In a throwback, NTFS bug lets anyone hang or crash Windows

Post by Pigeon » Thu May 25, 2017 10:53 pm

In a throwback to the ’90s, NTFS bug lets anyone hang or crash Windows 7, 8.1

Those of you with long memories might remember one of the more amusing (or perhaps annoying) bugs of the Windows 95 and 98 era. Certain specially crafted filenames could make the operating system crash. Malicious users could use this to attack other people's machines by using one of the special filenames as an image source; the browser would try to access the bad file, and Windows would promptly fall over.

It turns out that Windows 7 and 8.1 (and Windows Vista, but that's out of support anyway) have a similar kind of bug. They can be taken advantage of in the same kind of way: certain bad filenames make the system lock up or occasionally crash with a blue screen of death, and malicious webpages can embed those filenames by using them as image sources. If you visit such a page (in any browser), your PC will hang shortly after and possibly crash outright.

The Windows 9x-era bug was due to an error in the way that operating systems handled special filenames. Windows has a number of filenames that are "special" because they don't correspond to any actual file; instead, they represent hardware devices. These special filenames can be accessed from any location in the file system, even though they don't exist on-disk.

While any of these special filenames would have worked, the most common one used to crash old Windows machines was con, a special filename that represents the physical console: the keyboard (for input) and the screen (for output). Windows correctly handled simple attempts to access the con device, but if a filename included two references to the special device—for example, c:\con\con—then Windows would crash. If that file was referenced from a webpage, for example, by trying to load an image from file:///c:/con/con, then the machine would crash whenever the malicious page was accessed.

The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name—for example, trying to open the file c:\$MFT\123—then the NTFS driver gets stuck in an infinite loop. This infinite loop blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.

https://arstechnica.com/information-tec ... ows-7-8-1/
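
As an added example (not part of the quoted article or of this thread), a Python filter that flags the two path shapes the article describes when they appear in the `src` attributes of a page, the kind of check a proxy or content scanner could apply. The function names and the sample HTML are constructed for illustration, and the device names other than `con` are the standard Windows reserved names, not taken from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# The post only names "con"; the rest are the standard Windows reserved
# device names (an addition here, not from the post).
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}

def components(ref):
    """Split a Windows path or file: URL into lower-cased components, drive removed."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]+):", ref)  # 2+ chars, so "c:" is a drive
    if m:
        if m.group(1).lower() != "file":
            return []  # http(s) and other schemes are not local file references
        ref = unquote(urlsplit(ref).path)  # also undoes %24 -> $
    parts = [p for p in re.split(r"[\\/]+", ref) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return [p.lower() for p in parts]

def classify(ref):
    """Return 'mft-as-directory', 'repeated-device' or None for one reference."""
    parts = components(ref)
    # $MFT sits in the volume root; the hang needs it used as a directory name,
    # i.e. followed by at least one more component.
    if len(parts) > 1 and parts[0] == "$mft":
        return "mft-as-directory"
    # Windows 9x case: two references to a device name in one path.
    if sum(p in DOS_DEVICES for p in parts) >= 2:
        return "repeated-device"
    return None

SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def scan_html(html):
    """Return (reference, finding) for every src attribute that matches."""
    return [(ref, f) for ref in SRC_ATTR.findall(html) if (f := classify(ref))]

# Constructed sample page; the flagged paths are the ones quoted in the article.
SAMPLE = '''<img src="logo.png">
<img src="file:///c:/$MFT/123">
<img src='file:///C:/con/con'>
<img src="file:///c:/%24mft/x.png">
<img src="https://example.com/con/con">'''

if __name__ == "__main__":
    for ref, finding in scan_html(SAMPLE):
        print(f"{finding:18} {ref}")
```
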


Re: In a throwback, NTFS bug lets anyone hang or crash Windo

Post by Royal » Fri May 26, 2017 2:28 am

Holy hell, can have worldwide outages in a blink of an eye.

Re: In a throwback, NTFS bug lets anyone hang or crash Windo

Post by Royal » Fri May 26, 2017 2:50 am

Nothing like this exists for airplanes, right?
