Unicode Reflection - Event Null Byte Injection


HAWK experts look at “Log Jam”, the latest Unicode data reflection exploit: how they detected its presence, and how HAWK.io MDR can complement existing EDR deployments by providing the missing telemetry that is critical to efficient and effective SOAR efforts.

Internally known as "Log Jam", this Unicode data reflection in Windows Events can halt log/event analysis and third-party processing and forwarding that rely on the XML export feature. It is deemed a potential detection evasion technique.

Tested systems:

  • Windows 10 Version 2004 x64 (OS Build 19041.572) en-us

  • Windows 10 Version 20H2 x64 (OS Build 19042.630) en-us

  • Microsoft Windows Server 2019 Datacenter x64 (6.3 build 17763)

A potential detection evasion technique has been found that affects the data returned from EvtRender and EvtFormatMessage when the XML format option (EvtRenderEventXml) is used on Windows.

When calling EvtRender/EvtFormatMessage with the EvtRenderEventXml format flag, the rendered data is returned together with the total size of the buffer used. Code that measures the result with wcslen, rather than relying on the returned size, gets the wrong length, because wcslen stops at the first embedded null character. In the following example, the value returned by wcslen(pRenderedContent) does not equal dwBufferUsed.

EvtRender(NULL, hEvent, EvtRenderEventXml, dwBufferSize, pRenderedContent, &dwBufferUsed, &dwPropertyCount)

Per the online example here, the code in the function "DWORD PrintEvent(EVT_HANDLE hEvent)" is impacted as well at line 35, as demonstrated by an incomplete XML document. Additionally, the same thing is impacted here.
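To make the consumer-side mismatch concrete, here is an added C illustration (not the post's or HAWK's code, and not output captured from EvtRender): a constructed rendered buffer with an embedded NUL, the length a reader gets from wcslen versus the length implied by dwBufferUsed, a check that flags the difference, and a hex-escaping sanitiser that preserves the hidden bytes for analysis.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed sample of what a rendered <Data> element could look like once an
 * event property carries control characters: the NUL after \x01 cuts the XML
 * short for any code that trusts wcslen(). On Windows wchar_t is 16-bit, but
 * everything below is expressed in sizeof(wchar_t) so it is portable. */
static const wchar_t kSample[] =
    L"<Data Name='CommandLine'>calc.exe " L"\x01" L"\0" L"find me</Data>";

/* Code-unit count the rendered XML really has, derived from the byte count that
 * EvtRender reports in dwBufferUsed (assumed here to include the terminator). */
size_t rendered_len(size_t bytesUsed) {
    return bytesUsed / sizeof(wchar_t) - 1;
}

/* The consumer bug the post describes: measuring with wcslen() instead. */
size_t naive_len(const wchar_t *buf) {
    return wcslen(buf);
}

/* Detection check: a NUL before the end of the reported buffer means the
 * rendered XML is truncated for every wcslen()-based reader downstream. */
int has_embedded_nul(const wchar_t *buf, size_t bytesUsed) {
    return naive_len(buf) < rendered_len(bytesUsed);
}

/* Walk the full reported length and escape NUL, control, DEL and non-ASCII
 * code units as hex, so the original content survives into the log pipeline.
 * Returns the narrow-string length written; out is always NUL-terminated. */
size_t sanitize_rendered(const wchar_t *buf, size_t bytesUsed, char *out, size_t outCap) {
    size_t n = rendered_len(bytesUsed), pos = 0;
    for (size_t i = 0; i < n && outCap > 0; i++) {
        unsigned long c = (unsigned long)buf[i];
        int w;
        if (c >= 0x20 && c <= 0x7E)
            w = snprintf(out + pos, outCap - pos, "%c", (char)c);
        else if (c <= 0xFF)
            w = snprintf(out + pos, outCap - pos, "\\x%02lX", c);
        else
            w = snprintf(out + pos, outCap - pos, "\\u%04lX", c);
        if (w < 0 || (size_t)w >= outCap - pos) break;   /* out of room: stop */
        pos += (size_t)w;
    }
    if (outCap > 0) out[pos] = '\0';
    return pos;
}
```

On the sample above, wcslen sees 35 code units while the reported buffer holds 50, and the sanitised line reads `...calc.exe \x01\x00find me</Data>` with the hidden text intact.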

If an attacker is able to control any property that is written to the event log, whether locally or remotely, they can potentially hide additional data from investigation. Windows Event Viewer is also affected when viewing the XML tab. Furthermore, the issue can potentially halt the log forwarding of third-party products such as Snare, OSSEC, and potentially many others; however, further testing has not been performed. This issue was initially found within our own MDR production deployment, affecting the event/log forwarding tool for Windows (HAWK vTTACᵀᴹ), and was then researched further.

The characters in the following commands are enough to re-create the issue; however, many more exist. Proof of concept can be achieved by running one of these commands:

calc.exe \x02\x10

calc.exe \x02\x11

calc.exe \x02\xff

// will hide "find me"

calc.exe \x20\x0B\x01\xff\x20\x0B\x01\xfff\x01\xffi\x01\xffn\x01\xffd \x01\xffm\x01\xff2e\x01\xff


Once the proof of concept has executed, it can be verified by opening eventvwr.msc, selecting Security beneath "Windows Logs", and finding the event that corresponds to the process creation for calc.exe.


Click the Details tab and select XML View to show the formatting and content failure.


The HAWK vTTACᵀᴹ agent detects these types of malicious data injection attacks and alerts on them. To guarantee the original content is preserved for analysis, we sanitize the injected data by replacing it with its hex representation.

HAWK vTTACᵀᴹ complements existing EDR solutions by focusing on closing the gap of missing telemetry, providing end-to-end MDR logging in one security and investigation tool. Coupled with SOAR and real-time DFIR investigation, vTTACᵀᴹ will not only reduce investigation times but also accelerate SOAR response.

Learn more at HAWK.io

Jason Wheeler, VP Customer Services

Jason Wheeler joined HAWK in 2014 and has been appointed Vice President of Security Services. In this role, Mr. Wheeler will oversee all areas of Customer Services and lead the organization dedicated to providing excellent customer satisfaction.

Mr. Wheeler is well known in the information security field as an expert in exploit research on hardware, web applications, and mobile applications. This research has been featured in Forbes, TechCrunch, and Popular Mechanics. Jason frequently speaks at security events and is involved with several open source projects.

Jason’s broad experience in IT infrastructure and passion for information security, especially offensive security and threat modeling, will continue to influence HAWK’s innovation in both product and services to ensure overall customer success.
