Title: Microsoft Windows 2000 Event Viewer Buffer Overflow Vulnerability
Severity: MODERATE
Description:
The Windows 2000 Event Log service maintains three important system log files: the Security log, the Application log and the System log.
Event Viewer is a Windows 2000 troubleshooting tool, used to view events recorded in the three logs maintained by the Event Log service.
A section of Event Viewer's code is vulnerable to a buffer overflow triggered by invalid data contained in any of the three system logs.
A malicious user could construct a malicious entry in a system log. When a user opens the corrupted log and views the details of the event, the invalid data in the file can create a buffer overflow condition. This will normally result in the termination of Event Viewer, which amounts to a denial of service against the Event Viewer tool. If the attacker has constructed a payload containing arbitrary code, that code can be executed with the privilege level of the user running Event Viewer.
Note that processes run by unprivileged users may write entries in the Application and System logs, and these entries may subsequently be read via Event Viewer by users without high privilege. The Security log is readable and writeable only by administrators. Therefore, exploitation of this vulnerability is less likely via the Security log than through the Application and System logs.
Affected Products:
- Avaya DefinityOne Media Servers
- Avaya IP600 Media Servers
- Avaya S3400 Message Application Server
- Avaya S8100 Media Servers
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server