The security researcher Jonas L has discovered a vulnerability in the Windows NTFS file system that allows a disk to be corrupted with a simple one-line command.
That command can be hidden within a Windows shortcut file, a ZIP file, or various other vectors. In the first case, the bug is strange enough that it can be exploited even if the file is never opened: it is enough for the user to view the folder where the shortcut is located.
The vulnerability can be triggered by any user without elevated privileges in Windows 10.
NTFS VULNERABILITY CRITICALITY UNDERESTIMATED
There is a specially nasty vulnerability in NTFS right now.
Triggerable by opening special crafted name in any folder anywhere.
The vulnerability will instant pop up complaining about your harddrive is corrupted when path is opened pic.twitter.com/E0YqHQ369N
– Jonas L (@jonasLyk) January 9, 2021
This vulnerability can be triggered by any type of user; administrator privileges, special credentials and write permissions are not required. All it takes is opening a file, inside any folder on the system, whose name has been specially crafted to contain the command mentioned above.
When this happens, Windows starts displaying messages indicating that the data on the disk has been corrupted and asks for a reboot to repair it. The researcher explained that this flaw appeared with Windows 10 1803, that is, the April 2018 update, and is present even in the most recent version of the system.
The command in question, which we warn should not be tested on an active system, only on virtual machines, unless you want your disk to become corrupted and possibly leave you without access to your data, tries to access the $i30 file (the Windows NTFS file system attribute index) in a folder in a certain way.
If, for example, the path from the command
cd c::$i30:$bitmap is set as the icon location of a shortcut file (.url), the vulnerability is triggered even if the user never opens the file and only opens the folder that contains it, because Windows Explorer tries to access the path configured as the icon location in order to display the icon.
It is not clear to the researcher why accessing this attribute corrupts the disk, since the Windows Registry key that would help diagnose the problem is not working. Once the disk becomes corrupted, Windows 10 generates Event Log errors saying that the Master File Table (MFT) contains a corrupted record.
Jonas also explains that the vulnerability can be triggered remotely through any type of service that allows opening files with specific names. The crafted names can be embedded in HTML code, placed in shared folders, or hidden inside ZIP archives alongside many legitimate files to confuse the user.
Microsoft says it investigates any reported security issues and will provide updates for affected computers as soon as possible.
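A defensive check for the delivery vectors described above, as an added example that is not part of the original article: it flags .url shortcuts, including ones packed inside ZIP archives, whose fields reference the $i30 attribute. The function names, the regular expression and the sample data are assumptions constructed for illustration.

```python
import configparser
import io
import re
import zipfile

# Assumption: ordinary shortcuts and archives have no reason to name the NTFS
# index attribute ($i30) in a path, so any ":$i30" reference is flagged.
I30_REF = re.compile(r":\$i30\b", re.IGNORECASE)

# Constructed samples; the path string is the one quoted on this page.
BAD_URL = "[InternetShortcut]\nURL=https://example.com/\nIconFile=c::$i30:$bitmap\n"
GOOD_URL = "[InternetShortcut]\nURL=https://example.com/\nIconFile=C:\\Windows\\explorer.exe\n"

def scan_url_shortcut(text):
    """Return (key, value) pairs of a .url file whose value references $i30."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case, e.g. IconFile
    try:
        parser.read_string(text)
    except configparser.Error:
        # Malformed shortcut: fall back to flagging raw lines.
        return [("raw", ln) for ln in text.splitlines() if I30_REF.search(ln)]
    return [(key, value) for section in parser.sections()
            for key, value in parser.items(section) if I30_REF.search(value)]

def scan_zip(data):
    """Return ZIP member names that reference $i30 by name or in .url content."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if I30_REF.search(info.filename):
                hits.append(info.filename)
            elif info.filename.lower().endswith(".url") and info.file_size < 65536:
                body = zf.read(info).decode("utf-8", errors="replace")
                if scan_url_shortcut(body):
                    hits.append(info.filename)
    return hits

def build_sample_zip():
    """Constructed archive: one benign file, one benign and one flagged shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/ok.url", GOOD_URL)
        zf.writestr("docs/link.url", BAD_URL)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_url_shortcut(BAD_URL))
    print(scan_zip(build_sample_zip()))
```

The scan only reads bytes and never resolves the flagged path, so it can run on a mail gateway or file server before an archive reaches a Windows desktop.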
Via | BleepingComputer