Crash on querying windows_eventlog

[allwalte]

Bug report

Two of the machines I was trying to use the windows_eventlog table on crashed on queries to it (but others were fine!). This was happening even with a very basic query like 'select data FROM windows_eventlog WHERE channel="Security";' This appears to be related to some data in that particular log, as clearing the log allows the query to run. This is consistent with only seeing it on some systems and not others. It's happened on at least two machines, though I only have access to one right now, but it's a mostly fresh VM deploy. I can upload the crash dump (it's a buffer overflow) and the exported event log shortly.

What operating system and version are you using?

The one I have access to at the moment is Windows 10 1803 (17134); another one reported to me was Windows 10 21H2 (19044).

What version of osquery are you using?

I tried this with both 4.8.0 and 5.0.1 and got the same crash.

What steps did you take to reproduce the issue?

Ran a variety of queries with the windows_eventlog table and found that the crash happened with any of them that specifically queried the "Security" log on this machine. The other machine that I was told this happened on was querying Application, which still fits with the idea that it's just some data in a log that's causing this rather than anything specific to any specific log. And to reiterate, clearing the log on the affected system allowed the queries to run as expected.

What did you expect to see?

A successful query returning data

What did you see instead?

An osqueryi crash

[allwalte]

Hmmm - it's not letting me attach the files. Preferred way of getting these to someone? Let me know.

[Smjert]

Hmmm - it's not letting me attach the files. Preferred way of getting these to someone? Let me know.

Hello @allwalte, what type and size is the file?
You might want to check: https://docs.github.com/en/github/writing-on-github/working-with-advanced-formatting/attaching-files

[allwalte]

I was focusing on the crash dump, which is bigger than the limits even zipped. Ended up throwing it on dropbox for now - if you want it via some other method just lmk: https://www.dropbox.com/s/347xywv03h88rfo/osqueryi_crashdump.zip?dl=0

Guess the event log can go here directly though
securitylog.evtx.zip

[nmeocisco]

I did some investigation on this and found the cause. This is the specific XML from the event that is causing the crash:

<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" EventSourceName="" />
      <EventID>4739</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>13569</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2021-07-09T17:42:21.9876643Z" />
      <EventRecordID>203</EventRecordID>
      <Correlation ActivityID="{5afc5725-7524-0001-8857-fc5a2475d701}" />
      <Execution ProcessID="624" ThreadID="728" />
      <Channel>Security</Channel>
      <Computer>DESKTOP-HFR8AR9</Computer>
      <Security />
   </System>
   <ProcessingErrorData>
      <ErrorCode>15005</ErrorCode>
      <DataItemName>DomainBehaviorVersion</DataItemName>
      <EventPayload>500061007300730077006F0072006400200050006F006C006900630079000000570049004E002D0049004C004300520034004F0052004700520038004B000000010400000000000515000000565FEFBD61D62A8A3BB41C7D010100000000000512000000570049004E002D0049004C004300520034004F0052004700520038004B002400000057004F0052004B00470052004F00550050000000E7030000000000002D0000002557FC5A247501002557FC5A247501002D0000002D0000002D0000002D0000003000000030000000300000002D0000002D0000002D0000002D000000</EventPayload>
   </ProcessingErrorData>
</Event>

There is an exception being thrown at this point in the code: https://github.com/osquery/osquery/blob/master/osquery/events/windows/windowseventlogparser.cpp#L184-L190

There is a call to property_list.get_child("Event") which is what is actually throwing an exception because the "Event" child does not actually exist. The calls to getDataFromPtree just above would add this if there was either "EventData" or "UserData" in the XML, but since neither exist the property list is empty and throws an exception which is not properly caught and handled and leads to a crash of osquery.

While this could potentially be handled by simply adding a general exception handler to catch std::exception or making sure the property list child exists before attempting to access it, that would simply skip the event log entry when maybe it would need to be included as part of the results. There may be other potential XML elements that need to be parsed as well in order to capture all possible data from Windows Events. This is the full schema as documented by Microsoft:

https://docs.microsoft.com/en-us/windows/win32/wes/eventschema-elements

[tferguson7337]

@nmeocisco @Smjert Any plans on fixing this? This is still an issue as of osquery 5.5.1. I understand that additional work is needed for ensuring all possible event-data is captured, but a quick fix to catch the exception and skip problematic events seems preferable to crashing and losing all queried data imo.