Windows 10: Bug allows BSOD by entering a path in a browser

There is a bug in Windows 10 that can trigger a Blue Screen of Death (BSOD) after entering certain path entries (e.g. in the browser). Security researcher Jonas Lykkegaard also reported this bug publicly in October 2020.



This week, security researcher Jonas Lykkegaard passed two Windows 10 bugs, which he has been 'working on Microsoft' with for months, to Bleeping Computer to get more publicity. I addressed the first bug last week in the blog post Windows 10: Vulnerability allows to destroy NTFS media content. Now comes the second bug, which has nothing to do with the NTFS vulnerability above.

Public since October 2020, no response

Jonas Lykkegaard sent the information to Bleeping Computer last week, as the tweets he has posted regarding this bug since October 2020 have gone unanswered. Jonas L. points out in a subsequent tweet that Bleeping Computer then picked up the topic Sunday evening.

Windows 10: BSOD via browser URL

Unusual path specification leads to BlueScreen

Brief background: developers can pass a path in the Win32 device namespace as an argument to various Windows API calls to interact directly with Windows devices. This allows e.g. direct access to a physical hard disk, bypassing the file system API functions. Jonas L. then came across the following path:

\\.\globalroot\device\condrv\kernelconnect



The path points to the device name of the "console multiplexer driver". Jonas L. believes that the path is used for kernel / user mode interprocess communication (IPC). But that is of marginal interest here as academic information at best. The point is that you can trigger a BlueScreen under Windows 10 with this path specification.

I booted my test machine with Windows 10 20H2 (the 'best' that is currently available from Microsoft in terms of Windows 10). Then I launched the Google Chrome browser and typed the above path in the URL field of the browser. As soon as I hit Enter to execute the path, Windows 10 crashed with a veritable BlueScreen.


Windows 10 BSOD

There are numerous ways to provoke this crash, because the URL can be entered in Explorer, in a command prompt (e.g. when logging in) and so on. Exploiting this bug does not depend on a user's privileges; it works even with a standard user. I ran the test via RDP session from Windows 7 out of laziness; the test machine with Windows 10 20H2 was lying on its back with a BlueScreen afterwards.

Bleeping Computer must have run a series of tests over the last few days and writes that they found the bug from Windows 10 version 1709 up to the current 20H2; they didn't have older builds available. The bug affects not only Windows 10 clients, of course, but also servers built on top of those builds. This is of course a nice way to continuously force machines remotely into a BlueScreen loop via such commands. Jonas L. sent Bleeping Computer a Windows URL shortcut file (.url) pointing to \\.\globalroot\device\condrv\kernelconnect. When such a file is downloaded, Windows 10 tries to access the URL path and ends up in a BlueScreen.

Bleeping Computer writes that they have since found numerous other ways to exploit this bug. Among them are methods to trigger BSODs automatically at Windows login. In a real-world scenario, this flaw could be abused by threat actors who have access to a network and want to cover their tracks during an attack.
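A defensive check for the .url shortcut vector described above, as an added example that is not from the original post or from Bleeping Computer: it scans shortcut files for values that resolve to the Win32 device namespace or to the condrv path. The function names, the choice to inspect every key rather than a specific one, and the sample strings are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Win32 device namespace prefix (\\.\ or \\?\) after slash normalization.
DEVICE_NS = re.compile(r"^\\{2,}[.?]\\")
# The console driver device path named in the article, in any letter case.
CONDRV = re.compile(r"globalroot\\+device\\+condrv", re.IGNORECASE)

def normalize(value):
    """Undo quoting, percent-encoding, a file: scheme and forward slashes."""
    v = unquote(value.strip().strip('"'))
    if v.lower().startswith("file:"):
        v = v[5:]
    return v.replace("/", "\\")

def scan_url_text(text):
    """Return (section, key, reason) for each suspicious value in .url text."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or line.startswith(";"):
            continue
        norm = normalize(value)
        if CONDRV.search(norm):
            findings.append((section, key.strip(), "condrv device path"))
        elif DEVICE_NS.match(norm):
            findings.append((section, key.strip(), "device namespace path"))
    return findings

def scan_tree(root):
    """Scan every .url file under root; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".url" or not path.is_file():
            continue
        data = path.read_bytes()
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
        found = scan_url_text(data.decode(enc, errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples (not captured files): one flagged, one benign.
SAMPLE_BAD = "[InternetShortcut]\nURL=\\\\.\\globalroot\\device\\condrv\\kernelconnect\n"
SAMPLE_OK = "[InternetShortcut]\nURL=https://example.com/\nIconIndex=0\n"
```

Pointing `scan_tree` at a download or mail-attachment quarantine directory lists the shortcut files worth blocking before a Windows 10 host touches them.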

My Tests, and reader feedback

I ran a successful test on Windows 10 20H2 with Google Chrome and Chromium Edge as browsers. On a not fully patched Windows 10 V1709 I wasn't able to provoke a BSOD in Legacy Edge and IE 11 nor in Windows Explorer. Another German reader pointed out that he can use the command:

copy \\.\globalroot\device\condrv\kernelconnect dummy.txt

within a command prompt window to crash Windows 10 20H2 with a blue screen. Some blog readers confirmed the bug is reproducible in Windows Server 2019 and Windows 10 V1507 LTSC. Another blog reader confirmed he was able to crash Windows 10 20H2 using Windows Explorer and pasting the above UNC path into the address bar.

I wasn't able to reproduce the BSOD in Windows 10 SP1 with ESU license – I got the error message that the path isn't correct. German blog readers also confirmed they could not reproduce the BSOD on Windows 8.1 and Windows Server 2012.

