In a Throwback To the '90s, NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1 (arstechnica.com) 128

Windows 7 and 8.1 (and also Windows Vista) have a bug reminiscent of the Windows 98 era, when a specially crafted filename could crash the operating system (think of file:///c:/con/con). From an ArsTechnica report: The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name -- for example, trying to open the file c:\$MFT\123 -- then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released. Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.
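The failure mode in the summary, a reserved name used as a path component, is what a service that accepts user-supplied filenames has to refuse before it touches the disk. The check below is an added example, not code from the article or the thread; it goes beyond $MFT to the other NTFS metadata file names and to the DOS device names of the con/con bug, and the function names `components` and `reserved_reason` are hypothetical.

```python
import re
from urllib.parse import unquote

# "$MFT" is the name from the article; the other entries are the remaining
# well-known NTFS metadata files (added from general NTFS knowledge).
NTFS_METADATA = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
                 "$boot", "$badclus", "$secure", "$upcase", "$extend"}
# Legacy DOS device names: the Windows 9x "con/con" class the summary mentions.
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{port}{n}" for port in ("com", "lpt") for n in range(1, 10)}


def components(path):
    """Normalize a Windows path or file: URL into lower-case name components."""
    if path.lower().startswith("file:"):
        path = unquote(re.sub(r"(?i)^file:/*", "", path))
    path = path.replace("\\", "/")
    path = re.sub(r"^//[?.]/", "", path)      # \\?\ and \\.\ prefixes
    path = re.sub(r"^[A-Za-z]:", "", path)    # drive letter
    names = []
    for part in path.split("/"):
        # Drop any ":stream" suffix, then the trailing dots/spaces Win32 ignores.
        name = part.split(":", 1)[0].rstrip(". ").lower()
        if name:
            names.append(name)
    return names


def reserved_reason(path):
    """Return why a user-supplied path must be refused, or None if it is fine."""
    for name in components(path):
        if name in NTFS_METADATA:
            return "ntfs-metadata:" + name
        if name.split(".", 1)[0] in DOS_DEVICES:
            return "dos-device:" + name.split(".", 1)[0]
    return None


# Constructed sample input: the paths quoted on this page plus benign ones.
SAMPLES = [r"c:\$MFT\123", "file:///c:\\$MFT\\123", r"c:\$mft\derp",
           "file:///c:/%24MFT/123", "file:///c:/con/con",
           r"C:\Users\blah\report.txt", r"C:\data\$MFT_backup.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:35} -> {reserved_reason(sample) or 'ok'}")
```

The check rejects a reserved name at any depth, not only in the volume root, which is deliberately conservative for input validation.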
  • Nonsense! (Score:5, Funny)

    by Anonymous Coward on Friday May 26, 2017 @12:04PM (#54491697)

    I just opened c:\$MFT\123 on my system and nothing bad happ

  • Ah! (Score:5, Funny)

    by DontBeAMoran ( 4843879 ) on Friday May 26, 2017 @12:06PM (#54491715)

    NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1

    As I use Windows 10 I doBUY XBOX ONE! ON SALE TODAY ONLY!n't have such problems.

    • I'm also safe. I don't have Windows 7 or 8.1. I have the original Windows 8, which isn't listed as vulnerable. Yeah for Windows 8!

      • by Anonymous Coward

        Did you upgrade from Windows ME to Windows 8?

  • Just think of all the fun someone could have on a thousand+ user application server -_____- Hopefully Microsoft will actually patch this, instead of continuing the trend of shitting on Win7/8 users in an effort to encourage them to move to 10.
    • by yuhong ( 1378501 )

      If you are able to compile programs with Visual C++, there are a lot of bugs that you can BSoD a terminal server with that will never get fixed.

  • My favorite WinXP crash bug was the crash that happened every 45 days of continuous uptime.
    • by Anonymous Coward

      My favorite WinXP crash bug was the crash that happened every 45 days of continuous uptime.

      How did you ever manage to keep the machine up for that long?

    • You completely screwed up that joke.
      It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.
      • You completely screwed up that joke.

        I wasn't joking. I had a scheduled task that would reboot my PCs every 45 days because of this crash bug. At my current job today we reboot workstations after 30+ days of uptime just to make sure that they patch properly each month.

        It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.

        I stand corrected.

        • Re: (Score:2, Insightful)

          by epine ( 68316 )

          I stand corrected.

          Good on you, but you do know that that is just the first step in the 5 Whys [wikipedia.org] of mea culpa?

          The 32-bit uptime bug in Windows 95 was the poster child of a toy operating system.

          NTFS (and the giant NT/2000/XP fork in the road) was the poster child for Microsoft escaping their toy reputation.

          The entire joke here is that the more things change, the more they remain the same.

          Now this new $MFT fiasco is just a stupid edge case in something that actually works well enough, most of the time.

          The joke u

        • by Gr8Apes ( 679165 )

          I wasn't joking. I had a scheduled task that would reboot my PCs every 45 days because of this crash bug. At my current job today we reboot workstations after 30+ days of uptime just to make sure that they patch properly each month.

          It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.

          I stand corrected.

          Actually, he's wrong, the bug was in NT4 also. There was also a paging counter bug that was a mismatch of a 26 bit number into a 32 bit number that caused all sorts of issues when the 26 bit number rolled over. (might have been 24bit, it's long ago and google wasn't around to index everything back then....)

          • by sr180 ( 700526 )

            We used to reboot all of our NT4 Sp 6a servers when the idle counter reached 500 hours. Not long after that, they always started behaving weirdly..

        • by dbIII ( 701233 )
          Back in the day MS didn't really care so much about memory leaks so long usage was an issue on NT, Win2k and even as late as XP.
          Rebooting every few weeks was a very common workaround.
      • by squiggleslash ( 241428 ) on Friday May 26, 2017 @02:15PM (#54492665) Homepage Journal

        I thought it's Windows 10 that crashes after 49.7 days of continuous usage? Except they replaced the blue screen of death with one that says "Please do not turn off your computer. Installing update 3/49"

        • by sims 2 ( 994794 )

          Funny, I've seen the update counter break on several occasions so it will actually say something like installing update 49 of 3.

          I currently have a windows 10 machine that's been stuck at 91% installing the 1607 anniversary update since this time yesterday.

          It's bound to finish eventually right?

      • by Reziac ( 43301 ) *

        And it was actually a bug in the hardware's timer chip, that happened to dovetail with Win95/98. Not all hardware had the bug, and those without did not experience the 49 day rollover. (My everyday W9* boxen apparently lacked the bug, as both would run for several months at a crack, and I never applied the patch.)

    • That was windows 95.
    • Microsoft IIS (can't remember whether it was 3 or 4) had a similar bug where after ~49 days it would stop logging web site activity to the W3C format log files. Doesn't look like MSDN still has a KB article for it otherwise I would have linked it.
  • True enterprise level bugs

  • I just get "The directory name is invalid."
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Try browsing to file:///c:\$MFT\123 in IE and see what happens...

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        Yup, this works. Just coming back after a hard reboot :o

    • Try echo a > c:\$mft\derp I may be wrong, but something like type c:\$mft\derp does not seem to do anything.
    • by Wulf2k ( 4703573 )

      Sure. Me too.

      Then try do something else. Like open iexplore.exe and browse to a webpage.

  • by beheaderaswp ( 549877 ) * on Friday May 26, 2017 @12:31PM (#54491915)

    Saw the article and spun up a test VM with Win 7.

    Exploit/bug/crash/vulnerability works as advertised. Scary. An easy way to bring down an entire operating system with a bat file and a little startup/service knowledge.

    • I tried it in the server contemporaries to 7 and 8.1. (2008R2 and 2012R2)

      Nearly immediate BSOD in both cases.

  • by mysidia ( 191772 ) on Friday May 26, 2017 @12:42PM (#54492021)

    I tested this... who wouldn't.
    It seems to be harmless when not logged in as an Administrator.

    The second I run copy C:\$MFT\123 C:\Users\blah
    as Administrator however, filesystem access freezes.

    So yeah..... don't run programs as Admin that use random user-specified filenames and you should be fine?

    • It seems to be harmless when not logged in as an Administrator.

      I tried it as a standard user on two Windows installs, one 64-bit Windows 7 Pro on real hardware, and the other Windows 7 Home 32-bit on a VM. Both gave me a BSOD immediately.

    • Seemed to work for me without elevation on Windows 7, using a user in the sole group "Users"
    • On Server 2012 R2 I found as a standard user - if I tried to save a file to c:\$mft - I got an access denied error, then the machine bsod'd.

      So yeah you could "exploit" this from user space, but I guess the worst it will do is restart the machine/vm.

  • Do any real unix filesystems have magic filenames? I know unlinked files will be dumped in lost+found by convention, but it's just a directory. HFS+ didn't grow up on unix, so all of its magic files don't really count (NeXT used UFS, right?)

    All I can think of is mount/.zfs on ZFS, but it's built to handle traversal - any others? Any kernel code that relies on structures that can be impacted from userspace is a potential problem, so if there are some we should watch out for them and double-check that code.

    • by Shimbo ( 100005 )

      /, when it isn't a path separator, and \0 would be my first two corner cases to check.

    • by Megol ( 3135005 )

      One could argue that Unix uses "magic" filenames everywhere - devices are mapped to filenames and most modern systems map almost everything internal as files. Windows NT doesn't map devices to files by default but a few are mapped into the Win32 subsystem to keep backwards compatibility, those things aren't files per se but emulated so that they can be treated as files - hence the "magic" nature of them.

      The MFT file isn't "magic" BTW, this is a locking problem at worst or not a problem at all if one likes t

      • Unix doesn't use magic fileNAMES. It uses magic files. Naming them is quite arbitrary and there are very few surprises that can result from that. (naming a file "*" is really asking for trouble...) Now for assumptions programs make about what file contains what, and OS behavior as it accesses these special files... c'mon, rename sda1 to null...

    • > Do any real unix filesystems ...

      What is your criteria to evaluate a "pseudo" unix from a "real" unix??

      > ... unix filesystems have magic filenames?

      Uh, what do you think

      .
      ..
      /dev

      are?

      Reference:

      What are reserved filenames for various platforms? [stackoverflow.com]

      • by nawcom ( 941663 )
        Those aren't "magic filenames" - they're just device nodes that populate at boot time and unlike reserved strings like the ones in Windows, their paths have value. And that link you gave makes no reference to them. The only "filenames" that you cannot use in unix OSes are . and ..
      • by tepples ( 727027 )

        What is your criteria to evaluate a "pseudo" unix from a "real" unix??

        A real UNIX system is one whose publisher has taken a trademark license from The Open Group.

    • There are various magic file names (think things in /dev or /var) but reading/writing to them (if you are permitted) is by design how you interact with them.

      To my knowledge there is no module that is permitted to hang up the kernel (BSOD) simply by reading it, at worst you get the serial port to poop out some bad characters.

    • by Megane ( 129182 )
      Unix-like operating systems use file attributes to indicate special stuff like devices and pipes. Do a "ls -l /dev" and you will see what I mean. They also usually have access permissions set up to prevent access by anyone but a root process.
  • No timeout, full stop.

  • Pfft. I don't need an NTFS bug for that, it happens on its own.
  • by grumpy-cowboy ( 4342983 ) on Friday May 26, 2017 @01:37PM (#54492425)

    $ c:\$MFT\123
    c:$MFT123: command not found

    $

  • Works on NT 3.51 too (Score:4, Interesting)

    by Scoth ( 879800 ) on Friday May 26, 2017 @01:47PM (#54492491)

    Just for funsies I loaded up my Windows NT 3.51 VM I have around for no good reason and tried it, and it immediately hard-locked. Must be a very old bug.

    • by MobyDisk ( 75490 )

      Just for funsies I loaded up my Windows NT 3.51 VM I have around for no good reason and it immediately hard-locked.

      FTFY

  • by Anonymous Coward

    So for some reason no one mentioned that this bug also affects Server 2008 and 2008 R2. Even though most IT people would know that those are more or less identical OSs to Windows 7 and 8 respectively, it still should be listed.

  • This just gives me a warm fuzzy blast from the past. And present. And maybe future of my Windows install. But I don't really worry, I only use my Windows box for running Adobe stuff.

  • by Wargames ( 91725 )

    Dropped to cmdline in Win7 and did dir $MFT, stuff that runs from cache still worked but anything requiring disk locked up hard. Had to reboot. Sad. Thanks Obama!
