From ab54e3f8d04c221c5a697e24ed86e8b5373062db Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 16 Mar 2026 13:13:13 +0000 Subject: [PATCH] Add content from: EventLog-in: Propagating With Weak Credentials Using the Eve... --- .../135-pentesting-msrpc.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index e754f591f4a..36d33b79939 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md 
@@ -224,6 +224,32 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel > ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*. + +## MS-EVEN (EventLog) RPC Abuse (CVE-2025-29969) + +The EventLog service exposes the MS-EVEN interface over the named pipe `\PIPE\eventlog`. A low-privileged authenticated user can still interact with the interface, but **binding with the wrong authentication level** can cause the security callback to return `ACCESS_DENIED` even when the credentials are valid. + +### NTSTATUS-based remote path oracle ("hidden CreateFile") + +`ElfrOpenBELW` attempts to open a caller-supplied path and returns distinct NTSTATUS codes, which can be used to **probe remote file or directory existence** under `C$` without listing permissions: + +``` +STATUS_OBJECT_NAME_NOT_FOUND (0xc0000034) -> path does not exist +STATUS_FILE_IS_A_DIRECTORY (0xc00000ba) -> path is a directory +STATUS_EVENTLOG_FILE_CORRUPT (0xc000018e) -> file exists but is not a valid EVTX +STATUS_ACCESS_DENIED -> EVTX exists but access denied +``` + +This lets you confirm installed software or sensitive paths (e.g., under `C:\Program Files`) using only low-privileged credentials. + +### Remote file write via MS-EVEN backup + +`ElfrBackupELFW` takes a handle to an opened log and a **caller-supplied destination path**. By opening a valid EVTX from an attacker-controlled SMB share, you can obtain a handle and then **copy that file to any path writable by the low-privileged user** on the target. The EventLog service performs the write, so you do not need admin access to `C$`. + +### TOCTOU to bypass EVTX validation (CVE-2025-29969) + +The EventLog service validates only the EVTX header on the initial read, then **re-reads the full file during backup**. 
If the source EVTX is hosted on an attacker-controlled SMB share, you can swap the file contents **after the header check** and **before** `ElfrBackupELFW` reads it. This creates a **remote arbitrary file write** primitive (write attacker-controlled bytes to a chosen destination path) that can be turned into execution via writable Startup folders or missing-DLL hijacking. Microsoft patched this TOCTOU behavior in **May 2025**, but the NTSTATUS path oracle remains. + ## References - [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/) @@ -233,6 +259,9 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/) - [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer) +- [SafeBreach Labs – EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)](https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/) +- [SafeBreach Labs PoC – EventLogin-CVE-2025-29969](https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969) +- [Microsoft MSRC – CVE-2025-29969](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29969) {{#include ../banners/hacktricks-training.md}}
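Review bot: the section heading `## MS-EVEN (EventLog) RPC Abuse (CVE-2025-29969)` attaches the CVE to the whole section, yet the hunk's last paragraph states that only the TOCTOU was patched in May 2025 and that the NTSTATUS path oracle remains; keep the CVE on the `### TOCTOU to bypass EVTX validation (CVE-2025-29969)` subsection only and drop it from the top heading so a reader does not conclude that the May 2025 update also closes the oracle and the backup-based write. In the NTSTATUS block, `STATUS_ACCESS_DENIED` is the only entry without its hex value while the other three carry one; add `0xc0000022` for consistency, and give the fence a language tag (`text`) so it renders like the file's other blocks. The sentence on "binding with the wrong authentication level" tells the reader the security callback returns `ACCESS_DENIED` but never says which level is expected, so state it or cite the SafeBreach write-up for it. A short defender-facing note would also round the section out: the fix is the May 2025 update referenced in the MSRC advisory, and both the oracle and the backup write are driven by low-privileged authenticated calls over `\PIPE\eventlog`, which is where EventLog service and named-pipe telemetry should be monitored.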
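Review bot: the three added reference entries use an `Author – Title` label with an en dash, which does not match the surrounding list, where entries are either a bare URL or `Title (Source, year)` as in the Incendium.rocks and MS-RPC-Fuzzer lines; restyle them, e.g. `EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows, CVE-2025-29969 (SafeBreach Labs)` and `CVE-2025-29969 (Microsoft MSRC)`. Since the MSRC advisory is introduced here, the "Microsoft patched this TOCTOU behavior in May 2025" claim in the body should cite it inline rather than leaving the date unsourced.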