Bitdefender’s Marius Tivadar discovered a vulnerability in the way that Windows handles NTFS file system images. When publishing the proof of concept code on GitHub, he explained, “One can generate blue-screen-of-death using a handcrafted NTFS image. This Denial of Service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.”
As you can see in the two videos he posted showing the exploit, after the code is put on a USB drive and inserted into a Windows box, it’s wham bam! Seconds after the USB stick is inserted, it’s BSOD whether the system is locked or not. The PoC is not malware, but a malformed NTFS image.
Tivadar said he reported the issue to Microsoft back in July 2017; the Redmond giant, however, declined to issue a patch because the issue required “either physical access or social engineering.” At the time, the code could trigger BSOD on Windows 7 on up.
In the accompanying documentation, Tivadar said, “Auto-play is activated by default; this leads to automatically crashing the system (when) a USB stick is inserted. Even with auto-play disabled, system will crash when the file is accessed.” He added, “This can be done when Windows Defender scans the USB stick, or any other tool opening it. If none of the above,” then “if the user clicks on the file, (the) system will crash.”
He strongly believed that the auto-play behavior should be changed so it wouldn’t work if the Windows box was locked, as the code runs without user consent. “Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine.”
Furthermore, he suggested that an attacker might tweak the PoC and add malware, triggering the crash remotely and opening “thousands of possible scenarios.”
Although Microsoft told Tivadar that it wouldn’t assign a CVE or issue a fix, somewhere along the line Microsoft did patch the problem. It didn’t, however, notify Tivadar.
The PoC now reportedly works on Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64, Windows 10 Pro 10.0.15063, Build 15063 x64 and Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64. In case you are curious, it does not work on the current Microsoft-recommended Windows 10 build 16299.
The code is out there now, so if you have a vulnerable system, then don’t be surprised if someone who thinks they are being funny tries it out on your machine.