COMMAND
EventViewer
SYSTEMS AFFECTED
Win2000
PROBLEM
The following is based on Microsoft Security Bulletin MS01-013.

The Windows 2000 event viewer snap-in has an unchecked buffer in a
section of the code that displays the detailed view of event
records. If the event viewer attempted to display an event
record that contained specially malformed data in one of the
fields, either of two outcomes would result. In the less serious
case, the event viewer would fail. In the more serious case, code
of the attacker's choice could be made to run via a buffer
overrun.

By design, unprivileged processes can log events in the System and
Application logs, and interactively logged-on, unprivileged users
can view them. However, only privileged processes can log events
in the Security log, and only interactively logged-on
administrators can view it. If the vulnerability were exploited
to run code of the attacker's choice, the code would run in the
security context of the user who viewed the affected record.

Simply perusing the listing of events in a log would not allow
the vulnerability to be exploited. It could only be exploited
if the user opened an affected record to view the event details.
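A bounds-checked form of the kind of detail-view field copy described above, as an added example (not code from Microsoft or from the bulletin). The record header layout, DETAIL_BUF, render_detail and demo_case are hypothetical and simplified; the real event record format is not reproduced here.

```c
#include <stdint.h>
#include <string.h>

#define DETAIL_BUF 64  /* fixed display buffer size (assumed for the example) */
enum { REC_OK = 0, REC_TRUNCATED = 1, REC_MALFORMED = -1 };

/* Hypothetical simplified record header, NOT the real Windows event log layout. */
struct rec_hdr {
    uint32_t length;      /* total record size claimed by the writer */
    uint32_t str_offset;  /* where the description field starts */
    uint32_t str_length;  /* description field size in bytes */
};

/* Copy the description into out[], treating every header value as untrusted. */
int render_detail(const uint8_t *rec, size_t avail, char out[DETAIL_BUF])
{
    struct rec_hdr h;
    size_t n;
    int status = REC_OK;
    out[0] = '\0';
    if (avail < sizeof h) return REC_MALFORMED;
    memcpy(&h, rec, sizeof h);                       /* no unaligned reads */
    if (h.length < sizeof h || h.length > avail) return REC_MALFORMED;
    if (h.str_offset < sizeof h || h.str_offset > h.length) return REC_MALFORMED;
    /* Subtraction form cannot wrap, unlike str_offset + str_length. */
    if (h.str_length > h.length - h.str_offset) return REC_MALFORMED;
    n = h.str_length;
    /* Clamp to the display buffer instead of trusting the claimed length. */
    if (n > DETAIL_BUF - 1) { n = DETAIL_BUF - 1; status = REC_TRUNCATED; }
    memcpy(out, rec + h.str_offset, n);
    out[n] = '\0';
    return status;
}

/* Build a constructed sample record whose header claims `claimed` bytes of text. */
int demo_case(const char *text, uint32_t claimed)
{
    uint8_t rec[256];
    char out[DETAIL_BUF];
    struct rec_hdr h = { (uint32_t)(sizeof h + strlen(text)), (uint32_t)sizeof h, claimed };
    if (sizeof h + strlen(text) > sizeof rec) return REC_MALFORMED;
    memcpy(rec, &h, sizeof h);
    memcpy(rec + sizeof h, text, strlen(text));
    return render_detail(rec, h.length, out);
}

int main(void) { return demo_case("Service started", 15) != REC_OK; }
```

A record whose claimed field length exceeds the record itself is rejected before any copy, and a valid but oversized field is truncated to the display buffer.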
Although the Event Viewer is generally thought of as an
administrative tool, there is no guarantee that the user who opens
a particular event record would be privileged. Unprivileged users
can read the System and Application logs. The Security log can
only be read by privileged users, but only privileged processes
can write to it.

If firewalling and other appropriate precautions have been taken,
only authenticated users will have access to network machines and
be able to write event log records.

This bug was found by Blake Watts.
SOLUTION
A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-013.asp
for information on obtaining this patch.