In a throwback to the '90s, NTFS bug lets anyone hang or crash Windows
It's like the c:\con\con bug all over again.
Peter Bright - May 25, 2017 9:45 pm UTC
Those of you with long memories might remember one of the more amusing
(or perhaps annoying) bugs of the Windows 95 and 98 era: certain
specially crafted filenames could make the operating system crash.
Malicious users could use this to attack other people's machines by
using one of the special filenames as an image source; the browser would
try to access the bad file, and Windows would promptly fall over.
It turns out that Windows 7 and 8.1 (and Windows Vista, but that's out
of support anyway) have a similar kind of bug. They can be taken
advantage of in the same kind of way: certain bad filenames make the
system lock up or occasionally crash with a blue screen of death, and malicious webpages can embed those filenames by using them as image
sources. If you visit such a page (in any browser), your PC will hang
shortly after and possibly crash outright.
The Windows 9x-era bug was due to an error in the way that operating
systems handled special filenames. Windows has a number of filenames
that are "special" because they don't correspond to any actual file;
instead, they represent hardware devices. These special filenames can be accessed from any location in the file system, even though they don't
While any of these special filenames would have worked, the most common
one used to crash old Windows machines was con, a special filename that represents the physical console: the keyboard (for input) and the screen
(for output). Windows correctly handled simple attempts to access the
con device, but a filename included two references to the special
device—for example, c:\con\con—then Windows would crash. If that file
was referenced from a webpage, for example, by trying to load an image
from file:///c:/con/con then the machine would crash whenever the
malicious page was accessed.
The new bug, which fortunately doesn't appear to afflict Windows 10,
uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata
files that are used by Windows' NTFS filesystem. The file exists in the
root directory of each NTFS volume, but the NTFS driver handles it in
special ways, and it's hidden from view and inaccessible to most
software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it
were a directory name—for example, trying to open the file
c:\$MFT\123—then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock
to be released.Forever. This blocks any and all other attempts to access
the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.
As was the case nearly 20 years ago, webpages that use the bad filename
in, for example, an image source will provoke the bug and make the
machine stop responding. Depending on what the machine is doing
concurrently, it will sometimes blue screen. Either way, you're going to
need to reboot it to recover. Some browsers will block attempts to
access these local resources, but Internet Explorer, for example, will
merrily try to access the bad file.
We couldn't immediately cause the same thing to occur remotely (for
example, by sending IIS a request for a bad filename), but it wouldn't immediately surprise us if certain configurations or trickery were
enough to cause the same problem.
Microsoft has been informed, but at the time of publication has not told
us when or if the problem will be patched.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)