Denial of Service Using Malformed NTFS Files

May 14, 2018


A Romanian security researcher has released proof-of-concept code for a vulnerability in Windows 7 and Windows 10 that can trigger a blue screen of death (BSOD) even while the system is locked. The code lets a user or an attacker mount a denial-of-service attack that crashes a Windows machine in seconds, locked or not. Security experts worry that an attacker could modify the code or combine it with malware to do further harm. Marius Tivadar of Bitdefender recently published the code on GitHub, explaining how any account, whether a limited user or an administrator, can produce a BSOD with a handcrafted NT File System (NTFS) image.

The artifact is a malformed file system image rather than malware, malware researchers explain. When a USB drive carrying such a malformed NTFS image is connected to a Windows computer, the machine crashes within seconds, according to Tivadar. With AutoPlay enabled, simply inserting the drive is enough to trigger the crash, because the bug lies in how Windows handles the crafted NT file system when it mounts it.

Security experts warn that the PC will crash even with AutoPlay disabled, as soon as anything touches the malformed image: a Windows Defender scan, some other tool, or the user opening the file by hand.

Tivadar detailed the effects and behavior of the bug in a report and demonstrated it in a video. Security experts point to AutoPlay being enabled by default in every version of Windows as the root cause of the exposure. Disabling AutoPlay is one mitigation, but manually accessing or opening the file would still cause a denial of service, crashing Windows with a blue screen.

Malware experts suggest changing the behavior of the Windows feature responsible for the attack, AutoPlay, so that it does nothing while the user has locked the system: no feature should run without the user's consent, which is exactly what happens with the malformed NTFS image.

The fix should guarantee that when an external device is inserted into a locked system, no driver loads and no code runs, so that no undesirable action can take place.

Tivadar first discovered the issue in 2017, when it triggered a BSOD on Windows 7 and later. He reported it to Microsoft expecting the company to work on a patch, but Microsoft declined to issue one, on the grounds that exploitation requires physical access or at least social engineering. Microsoft nevertheless appears to have resolved the issue: the proof of concept no longer works on the latest Windows 10 build, 16299, or on Microsoft-recommended systems.

However, some Windows systems are still vulnerable to the code in its present form, including:

Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64

Windows 7 Enterprise edition 6.1.7601 SP1, Build 7601 x64

Windows 10 Pro 10.0.15063, Build 15063 x64
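The two practical checks the article leaves the reader with are "is this host on a build below 16299?" and "is AutoPlay off?". The PowerShell below is an added example written for this page; it is not code from the article or from Tivadar's proof-of-concept repository. It assumes an elevated PowerShell session on Windows 7 or Windows 10, takes 16299 as the build at which the article says the proof of concept stops working, and uses the standard Explorer policy registry keys behind the "Turn off AutoPlay" Group Policy. It mitigates only the insert-and-crash trigger; it does not fix the underlying NTFS handling bug.

```powershell
# Added example (not from the article or Tivadar's PoC repository).
# Assumptions: elevated PowerShell on Windows 7/10; 16299 is the build the
# article reports as no longer affected; registry paths are the standard
# Explorer AutoPlay policy locations used by the "Turn off AutoPlay" GPO.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$FixedBuild     = 16299   # per the article: PoC reportedly fails from this build on

function Test-IsElevated {
    # Writing HKLM policy keys needs an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WindowsBuild {
    # CurrentBuild is present on both Windows 7 and Windows 10 and is not
    # affected by the manifest-based version masking some .NET APIs apply.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [int]$cv.CurrentBuild
}

function Test-LikelyAffected {
    param([int]$Build = (Get-WindowsBuild))
    # The builds the article lists as still crashable (7601, 15063, 16215)
    # are all below 16299; treat anything older than 16299 as exposed.
    return $Build -lt $FixedBuild
}

function Get-AutoPlayPolicy {
    # Returns the machine-wide NoDriveTypeAutoRun mask, or $null if unset.
    # 0xFF means AutoRun/AutoPlay is disabled for every drive type.
    if (-not (Test-Path $ExplorerPolicy)) { return $null }
    return (Get-ItemProperty -Path $ExplorerPolicy).NoDriveTypeAutoRun
}

function Disable-AutoPlay {
    # Same effect as Group Policy "Turn off AutoPlay: All drives", machine-wide.
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 additionally stops autorun.inf from being honoured anywhere.
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord
}

if (-not (Test-IsElevated)) {
    Write-Error 'Run this from an elevated PowerShell session.'
    return
}

$build = Get-WindowsBuild
if (Test-LikelyAffected -Build $build) {
    Write-Warning "Build $build is below $FixedBuild; the article lists this range as still crashable."
    if ((Get-AutoPlayPolicy) -ne 0xFF) {
        Disable-AutoPlay
        Write-Host 'AutoPlay disabled for all drive types (NoDriveTypeAutoRun = 0xFF).'
    } else {
        Write-Host 'AutoPlay is already disabled by policy.'
    }
    Write-Host "Caveat: opening the image by hand or an AV scan can still crash this host. Update to build $FixedBuild or later."
} else {
    Write-Host "Build $build is at or above $FixedBuild; the published PoC reportedly no longer triggers here."
}
```

The build gate is the part that actually matters: AutoPlay only removes the "plug it in and walk away" trigger, and the article is explicit that any later access to the image, including a scheduled Defender scan, still produces the blue screen on an unpatched build. Explorer reads the policy key at sign-in, so sign out or restart for the AutoPlay change to take effect.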
