NTFS filesystem bug could crash Windows 7, 8, and 8.1

Any gerbils out there using Windows 7, 8, or 8.1 may want to take note, particularly if they use Internet Explorer on those systems. A security vulnerability has come to light (Google Translation), affecting those operating systems. A malicious local application or even a website (with IE in the mix) can potentially crash a machine simply by sending a carefully crafted request to access a local file.

The exploit results from a bug in the way Windows handles protected filenames. In this specific case, the offending file is $MFT, which is reserved for a bit of NTFS metadata. There's a hidden $MFT file in the root of every NTFS volume, and normally Windows won't let you access it. A clever trickster figured out that if you use $MFT as if it were a directory—say, by trying to access "C:\$MFT\foo"—the NTFS volume driver will hang. That may not immediately crash the whole system, but it will necessitate a restart eventually.

Most browsers will block any attempt to access local content, but at least on Internet Explorer, the exploit can apparently be triggered simply by using a faulty path as a source for page content like an image. That means that an attacker could craft a page that will cause the machine to lock up and need a reboot. Obviously, local malware can also make use of the exploit, although at that point you arguably have bigger problems.

Microsoft hasn't yet acknowledged the problem or promised a fix. The exploit doesn't affect Windows 10, so it's possible that the company might not be rushing to offer a patch. And, as we mentioned before, most browsers should simply ignore the remote page's request to use a local data source anyway.
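For sites or proxies that relay user-supplied markup, the sketch below shows one way to flag resource references that address $MFT as a directory, the pattern described above. It is an added example, not code from the article or from Microsoft; the function names, the attribute list, and the sample page are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample page: one benign image, two references of the kind
# the article describes, and one path to a file that is merely named $MFT.
SAMPLE_HTML = r'''
<img src="https://example.test/logo.png">
<img src="file:///C:/$MFT/foo">
<a href="\\localhost\c$\%24MFT\123">link</a>
<img src="C:\data\$MFT">
'''

# Attributes that make a browser fetch or navigate to a resource.
_REF = re.compile(r'''\b(?:src|href|data|background)\s*=\s*(["'])(.*?)\1''',
                  re.IGNORECASE | re.DOTALL)

def mft_used_as_directory(ref: str) -> bool:
    """True when $MFT appears in `ref` followed by a path separator."""
    path = unquote(ref).strip()                 # undo %24-style encoding
    path = re.sub(r'^file:', '', path, flags=re.IGNORECASE)
    parts = re.split(r'[\\/]', path)
    # Every component except the last is followed by a separator, so a
    # match there means $MFT is being addressed as a directory.
    # Conservative choices: compare case-insensitively, ignore trailing
    # dots/spaces, and flag $MFT at any depth rather than only at the root.
    return any(p.rstrip('. ').upper() == '$MFT' for p in parts[:-1])

def flag_references(html: str) -> list[str]:
    """Return the attribute values in `html` that should be stripped or blocked."""
    return [m.group(2) for m in _REF.finditer(html)
            if mft_used_as_directory(m.group(2))]

if __name__ == "__main__":
    for ref in flag_references(SAMPLE_HTML):
        print("blocked:", ref)
```

The check is deliberately over-inclusive: a legitimate page has no reason to reference a local or UNC path through $MFT, so false positives cost little.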

Comments closed
    • kuttan
    • 2 years ago

    People need to use Windows 7 + IE for this possibility of attack to work; in reality very few people actually use such a combo now. Those people still using Windows 7 are most likely using a browser other than IE.

      • Laykun
      • 2 years ago

      Windows 7, according to web stats, still has a higher market share than Windows 10. It’s not too far to assume that these laggards, in the vein of laggards, would also still use Internet Explorer, which is the third most popular internet browser. Sure, it’s not 50% of all internet capable desktops, but it’s probably something more like 10%, and that’s still a lot of people.

    • Wirko
    • 2 years ago

    Interestingly, I can still browse \\notebook\Users from another PC after notebook has frozen, and the disk activity light flashes when opening subfolders, so it’s probably not just cached data. I can view file and folder properties and transfer some files, but not all. Windows 7, 32-bit.

    • tipoo
    • 2 years ago

    I’m kind of hoping APFS is the cattle prod to Microsoft to move beyond NTFS altogether. ReFS doesn’t sound like it’s going to be a replacement for consumers. These past few weeks have highlighted even more than usual the issues with carrying forward 20 years of BC.

      • LostCat
      • 2 years ago

      Would love to see it, but don’t expect to before whatever comes after Windows 10.

    • ozzuneoj
    • 2 years ago

    So, would it be as simple as hiding C:\$MFT\*** in URL tags on message boards and making people’s systems crash?

    How has no one else noticed this in the 8 years that Windows 7 had been out?

      • rudimentary_lathe
      • 2 years ago

      Thanks for hacking my system, brah.

    • anotherengineer
    • 2 years ago

    Are XP and 2k immune??

      • dyrdak
      • 2 years ago

      Likely not but neither is Windows 10 (tested on 32bit version, not exactly kept up to date, credit to MS’ behavior). I’ve only done minimal fuzzing to find/reproduce the bug – the system will lock up and only power cycling works. One of the lockups ended with a REFERENCE_BY_POINTER bluescreen.
      Just run (no elevated cmd prompt needed, standard user account)

      dir \\localhost\c$\$MFT\

      I used the \\localhost\c$ trick that lets one get to previous versions that MS deemed unnecessary on post Windows 7 systems as a starting point. I bet this can be “improved”.

      64bit W10 will also lock – it just takes longer to enter the loop (maybe because the system was faster/had more resources).

      All in all this is some base for a DoS attack. Using it against a remote terminal server could be “fun”. I don’t have my own system to test the scenario or desire to mess with someone else’s stuff.
      I’d be curious of results of running this test (or derivative) in a docker (like) container on Windows Server.

        • djand77
        • 2 years ago

        dave@dave-lm ~ $ dir \\localhost\c$\$MFT\
        >
        dir: cannot access ‘\localhostc$$MFT’: No such file or directory
        dave@dave-lm ~ $

        What’s the big deal? 🙂

          • Ninjitsu
          • 2 years ago

          so you mean they fixed a vulnerability in Win 10 but left the older ones out on purpose?

            • dyrdak
            • 2 years ago

            Well, I guess it’s a trade off between security and privacy. Since MS is not willing to provide us with both I’ve picked what’s my priority (your choice may be different). Not using MS browser, having disabled most nonessential services and some common sense probably helps me survive with no harm. Also, with my limited broadband speeds I’d have no patience for all W10 boxes to constantly update its crud. It’s not the bones of the system that I have issues with, it’s the Windows As (dis)Service and forced feedback/telemetry that I couldn’t care less for.
            BTW, this bug is not acknowledged by MS for W10 platform (and exploiting it would require some local help) so getting it patched (even on up to date system) is not likely.

          • dyrdak
          • 2 years ago

          For whatever reason, behavior differs on 64bit system.
          Try dir \\localhost\c$\$MFT\123

            • GTVic
            • 2 years ago

            That specific one crashed my 64-bit Win7 system.

        • Leader952
        • 2 years ago

        “neither is Windows 10 (tested on 32bit version, not exactly kept up to date”

        Not keeping windows up to date with security fixes and expecting security problems to not happen seems counter intuitive.

          • dyrdak
          • 2 years ago

          For all that it’s worth, my corporate up to date W10 system went down as well.
          File system bug is unlikely not to be shared across the whole platform. Even if MS claimed otherwise.

        • Wirko
        • 2 years ago

        XP (32-bit) is old and solid and doesn’t get confused so easily.

          • EndlessWaves
          • 2 years ago

          Yeah, it’s definite about when it’s completely screwed.

    • chuckula
    • 2 years ago

    What’s the big deal?

    I just typed that in and everything’s fi

      • Shobai
      • 2 years ago

      “But if he’s typed that much and the computer locked up, how did he then hit ‘submit’? And if he had time to hit ‘submit’, why not just finish the word/thought?”

        • chuckula
        • 2 years ago

        He must have died while carving it! (https://youtu.be/GEcvSq4SDkc?t=1m18s) Oh come on! Well that's what it says. Look, if he was dying he wouldn't have bothered to carve aggghhhhh. He'd just say it! Well that's what's carved in the rock! Perhaps he was dictating? Oh shut up.

      • Srsly_Bro
      • 2 years ago

      -fake news

    • albundy
    • 2 years ago

    hysterical that people use IE.

      • dyrdak
      • 2 years ago

      Using Edge is even more hysterical – it’s like giving up all your privacy with no resistance.

        • brucethemoose
        • 2 years ago

        Compared to what? Chrome? Safari?

        Firefox is indeed better about that, but it seems to fall behind the others every day.

          • BobbinThreadbare
          • 2 years ago

          With multiprocess Firefox is great again

          • adisor19
          • 2 years ago

          Safari and Firefox are the only serious candidates left.

          Adi

            • Wonders
            • 2 years ago

            I consider Brave (https://www.brave.com/) a serious potential candidate. Too early to really tell though.

        • Anton Kochubey
        • 2 years ago

        Nah, giving it up with no resistance is downloading Chrome.

    • meerkt
    • 2 years ago

    “$MFT, which is reserved for a bit of NTFS metadata”

    Yeah, a bit. 🙂

      • Waco
      • 2 years ago

      Well it’s not quite *all* of it.

    • CuttinHobo
    • 2 years ago

    I pity da foo who tries to access C:\$MFT\foo

      • anotherengineer
      • 2 years ago

      Quit yo Jibber-jabber!

        • CuttinHobo
        • 2 years ago

        Nevermind make fun of another person’s hair! Hair is the artwork they present to the heavens! https://m.youtube.com/watch?v=1g-s-pghtYQ

        • derFunkenstein
        • 2 years ago

        I ain’t gettin on no plane, Murdock

          • CuttinHobo
          • 2 years ago

          Years later, Samuel Jackson discovered that BA Baracus had a great reason for avoiding planes. Now we all know there are MF snakes on those MF planes!

      • Neutronbeam
      • 2 years ago

      So you’re a Foo Fighter?

        • CuttinHobo
        • 2 years ago

        Chimps are notorious poo fighters.
