Windows 10 NTFS file system has a vulnerability

According to BleepingComputer reports, researchers recently discovered a serious vulnerability in Windows 10. The vulnerability is mainly located in the NTFS file system and is very easy to trigger.

The attacker only needs to use a few specific strings to induce the user to download, and only need to download, the disk record can be destroyed without the user opening it.

After testing, the vulnerability affects all versions of Windows 10 v1803 and above, but after the researchers submitted the vulnerability to Microsoft, Microsoft has not fixed it yet.

Source: BleepingComputer

The study found that the index system attribute of the Windows NTFS file system contains the $i30 string, which is actually the NTFS attribute associated with the directory.

In some cases, even if the files are deleted, the index system still includes the deleted files or folders until these files or folders are completely deleted.

Therefore, this kind of indexing system is very useful for certain incident response, such as attack tracing or investigation and evidence collection, but why is there this serious problem?

InfoSec researcher Jonas L found that access to this attribute will cause disk damage. After investigation, the researcher believes that it may be related to the Registry key.

When the attribute is loaded, the system will immediately pop up the file or directory is damaged and unreadable prompt, prompting the user to restart the system so that the system can try to repair the disk.

The repair process may last for several hours or even longer. Of course, sometimes the repair cannot be completed, resulting in a cyclic blue screen of death until the user reinstalls the system.

If you are lucky, the system will automatically complete the repair, the Windows Event Manager will see the error record of the Master File Table (MFT) of the master file table of the specific drive.

Please do not try to test the command directly in the system. For example, please use a virtual machine to prevent the system from cycling the blue screen of death after the disk record is damaged.

Tests show that specially crafted destructive strings are very easy to use, and attackers can trigger them through ZIP, HTML, URL, batch, or shortcuts.

For example, if the file containing the character string is placed in a ZIP compressed file, the disk record will be destroyed as long as the user opens the compressed file without decompression.

You can also use a shortcut to include this string. When the user views the shortcut, the resource manager will automatically preload, which can also cause damage.

Moreover, the use of this vulnerability does not require administrator-level permissions. It can be triggered by ordinary user permissions. Tests show that standard and low-privilege accounts can also be used.

Therefore, if an attacker or some prankster exploits this vulnerability, they only need to induce the user to download a specially crafted file to trigger the vulnerability very simply and easily.

According to sources in the security community, the vulnerability has existed for a long time and has been discovered but Microsoft has not yet fixed it. No one knows why Microsoft ignored the vulnerability.

Jonas L also reported the vulnerability to Microsoft in August last year, but it was not fixed. The media re-contacted Microsoft yesterday when Microsoft said that it would release a security update.

However, Microsoft did not specify when the security update will be released, and users are advised not to download any files of unknown origin until the vulnerability is fixed.