lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Dec 2006 16:10:35 +0000 From: "BART. ...." <need4angel@...mail.com> To: 3APA3A@...URITY.NNOV.RU Cc: full-disclosure@...ts.grok.org.uk Subject: FW: [Fwd: Re[2]: Fun with event logs (semi-offtopic)] Dear 3APA3A, Correct me if i am wrong, but it looks like it's documented behavior of the event viewer. This is what i found: Note that there is no way to log a string that contains %n, where n is an integer value. This syntax is used in IPv6 addresses, so it is a problem to log an event message that contains an IPv6 address. For example, if the message text contains %1, the event viewer treats it as an insertion string. If the string contains %%1, the event viewer literally uses %%1. Source: http://msdn2.microsoft.com/en-us/library/aa363679.aspx Greetz, B >-------- Original Message -------- >Subject: Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic) >Date: Thu, 21 Dec 2006 20:13:14 +0300 >From: 3APA3A <3APA3A@...URITY.NNOV.RU> >Reply-To: 3APA3A <3APA3A@...URITY.NNOV.RU> >Organization: http://www.security.nnov.ru >To: Michele Cicciotti <mc@...msa.net> >CC: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com >References: <20061221122536.6AA7A1D8F7C@...ertolla.itapac.net> ><20061221152104.A96731D8F79@...ertolla.itapac.net> > > > >Dear Michele Cicciotti, > >--Thursday, December 21, 2006, 6:20:54 PM, you wrote to >full-disclosure@...ts.grok.org.uk: > >>>There is interesting thing with event logging on Windows. The only >>>security aspect of it is event log record tampering and performance >>>degradation, but it may become sensitive is some 3rd party software is >>>used for automated event log analysis. > >MC> I doubt this. The event logs don't contain the actual formatted >MC> string, because the template string is localized and only retrieved >MC> when the entry is displayed - what is logged is just a message id >MC> and the string inserts (see documentation for EVENTLOGRECORD). >MC> FormatMessage (which is used to build the full message to display to >MC> the user) isn't the culprit, either, because it doesn't operate >MC> recursively (that would have bizarre consequences, since > >As I wrote, my message is semi-offtopic, because it's more fun than >any security vulnerability here. > >Yes, probably this bug only affects event viewer itself. I don't >understand how and why Microsoft achieved this effect in event viewer, >which is, by the way, security tool, and if it's hard for different >vendor to make same mistake. It doesn't look like Easter egg, but if >FormatMessage does not recursion it needs to be specially coded and it >does nothing except this bug. Bug, that needs to be specially coded is >new funny bug category, isn't it? > >-- >~/ZARAZA >http://www.security.nnov.ru/ > > _________________________________________________________________ The MSN Entertainment Guide to Golden Globes is here. Get all the scoop. http://tv.msn.com/tv/globes2007/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists