Hello 3APA3A, Sorry for the delay in reporting the status of this case. The test teams have concluded their investigations and we have determined that this would fall into a next version type of fix. This has already been fixed in Vista and since this is more of a tampering scenario rather than a security vulnerability we have decided not to address this issue in a bulletin or service pack. Please let me know if you have any concerns or questions regarding this decision. I will be closing this case out, but if you feel that we have not correctly reached the correct conclusion then I can easily reopen this case. Thank you again for reporting this issue to us.
Thanks, Dave MSRC -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BART. .... Sent: Wednesday, December 27, 2006 8:11 AM To: [EMAIL PROTECTED] Cc: [email protected] Subject: [Full-disclosure] FW: [Fwd: Re[2]: Fun with event logs (semi-offtopic)] Dear 3APA3A, Correct me if i am wrong, but it looks like it's documented behavior of the event viewer. This is what i found: Note that there is no way to log a string that contains %n, where n is an integer value. This syntax is used in IPv6 addresses, so it is a problem to log an event message that contains an IPv6 address. For example, if the message text contains %1, the event viewer treats it as an insertion string. If the string contains %%1, the event viewer literally uses %%1. Source: http://msdn2.microsoft.com/en-us/library/aa363679.aspx Greetz, B >-------- Original Message -------- >Subject: Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic) >Date: Thu, 21 Dec 2006 20:13:14 +0300 >From: 3APA3A <[EMAIL PROTECTED]> >Reply-To: 3APA3A <[EMAIL PROTECTED]> >Organization: http://www.security.nnov.ru >To: Michele Cicciotti <[EMAIL PROTECTED]> >CC: [email protected], [email protected] >References: <[EMAIL PROTECTED]> ><[EMAIL PROTECTED]> > > > >Dear Michele Cicciotti, > >--Thursday, December 21, 2006, 6:20:54 PM, you wrote to >[email protected]: > >>>There is interesting thing with event logging on Windows. The >>>only security aspect of it is event log record tampering and >>>performance degradation, but it may become sensitive is some 3rd >>>party software is used for automated event log analysis. > >MC> I doubt this. The event logs don't contain the actual formatted >MC> string, because the template string is localized and only retrieved >MC> when the entry is displayed - what is logged is just a message id >MC> and the string inserts (see documentation for EVENTLOGRECORD). >MC> FormatMessage (which is used to build the full message to display >MC> to the user) isn't the culprit, either, because it doesn't operate >MC> recursively (that would have bizarre consequences, since > >As I wrote, my message is semi-offtopic, because it's more fun than >any security vulnerability here. > >Yes, probably this bug only affects event viewer itself. I >don't understand how and why Microsoft achieved this effect in event >viewer, which is, by the way, security tool, and if it's hard for >different vendor to make same mistake. It doesn't look like Easter >egg, but if FormatMessage does not recursion it needs to be specially >coded and it does nothing except this bug. Bug, that needs to be >specially coded is new funny bug category, isn't it? > >-- >~/ZARAZA >http://www.security.nnov.ru/ > > _________________________________________________________________ The MSN Entertainment Guide to Golden Globes is here. Get all the scoop. http://tv.msn.com/tv/globes2007/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
