January 31, 2024 By Zeljka Zorz
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders.
Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.
The vulnerability and the PoC
Florian found the bug while working on a fuzzer, which he used to analyze the Event Log RPC (Remote Procedure Call) interface for vulnerabilities and to detect a crash in the ElfrRegisterEventSourceW function of the MS-EVEN RPC interface.
“To avoid having to deal with the low-level details of the RPC protocol/interface, I looked for a higher-level API that would generate the ElfrRegisterEventSourceW RPC call under the hood. This is how I came across the RegisterEventSourceW function, which I then used in my PoC,” he told Help Net Security.