Dumb bug on NTFS.sys triggers a BSOD when Windows attempts to mount a malformed disk image
The security researcher Marius Tivadar has discovered a vulnerability on Windows NTFS filesystem and published a proof-of-concept code on GitHub that could be used to cause Blue Screen of Death within seconds on most Windows computers.
One can generate blue-screen-of-death using a handcrafted NTFS image. This Denial of Service type of attack, can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.
The PoC is a malformed NTFS image, with some altered data in root directory name, and in INDEX_ALLOCATION in three places:
- In the PoC image, I took file record 5 (root), modified it’s name: ’.’ to ’4’, offset 0x3564da in file.
- Then, in INDEX_ALLOCATION of root, we take an arbitrary entry and overwrite it’s file name with the same name as modified root, in our case ’4’, offset 0x02c542 in file.
- Also, in the same INDEX_ALLOCATION entries, we take the entry that contains the root directory ’.’ , we modify it’s name with ’4’, offset 0x02c4ea in file.
The malformed image can be stored on a USB disk: once the user will insert the USB stick in a Windows PC it will crash the system within a few seconds causing a Blue Screen of Death.
Tivadar highlighted that auto-play is usually activated by default:
Auto-play is activated by default, this leads to automatically crashing the system when usb stick is inserted.
Even disabling it the system will crash when the NTFS image is accessed, for eg when an antivirus scans the USB stick:
Even with auto-play disabled, system will crash when the file is accessed. This can be done for eg. when Windows Defender scans the usb stick, or any other tool opening it.
Obviously, if the user clicks on the file, system will crash.
The vulnerability has been currently tested on 3 windows systems:
- Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64
- Windows 10 Pro 10.0.15063, Build 15063 x64
- Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64
The video PoC
Tivadar published two PoC videos, one with an unlocked pc
and one with a locked windows 10 pc:
Marius Tivadar has performed a PoC on a laptop, with a ‘desktop’ Windows version and a phisical access to the system.
However, it points out that:
it is not necessary to have an usb stick. A malware for example could drop a tiny ntfs image and mount it somehow, thus triggering the crash.
So, if this vulnerability affects also some ‘server’ Windows versions, it is possibile to foresee a DOS scenario, i.e. eith an attacker that copy the malformed image on a fileserver, or uploads it on a IIS webserver.
More information and further readings
For more information about the vulnerability and a post-mortem analysis, please refer to the Tivadar’s paper: https://github.com/mtivadar/windows10_ntfs_crash_dos/blob/master/doc/ntfs_crash.pdf
Finally, the PoC image is downloadable from this link: https://github.com/mtivadar/windows10_ntfs_crash_dos/raw/master/ntfsimg/tinyntfs