Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bad event log records can cause Winlogbeat crashes in XP / 2003 #6234

Closed
andrewkroh opened this issue Jan 31, 2018 · 0 comments
Closed

Bad event log records can cause Winlogbeat crashes in XP / 2003 #6234

andrewkroh opened this issue Jan 31, 2018 · 0 comments
Assignees
@adriansr
Labels
bug Winlogbeat

Comments

@andrewkroh
Copy link
Member

If an event is published to the Windows event log that contains fewer message parameters than are required by the message template this will cause a crash. FormatMessage does not safely check the number of arguments provided against the number required by the template.

For example:

  1. Application reports event 123 with parameters ["akroh", "192.168.0.1"].
  2. Event 123 is defined as User %1 connected from %2:%3..
  3. Winlogbeat receives the event and attempts to populate the template using the given paremters.
  4. FormatMessage causes a STATUS_ACCESS_VIOLATION exception that crashes Winlogbeat.

For confirmed bugs, please report:

  • Version: all
  • Operating System: Windows XP and Windows 2003 (all architectures)
  • Steps to Reproduce:
    1. An application publishes an event with fewer parameters than are required for the message template.
@adriansr adriansr mentioned this issue Jan 31, 2018
Closed
adriansr added a commit to adriansr/beats that referenced this issue Jan 31, 2018
@adriansr
Winlogbeat: Fix event formatting with missing params
2cd8d8d 
There was a crash in the eventlogging module used in legacy Windows
versions (XP and 2003 server). It is necessary to account for the case
where an event contains fewer parameters than required by its format
string.

Closes elastic#6234
adriansr added a commit to adriansr/beats that referenced this issue Jan 31, 2018
@adriansr
Winlogbeat: Fix event formatting with missing params
32152e8 
There was a crash in the eventlogging module used in legacy Windows
versions (XP and 2003 server). It is necessary to account for the case
where an event contains fewer parameters than required by its format
string.

Closes elastic#6234
@adriansr adriansr mentioned this issue Jan 31, 2018
Merged
andrewkroh pushed a commit that referenced this issue Feb 8, 2018
@adriansr @andrewkroh
Fix event formatting with missing params (#6247)
a0ec41d 
There was a crash in the eventlogging module used in legacy Windows
versions (XP and 2003 server). It is necessary to account for the case
where an event contains fewer parameters than required by its format
string.

Closes #6234
adriansr added a commit to adriansr/beats that referenced this issue Feb 12, 2018
@adriansr
Winlogbeat: Fix event formatting with missing params
b2324b9 
There was a crash in the eventlogging module used in legacy Windows
versions (XP and 2003 server). It is necessary to account for the case
where an event contains fewer parameters than required by its format
string.

Closes elastic#6234
@adriansr adriansr mentioned this issue Feb 12, 2018
Merged
andrewkroh pushed a commit that referenced this issue Feb 13, 2018
@adriansr @andrewkroh
5.6: Fix event formatting with missing params (#6352)
709b21c 
* Winlogbeat: Fix event formatting with missing params

There was a crash in the eventlogging module used in legacy Windows
versions (XP and 2003 server). It is necessary to account for the case
where an event contains fewer parameters than required by its format
string.

Closes #6234
@mariussturm mariussturm mentioned this issue Mar 7, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adriansr adriansr

Labels
bug Winlogbeat
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andrewkroh @adriansr