[16611] in bugtraq


Announcing WinZapper - erase individual event records in the

daemon@ATHENA.MIT.EDU (Arne Vidstrom)
Wed Sep 6 19:29:12 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <JKEHIOKGPMHGBMCCADAIMEGDCDAA.arne.vidstrom@ntsecurity.nu>
Date:         Wed, 6 Sep 2000 19:49:43 +0200
Reply-To: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
From: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi all,

This is an announcement of a new tool - WinZapper - for Windows NT 4.0 and
Windows 2000, that can be used to selectively erase event log records in the
security log. As far as we know there exists no other tool that is able to do
this. WinZapper can be downloaded from:

http://ntsecurity.nu/toolbox/winzapper/

Beyond merely announcing this tool, we would like to emphasize a few
important things:

* WinZapper can only be used from an Administrators account, thus this has
_nothing_ to do with any new security vulnerabilities in Windows NT / 2000.
Please refrain from bashing MS about this!

* There seems to be a common misconception out there that there is no way to
erase individual event records in the security log. (The ordinary API to the
event logging system only allows clearing the whole log, and the log files
are locked by the OS.) This is not true, and now we have been able to show
this in practice.

* There seems to be another common misconception out there that there is no
way to write "fake" event records into the security log. This is not true
either - any user with an Administrators account can inject completely made
up event records into the security log. Please remember this before using
the log to point out offenders!

* It would be trivial to extend WinZapper to work remotely like a
client/server system. Thus, this is _not_ limited to attackers having
physical access!

To sum things up: after an attacker has gained Administrators access to your
system, you simply cannot trust your security log! And as always, remember
that an attacker with that kind of access can do _anything_ to your system!

Regards, Arne Vidstrom / The ntsecurity.nu team.

http://ntsecurity.nu - providing unique freeware security tools for Windows
NT 4.0 / 2000

P.S. Thanks to Ola Nordstrand (ola.nordstrand@ntsecurity.nu) and Svante
Sennmark for doing some beta testing with WinZapper. Thanks to Roger
Lindgren (roger.lindgren@ntsecurity.nu) for a bunch of programming tips.
D.S.
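The post's two claims, that individual records can be removed and that fake records can be injected, both leave traces a defender can look for in a copy of the log taken before the attacker touches it again. The script below is an added illustration, not part of the announcement or of WinZapper: it assumes exported records carry a monotonically increasing record number and a generation timestamp, and the sample records are constructed. It is a heuristic only; an attacker with Administrators access who renumbers records and forges timestamps will pass it, which is exactly the post's point.

```python
"""Heuristic integrity check for an exported Windows Security log.

Two tampering methods named in the post may leave traces:
  * removing a record in place leaves a gap in the sequential record
    numbers (assumption: record numbers are monotonically increasing);
  * a record injected after the fact may carry a timestamp that is out
    of order with its neighbours.
The records below are constructed sample data, not a real log.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class EventRecord:
    record_number: int    # assumed sequential per log
    timestamp: datetime   # time the record was generated
    event_id: int         # e.g. 528 logon, 538 logoff, 592 process created


def find_record_gaps(records):
    """Return (first_missing, next_present) pairs where numbering skips."""
    ordered = sorted(records, key=lambda r: r.record_number)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.record_number != prev.record_number + 1:
            gaps.append((prev.record_number + 1, cur.record_number))
    return gaps


def find_time_anomalies(records):
    """Return record numbers whose timestamp precedes the previous record's."""
    ordered = sorted(records, key=lambda r: r.record_number)
    return [cur.record_number for prev, cur in zip(ordered, ordered[1:])
            if cur.timestamp < prev.timestamp]


def audit(records):
    """Combine both checks into one report for the exported log."""
    return {"gaps": find_record_gaps(records),
            "time_anomalies": find_time_anomalies(records)}


SAMPLE_LOG = [  # constructed: record 102 is absent, 104 has a backdated time
    EventRecord(100, datetime(2000, 9, 6, 19, 0, 0), 528),
    EventRecord(101, datetime(2000, 9, 6, 19, 1, 0), 592),
    EventRecord(103, datetime(2000, 9, 6, 19, 3, 0), 538),
    EventRecord(104, datetime(2000, 9, 6, 18, 30, 0), 528),
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Forwarding the log to a separate host as events occur, and running such a check on that copy, is what keeps the comparison meaningful once the local log can no longer be trusted.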
