[German]There is a previously unpatched vulnerability in the implementation of the NTFS file system used by Windows 10. Via this vulnerability, it is possible for attackers to destroy the contents of an NTFS volume used under Windows 10. It is enough to place an appropriately crafted file on an NTFS volume to trigger the flaw. A security researcher has now pointed this out for the umpteenth time.
I’ve pulled out the latest disclosure by @jonasLyk from January 9, 2021 on Twitter once – see the following tweet. Accessing a crafted folder is enough to exploit the vulnerability. The whole thing can be triggered remotely (e.g., downloading a crafted shortcut file or ZIP archive).
onas L. had already publicly disclosed this NTFS vulnerability in August 2020 as well as in October 2020, without anything happening. So he reached out to Bleeping Computer, who tested it and then disclosed it in this article.
A short command is sufficien
For an attacker exploiting this vulnerability, a one-line command is enough to corrupt an NTFS-formatted hard drive. This can be done by placing a crafted file (even remotely) in a folder on the affected drive. Once this file is read, Windows prompts the user to restart the computer to repair the corrupted disk entries.
Bleeping Computer shows a command here as an example of such a trigger, but warns against testing that on a system. This is because the NTFS drive may be unreadable and lost afterwards. After running the command in the Windows 10 command prompt, the error: “The file or directory is corrupted and unreadable.” is immediately displayed. For testing, one should use a virtual machine.
The command shown accesses the $130 attribute of an NTFS volume. This $I30 attribute is used by the NTFS file system to maintain an index of all files/subdirectories that belong to a directory.
Currently, it is unclear why accessing this attribute corrupts the drive. Speaking to Bleeping Computer, Jonas L. said: ‘I have no idea why accessing the attribute corrupts NTFS volumes. It would be a lot of work to figure that out because the reg key that should trigger a BSOD when corrupted doesn’t work. So I’ll leave that to the people who have the source code.’
It is enough to put a prepared file (e.g. .lnk file) on an NTFS drive (the data does not need to be opened) to trigger the error. Also conceivable would be prepared ZIP archives that trigger the error when unpacked. After the drives have been corrupted, Windows 10 generates errors in the event log stating that the Master File Table (MFT) for the respective drive contains a corrupted record.
Bug present from Windows 10 version 1803
As Jonas L. stated to Bleeping Computer, he was able to exploit the bug in Windows 10 version 1803. The bug is said to remain exploitable up to the current version 20H2. Bleeping Computer writes in the article that sources from security research circles say that serious vulnerabilities like this have been known for years. The bugs were reported to Microsoft earlier, but were not fixed.
Bleeping Computer checked with Microsoft to find out if they already knew about the bug and if they would fix it. The response, “Microsoft has made a commitment to its customers to investigate reported security issues and we will provide updates to affected devices as soon as possible.”
Addendum: There is an inoffizial fix, see Windows 10 NTFS bug gets unofficial fix from OSR
Cookies helps to fund this blog: Cookie settings