EventLogin - CVE-2025-29969

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969
• Blog Title: EventLogin - CVE-2025-29969
• Suggested Section: Network Services Pentesting -> 135, 593 - Pentesting MSRPC (or a new MS-EVEN/Eventlog service page) and cross-link from Windows Local Privilege Escalation / Lateral Movement primitives (Remote Arbitrary File Write -> Persistence)

🎯 Content Summary

What this repo is
This GitHub repository (SafeBreach-Labs/EventLogin-CVE-2025-29969) is a small exploitation toolkit / PoC wrapper for CVE-2025-29969 (nicknamed “EventLog-in”). It documents and automates abusing a TOCTOU (Time-of-Check Time-of-Use) flaw in Microsoft Windows’ MS-EVEN (Eventlog) protocol that lets an authenticated low-privileged user cause a target Windows host to perform an arbitrary remote file write (i.e., write attacker-chos...

🔧 Technical Details

TOCTOU in MS-EVEN (Eventlog) enabling low-privileged remote arbitrary file write (CVE-2025-29969)
If a Windows service/protocol exposes file-related operations and contains a TOCTOU race between validation (“check”) and the actual file operation (“use”), an authenticated low-privileged user may be able to redirect the operation to an attacker-chosen destination and obtain an arbitrary file write on the remote host. This primitive is highly chainable: writing to auto-executed paths (e.g., C:\Users&lt;user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>) can provide persistence and potential code execution on next logon, while other targets (service config files, task files, DLL search paths) may lead to stronger execution depending on environment and permissions.

SMB-staged “server-side copy/write” pattern for remote writes
A common operational pattern for service-side file write/ingest bugs is to host ...

🤖 Agent Actions

Summary:
Updated src/network-services-pentesting/135-pentesting-msrpc.md with a new MS-EVEN section covering the CVE-2025-29969 TOCTOU remote file-write primitive, SMB staging workflow, and the CreateFile-style recon primitive, plus added SafeBreach repo/blog references.

Tests:
Not run (documentation-only change).

Files changed:

• src/network-services-pentesting/135-pentesting-msrpc.md

Next steps:

1. Review the new MS-EVEN section for phrasing/placement preferences.
2. If you want a separate MS-EVEN page, tell me and I’ll propose a minimal refactor while keeping content in a single file as required.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 135, 593 - Pentesting MSRPC (or a new MS-EVEN/Eventlog service page) and cross-link from Windows Local Privilege Escalation / Lateral Movement primitives (Remote Arbitrary File Write -> Persistence)".

Repository Maintenance:

• MD Files Formatting: 954 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0