Microsoft Security Bulletin MS01-013 - Critical
Windows 2000 Event Viewer Contains Unchecked Buffer
Published: January 26, 2001 | Updated: June 23, 2003
Originally posted: February 26, 2001
Updated: June 23, 2003
Who should read this bulletin:
Users who use the event viewer in Microsoft® Windows® 2000, especially system administrators.
Impact of vulnerability:
Run code of attacker's choice
System administrators should install patch on all critical servers and consider installing it on all Windows 2000 systems.
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
The Windows 2000 event viewer snap-in has an unchecked buffer in a section of the code that displays the detailed view of event records. If the event viewer attempted to display an event record that contained specially malformed data in one of the fields, either of two outcomes would result. In the less serious case, the event viewer would fail. In the more serious case, code of the attacker's choice could be made to run via a buffer overrun.
By design, unprivileged processes can log events in the System and Application logs, and interactively logged-on, unprivileged users can view them. However, only privileged processes can log events in the Security log, and only interactively logged-on administrators can view them. If the vulnerability were exploited to run code of the attacker's choice, the code would run in the security context of the user who viewed the affected record.
- Simply perusing the listing of events in a log would not allow the vulnerability to be exploited. It could only be exploited if the user opened an affected record to view the event details.
- Although the Event Viewer is generally thought of as an administrative tool, there is no guarantee that the user who opens a particular event record would be privileged. Unprivileged users can read the System and Application logs. Although the Security log can only be read by privileged users, only privileged processes can write to it.
- To the best of our knowledge, it is not possible to manipulate the normal auditing functions of any Windows 2000 service in order to create an event record that would exploit this vulnerability. Instead, a custom piece of code would need to be created and run to create such a record.
- If firewalling and other appropriate precautions have been taken, only authenticated users will have access to network machines and be able to write event log records.
Vulnerability identifier: CAN-2001-0147
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. By entering a specially malformed record into a machine's event log, an attacker could cause either of two effects to occur when the record was subsequently opened. In the least serious case, he could cause the event viewer to fail. In the more serious case, he could cause the event viewer's functionality to be modified while running, in order to perform a task of his choosing on the other user's machine.
The most significant mitigating factor associated with this vulnerability is the need for the attacker to be able to authenticate to the machine he wanted to attack. The net result is that, on a properly configured system, it is unlikely that an outsider such as an Internet user could exploit this vulnerability.
What causes the vulnerability?
The event viewer in Windows 2000 contains an unchecked buffer. If the event viewer were used to view an event log record containing a specially malformed record, the buffer could be overrun, which could in the worst case potentially enable code of another user's choice to be run on the machine.
What's the event viewer?
The event viewer is a tool that's used to view event logs in Windows NT® and Windows 2000. Whenever an event like an application error, system warning, or security-critical operation occurs, the event logging system generates a record in either of three event logs: the Application, System or Security logs, respectively. The event viewer enables authorized users to view the records, as well as enabling them to manage the logs.
What's wrong with the Windows 2000 event viewer?
The event viewer contains an unchecked buffer in a part of the code that processes and displays the properties pages for event records. If it were used to view the properties of an event record that contained a particular type of malformed information, a buffer overrun would result.
As is usually the case with buffer overrun vulnerabilities, either of two outcomes could occur. In the least serious case - in which the buffer was overrun by random data - the event viewer would fail. In the more serious case - in which the attacker filled the affected field in the event record with carefully selected data - the functionality of the event viewer could be modified while it was running, in order to make it take something other than its intended action.
What would the first case enable an attacker to do?
If the event record were filled with random data, the event viewer would fail each time it attempted to read the malformed record. The user could restart it and continue working normally. Although she could not delete the specific record, she could avoid viewing it until such time as she cleared the entire log.
What would the second case enable an attacker to do?
If an attacker were able to insert an event record containing specially chosen data, he could cause the event viewer to take any action he wanted when it processed the record. The only limitation on the actions the code could take would be those associated with the user - if she had few privileges on the machine, the code might be able to do very little. On the other hand, if she was an administrator, the code could do virtually anything on the machine.
Who can view the event logs?
It varies, depending on the particular event log. The Application and System log can be viewed by any user, but only administrators can view the Security log.
What would the user need to do in order to trigger the buffer overrun?
The buffer overrun would only occur if the user viewed the detailed information about the specially malformed event record the attacker had created. When Event Viewer is started, the left pane shows the console tree, and the right pane shows a listing of all events in the log. Simply viewing the information on this screen would not be sufficient to trigger the buffer overrun. The buffer overrun could only be triggered if the user double-clicked on the attacker's event record, or if she right-clicked it and chose "Properties".
How could the attacker create the malformed event record?
By design, unprivileged processes are able to write event records to the Application and System logs using standard Win32 API calls. (They can't, however, write to the Security log). The attacker could write an application that would use these API calls to write a malformed record to an event log.
Could someone create such a record accidentally, though normal use of the system?
No. None of the system services will create a record with the specific malformation at issue here. Simply using the system would not, under any conditions, create such a record.
Could the attacker exploit this vulnerability remotely?
It is possible to write an event record remotely. However, the mechanism by which this could be done is typically blocked by firewalling. Thus, in a properly-secured environment, it's likely that this vulnerability could only be exploited by an intranet user.
Could the attacker insert a malformed record into the event viewer and then deliberately view the record, as a way of elevating his privileges?
No. Although he could insert a record into the log and then view it, the event viewer would run in his own security context, so he wouldn't gain anything by doing this.
Is there any way to view the event log safely?
Of course, the best way to use the event viewer safely is to apply the patch. However, it would also be possible to use the Dumpel tool to dump the event log into an Excel file, and then view it using Excel.
Does this vulnerability affect Windows NT 4.0 systems?
The Windows NT 4.0 event viewer is not affected by this vulnerability. However, there is a scenario through which a Windows NT 4.0 system could be involved in an exploit scenario for this vulnerability.
The event viewer can be used to remotely view the event log on another machine. The important factor is not what system houses the malformed record, but whether an affected event viewer were used to display it. This means that if an attacker inserted a malformed record into the event log on a Windows NT 4.0 system, and a user on a Windows 2000 system remotely viewed it, she could be affected by the vulnerability.
Who should use the patch?
Microsoft recommends that all Windows 2000 users consider installing the patch. However, it's especially important that the patch be installed on critical machines like servers, domain controllers, and the like.
What does the patch do?
The patch eliminates the vulnerability by causing the event viewer to check all input before using it, thereby preventing the buffer from being overrun.
Download locations for this patch
- Microsoft Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server:
- Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.
Additional information about this patch
This patch can be installed on systems running Windows 2000 Service Pack 1 and Service Pack 2.
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 3.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
- To verify the individual files, use the date/time and version information provided in the following registry key:
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q285156 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 26, 2001): Bulletin Created.
- V1.1 (October 04, 2001): Bulletin revised to note that a new version of the patch was released to address a post-SP2 packaging issue, as discussed in Q299549. (Both the old and new versions of the patch protect the machine from the vulnerability in this bulletin.) Registry key data and patch applicability sections have been updated appropriately.
- V1.2 (June 23, 2003): Updated Windows Update download links.
Built at 2014-04-18T13:49:36Z-07:00