The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It
The following video shows both the POC and our patch in action. On the left side is the target computer, a fully updated Windows Server 2019 acting as domain controller. The firewall rules are in their default configuration, with all three Remote Event Log Management rules disabled, to show that the firewall does not stop the attack. The Event Log service is running and 0patch Agent is initially disabled.
On the right side is the attacker’s Windows workstation, where the attacker is a regular Domain Users member. The attacker launches the POC against the domain controller and immediately crashes the Event Log service.
The same test is then repeated with 0patch Agent enabled, which applies our in-memory micropatch to the Event Log service process (of course without restarting the computer). This time, the POC fails to crash the service because our patch detects the presence of a null pointer and makes sure it does not cause a memory access violation.
More information at https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html