or open an attachment in the email, which could then lead to remote code execution. This is an example of a “spear phishing” attack.

It was discovered that Windows Event Forwarding logs were written to the system’s Application log. As a result, a remote attacker could use a specially crafted application crash to retrieve the log file, which could then be used in a remote code execution attack.

In the above example, the attacker sent an email to the victim with an attachment named “windowseventforwarderlog.txt”. The email would then need to be opened by the user. In some cases, the attacker may be able to persuade the user to open the email. At any rate, once the user has done so, the attacker could then open the “windowseventforwarderlog.txt” file, which would then lead to remote code execution. In summary, the Windows Event Forwarding feature leaves a log file in the Application log that contains debugging information when a system

Windows Event Forwarding Log File Contains Debugging Information

The Windows Event Forwarding feature leaves a log file in the Application log when a system crashes. This log file contains debugging information that could be used to take control of vulnerable systems. An attacker would need to convince a user to open an email purporting to be from a trusted source. In this scenario, the user would have to click on a link or open an attachment in the email, which could then lead to remote code execution. This is an example of a “spear phishing” attack.

A vulnerability was discovered that allowed for the retrieval of the log file, which could then be used in remote code execution attacks. In this example, an attacker sent an email with an attachment named “windowseventforwarderlog.txt” and in some cases might also be able to persuade the user to open it. At any rate, once opened, the attacker could then open “windowseventforwarderlog.txt” and use it in remote code execution attacks.

Windows Event Forwarding Log File Location

The Windows Event Forwarding feature logs information to the Application log. The log file that contains this debugging information is named “windowseventforwarderlog.txt” and can be found in the $WINDOWS.~BT\Windows\System32 directory in %WinDir%\.

In summary, the Windows Event Forwarding feature leaves a log file in the Application log that contains debugging information when a system crashes. This could lead to an attacker taking control of vulnerable systems by persuading users to open malicious attachments in emails.

Vulnerability discovered and proof of concept code developed

If you are interested in learning more about this vulnerability, please visit the following link:
https://www.exploit-db.com/exploits/2022/

Windows Event Forwarding Log File

The Windows Event Forwarding feature logs debug information in a file that is left in the system’s Application log. This information can be accessed by an attacker with access to the user’s computer through malicious software.

To do this, the attacker would have to persuade the user to open an email purporting to be from a trusted source. In this scenario, the user would have to click on a link or open an attachment in the email, which could then lead to remote code execution. This is an example of a “spear phishing” attack.

In summary, Windows Event Forwarding allows log files containing debugging information to be written to the system’s Application log, where those files are accessible to malicious software.

Timeline

Published on: 03/09/2022 17:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC

References