29 changes: 29 additions & 0 deletions src/network-services-pentesting/135-pentesting-msrpc.md
Expand Up @@ -224,6 +224,32 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
> ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.



## MS-EVEN (EventLog) RPC Abuse (CVE-2025-29969)

The EventLog service exposes the MS-EVEN interface over the named pipe `\PIPE\eventlog`. A low-privileged authenticated user can still interact with the interface, but **binding with the wrong authentication level** can cause the security callback to return `ACCESS_DENIED` even when the credentials are valid.

### NTSTATUS-based remote path oracle ("hidden CreateFile")

`ElfrOpenBELW` attempts to open a caller-supplied path and returns distinct NTSTATUS codes, which can be used to **probe remote file or directory existence** under `C$` without listing permissions:

```
STATUS_OBJECT_NAME_NOT_FOUND (0xc0000034) -> path does not exist
STATUS_FILE_IS_A_DIRECTORY (0xc00000ba) -> path is a directory
STATUS_EVENTLOG_FILE_CORRUPT (0xc000018e) -> file exists but is not a valid EVTX
STATUS_ACCESS_DENIED -> EVTX exists but access denied
```

This lets you confirm installed software or sensitive paths (e.g., under `C:\Program Files`) using only low-privileged credentials.

### Remote file write via MS-EVEN backup

`ElfrBackupELFW` takes a handle to an opened log and a **caller-supplied destination path**. By opening a valid EVTX from an attacker-controlled SMB share, you can obtain a handle and then **copy that file to any path writable by the low-privileged user** on the target. The EventLog service performs the write, so you do not need admin access to `C$`.

### TOCTOU to bypass EVTX validation (CVE-2025-29969)

The EventLog service validates only the EVTX header on the initial read, then **re-reads the full file during backup**. If the source EVTX is hosted on an attacker-controlled SMB share, you can swap the file contents **after the header check** and **before** `ElfrBackupELFW` reads it. This creates a **remote arbitrary file write** primitive (write attacker-controlled bytes to a chosen destination path) that can be turned into execution via writable Startup folders or missing-DLL hijacking. Microsoft patched this TOCTOU behavior in **May 2025**, but the NTSTATUS path oracle remains.

## References

- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
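Review bot: the "Remote file write via MS-EVEN backup" paragraph is inconsistent about whose permissions govern the destination path: it says the copy can target "any path writable by the low-privileged user" and in the next sentence that "the EventLog service performs the write", which would make the service account's access the relevant one. State which account's ACLs apply (and whether the service impersonates the caller) so readers know which destinations are actually reachable and which ACLs defenders should audit. Further points in the same hunk: the opening paragraph says binding with "the wrong authentication level" yields `ACCESS_DENIED` but never names the required level, so that sentence is not actionable as written; in the NTSTATUS block, `STATUS_ACCESS_DENIED` is the only entry without its numeric code (it is 0xc0000022) and the fence has no language tag, unlike the other fences in this file; and the CVE number appears in both the H2 and the TOCTOU H3 even though the text itself says the path oracle is not part of the patched issue, so keep the CVE only on the TOCTOU heading. The three consecutive blank lines before the new H2 should collapse to one.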
Expand All @@ -233,6 +259,9 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
- [SafeBreach Labs – EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)](https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/)
- [SafeBreach Labs PoC – EventLogin-CVE-2025-29969](https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969)
- [Microsoft MSRC – CVE-2025-29969](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29969)

{{#include ../banners/hacktricks-training.md}}

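Review bot: the new section's only statement about the fix ("Microsoft patched this TOCTOU behavior in May 2025") is not linked to the MSRC entry added here, so a reader checking patch status has to scan the reference list; link the MSRC advisory from that sentence. Style-wise the three added entries use a titled "[text](url)" form with an en dash, while the neighbouring entries are bare URLs; pick one form for the list.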