• In a throwback to the =?windows-1252?Q?'90s=2C_NTFS_bug_?=

    From Virus Guy@1:396/4 to All on Thu Sep 20 00:56:50 2018
    From: Virus Guy <Virus@Guy.C0M>

    While unnecessarily full-quoting a previous post, Shadow wrote:

    Or con con


    In a throwback to the '90s, NTFS bug lets anyone hang or crash Windows
    7, 8.1

    It's like the c:\con\con bug all over again.

    Peter Bright - May 25, 2017 9:45 pm UTC

    Those of you with long memories might remember one of the more amusing
    (or perhaps annoying) bugs of the Windows 95 and 98 era: certain
    specially crafted filenames could make the operating system crash.
    Malicious users could use this to attack other people's machines by
    using one of the special filenames as an image source; the browser would
    try to access the bad file, and Windows would promptly fall over.

    It turns out that Windows 7 and 8.1 (and Windows Vista, but that's out
    of support anyway) have a similar kind of bug. They can be taken
    advantage of in the same kind of way: certain bad filenames make the
    system lock up or occasionally crash with a blue screen of death, and malicious webpages can embed those filenames by using them as image
    sources. If you visit such a page (in any browser), your PC will hang
    shortly after and possibly crash outright.

    The Windows 9x-era bug was due to an error in the way that operating
    systems handled special filenames. Windows has a number of filenames
    that are "special" because they don't correspond to any actual file;
    instead, they represent hardware devices. These special filenames can be accessed from any location in the file system, even though they don't
    exist on-disk.

    While any of these special filenames would have worked, the most common
    one used to crash old Windows machines was con, a special filename that represents the physical console: the keyboard (for input) and the screen
    (for output). Windows correctly handled simple attempts to access the
    con device, but a filename included two references to the special
    device—for example, c:\con\con—then Windows would crash. If that file
    was referenced from a webpage, for example, by trying to load an image
    from file:///c:/con/con then the machine would crash whenever the
    malicious page was accessed.

    The new bug, which fortunately doesn't appear to afflict Windows 10,
    uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata
    files that are used by Windows' NTFS filesystem. The file exists in the
    root directory of each NTFS volume, but the NTFS driver handles it in
    special ways, and it's hidden from view and inaccessible to most
    software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it
    were a directory name—for example, trying to open the file
    c:\$MFT\123—then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock
    to be released.Forever. This blocks any and all other attempts to access
    the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.

    As was the case nearly 20 years ago, webpages that use the bad filename
    in, for example, an image source will provoke the bug and make the
    machine stop responding. Depending on what the machine is doing
    concurrently, it will sometimes blue screen. Either way, you're going to
    need to reboot it to recover. Some browsers will block attempts to
    access these local resources, but Internet Explorer, for example, will
    merrily try to access the bad file.

    We couldn't immediately cause the same thing to occur remotely (for
    example, by sending IIS a request for a bad filename), but it wouldn't immediately surprise us if certain configurations or trickery were
    enough to cause the same problem.

    Microsoft has been informed, but at the time of publication has not told
    us when or if the problem will be patched.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)