Code Published for Triggering a BSOD on Windows Computers -- Even If They're Locked (bleepingcomputer.com) 118
"A Romanian hardware expert has published proof-of-concept code on GitHub that will crash most Windows computers within seconds, even if the computer is in a locked state," writes BleepingComputer. An anonymous reader quotes their report:
The code exploits a vulnerability in Microsoft's handling of NTFS filesystem images and was discovered by Marius Tivadar, a security researcher with Bitdefender. The expert's proof-of-concept code contains a malformed NTFS image that users can take and place on a USB thumb drive. Inserting this USB thumb drive in a Windows computer crashes the system within seconds, resulting in a Blue Screen of Death (BSOD). "Auto-play is activated by default," Tivadar wrote in a PDF document detailing the bug and its impact...
Tivadar contacted Microsoft about the issue in July 2017, but published the PoC code today after the OS maker declined to classify the issue as a security bug. Microsoft downgraded the bug's severity because exploiting it requires either physical access or social engineering (tricking the user).
Topsy turvy (Score:1, Troll)
Wake me up when someone publishes something that's guaranteed not to crash Windows...
Re: (Score:2)
Some of the Windows programmers I work with certainly know how to do this.
Re: (Score:2)
Times apparently have changed... Not too long ago this post would have been marked "funny"...
Re: (Score:2)
It made me smile too.
Kids these days, etc..
USB (Score:2, Informative)
USB is problematic anyway. Where I worked if you inserted a flash drive into a computer it would lock you out and send an alert to security. Good way to get fired.
Re: (Score:2)
Gee, if only there were some way to connect storage devices to a computer, which didn't offer the ability to infect and destroy the system.
USB wasn't intended for storage devices to begin with. It was meant for relatively simple/stupid peripherals like keyboards, mice and sound cards. If it only had stayed that way instead of trying to emulate real interfaces like Firewire, things would be perfectly safe. Sure, you could whip up a stick that acts as a keyboard, perhaps with its own remote control. But in that perfect world with no USB storage sticks, who would try and use it? Naah, real men would plug in keyboards they find lying on the parkin
Re: (Score:2)
To me, the whole auto-play thing is bizarre and ridiculous from any basic security standpoint. In high-security situations, they (USB drives) can/arguably-should be blocked whether physically or at the OS level.
Re: (Score:2)
This is not an auto-play bug. Auto play is disabled by default nowadays.
The problem happens before auto-play - basically you present a filesystem so corrupted that the filesystem driver aborts, which causes the kernel to stop. Windows happens to try to mount every partition it can automatically, so if you present a filesystem so corrupt it aborts the filesystem driver, it can kill the kernel.
Of course, Linux is som
Re: (Score:2)
> USB wasn't intended for storage devices to begin with.
Even if this were true (it isn't) you are grossly naive.
> It was meant for relatively simple/stupid peripherals like keyboards, mice and sound cards.
The USB mass storage class (USB MSC) is close to the safest of them.
A rogue USB device that declares itself a keyboard (HID) can do pretty much anything it wants to your machine, such as open a terminal window, write some code into a source file, compile it, and then execute it.
This isn't just speculation... it was labeled "BadUSB" and was one of the main topics at the Black Hat USA conference in 2014: here is a video of one of the talks. [youtube.com]
But tha
Re: (Score:1)
OK, I may be missing some really well hidden sarcasm here but it is hard to take you seriously when you say things like that. Perhaps you meant Thunderbolt? Because Firewire is so insecure everyone recommends that you disable it on the few devices that still have it. Firewire's design was a security nightmare from the start. The devices are peers and can read and in some cases write each
Re: (Score:3)
Comment removed (Score:4)
Re: (Score:3)
"Your network administrator and IT department need to be fired and replaced with people who know what they are doing."
You go into any casino talking that nonsense and the Gaming Commission of almost every state, if not the Feds, would utterly rape you in court and then bar you from ever working in that field ever again.
There are places where full physical security of the device is an absolute requirement, right down to every port being behind a physically-locked plate and literally every cable tied down and
Re: (Score:2)
"There are places where full physical security of the device is an absolute requirement, right down to every port being behind a physically-locked plate and literally every cable tied down and locked."
This certainly didn't protect Iran's centrifuge lab. Stuxnet was delivered to the lab on a memory stick. Just goes to show where there's a will there is always a way.
Re: (Score:2)
> There are places where full physical security of the device is an absolute requirement, right down to every port being behind a physically-locked plate and literally every cable tied down and locked.
Well, you have apparently never been anywhere important in a casino, I frequent casinos for work in vegas all the time. That is not how it is.
Re: (Score:2)
"I frequent casinos for work in vegas all the time"
Try California where we are a whole lot more strict, and even simply changing your lighting in a casino from incandescent to LED requires a full review from the GC.
I install the lighting. I have to chat with CAGC every single fucking time.
Re: USB (Score:2)
Re: (Score:2)
The reason they didn't want flash drives connected was to avoid people copying files to them.
Re: (Score:2)
That's so sweet. Flash drives are sooo trivial. You fucking muppet.
Another exploit (Score:2)
I've found another similar exploit.
If you pull on the flexible plastic tube that links the computer to the wall, the computer will abruptly shut down without warning. Sometimes, you may even *corrupt* the file system, if you time it right! And Microsoft refuses to acknowledge this as a severe vulnerability! Crazy!
Re: Another exploit (Score:2)
Re: (Score:2)
Strange (Score:3)
Re: (Score:1)
Well, go ahead and build this USB image and plug it in
Windows will ask you something, alright: whether IRQL is not less or equal
Re: (Score:2)
Re: (Score:2)
Notice that it asks you what you want to do while looking at the files and proposing things such as opening the pictures on it?
This isn't about auto-play, it's about auto-mount, something that every desktop OS does.
Just tried it (Score:5, Interesting)
Doesn't work, at least on a (since Jan 2018) unpatched Win7 Home Premium system. "The file or directory is corrupt and unreadable" when trying to access the drive even. Maybe I have to patch it?
Re: (Score:2)
Note that it was x86 Windows install, not sure if that has anything to do with it.
Re: (Score:1)
It was already patched via an update... Without credit to Tivadar.
Won't be fixed (Score:1)
> even if the computer is in a locked state
I feel this bug won't be fixed by M$ because this is a very important feature for authorities. This is an intentional feature so TLA can just stick-in their USB toolkit and unlock any machines at will at checkpoints and airports.
Sorry, this is a secret feature and NOT A BUG.
Re: Won't be fixed (Score:2)
Re: (Score:2)
Re: Foolish Hackers (Score:2)
Well ... (Score:2)
Well it is a quick way to turn off a Windows PC
Well makes for a great system lock
Well at least the screen looks scary, with that on the PC at Starbucks, no one will steal the laptop
I will be here all week, tip the waitresses
Re: Well ... (Score:2)
"unstated ability to get access to systems" (Score:2)
Date: September 28, 1999.
Weldon statement. [techlawjournal.com]
Coincidence? (Score:1)
The full ar [zorinaq.com]
Re: (Score:2)
Linux
Not by default. At least my Debian system won't. I get an icon and then I've got to mount it manually. If I lock my screen/keyboard, plugging in a USB drive does nothing.
Re: (Score:2)
Not impressed... (Score:2)
What is the point ? If I have physical access to the machine I can induce the equivalent of a BSOD by unplugging the fsck'n thing. Why bother with a USB stick to make it crash ? Seems like an exercise in stupidity. I've discovered that I can crash your computer even if locked if I can get physical access to it by picking it up off the shelf and throwing it to the floor. Rinse, repeat....
Re: (Score:2)
> What is the point ? If I have physical access to the machine I can induce the equivalent of a BSOD by unplugging the fsck'n thing. Why bother with a USB stick to make it crash ? Seems like an exercise in stupidity. I've discovered that I can crash your computer even if locked if I can get physical access to it by picking it up off the shelf and throwing it to the floor. Rinse, repeat....
I think if you thought about it a while, you might find that if you wanted to do some damage, that thumb drive might allow you to walk in, plug in, BSOD, and walk out without destroying anything at the scene of the crime. Think about it.
I notice you didn't have a similar "This is no problem" for the social engineering aspect.
I know that it is fashionable to believe that Windows has no problems, but seems like it's taking denial these days to exonerate the Perfect OS.
Re: (Score:2)
Wouldn't unplugging the machine do the same thing ? I can't think of ANY OS that doesn't have 'problems', and I've worked on more than my fair share, from DOS/VSE, to OS/360, to VM/XA, TMDS, OS/2, Windows, Unix, Linux, Solaris, and many others, classified as programming languages and/or OS's. The so called 'social engineering' aspect is beyond the hacking aspect. You can educate the ignorant, but stupid is forever, besides how do you socially engineer someone to put a USB stick with some code into a machin
Re: (Score:2)
> Wouldn't unplugging the machine do the same thing ?
Oh hell, let's just call it a Windows feature.
Re: (Score:2)
> how do you socially engineer someone to put a USB stick with some code into a machine
"Hi, I'm here for an interview. Oh shoot I spilled coffee on my resume. Could you please print a copy for me? It's on this thumbdrive."
Re: (Score:2)
There would be another available opening if anyone mounted a USB stick of any sort, let alone one brought on site by non employee. I've been to places that have USB ports disabled or had local mice plugged in and had locked covers over the input to prevent adding anything. But I generally don't work for very small offices so I guess that kind of stuff must still occur.
Re: (Score:2)
Re: (Score:2)
Worth adding that a crash can often be turned into an exploit with a little work..
Exactly.
Re: (Score:2)
unplugging the computer doesn't lead to buffer overflow exploits. Breaking the kernel can (though this one doesn't seem to yet).
Wait...What? (Score:2)
So physical access and social engineering aren't problems now?
Re: (Score:3)
> Microsoft downgraded the bug's severity because exploiting it requires either physical access or social engineering (tricking the user).
> So physical access and social engineering aren't problems now?
Theft and idiocy are not things that can be fixed with software updates.
Re: (Score:2)
> Microsoft downgraded the bug's severity because exploiting it requires either physical access or social engineering (tricking the user).
> So physical access and social engineering aren't problems now?
> Theft and idiocy are not things that can be fixed with software updates.
Go onto a college campus, or perhaps a library. Computers everywhere. Or a doctor's office. I understand perhaps your idea of computer security might be armed guards with orders to terminate with extreme prejudice anyone that gets within a ten meter kill zone of the computer - but hey, if you are willing to accept the idea that your computer can be BSOD'd with a simple geek stick, then call it a feature. Much damage can be done that does not require your break the computer sens of how things are done.
Re: Wait...What? (Score:2)
If you find a USB stick somewhere - aren't you curious about the content?
Re: (Score:2)
No, because some of us are aware of USB kill sticks [slashdot.org].
Some people are aware, some people are not. I've personally seen computers owned by geek sticks handed out at trade shows. Weird that Windows fans would stand in defense of a big problem by re-defining it as no problem.
Re: (Score:2)
> If you find a USB stick somewhere - aren't you curious about the content?
I used to keep a sacrificial Windows machine around for the very purpose of plugging in suspect CDs and thumb drives.
Pop 'em in, and see what happens.
A lot of people don't realize how many of us have been exploited.
Re: (Score:2)
Yes I am curious. That's why I boot into a Linux Live-CD and make sure my hard drive is not mounted before I plug in the thumbdrive.
Re: (Score:2)
> So physical access and social engineering aren't problems now?
Not ones warranting rolling out fixes to prevent an otherwise secure computer from crashing and remaining secure.
Re: (Score:2)
If you were literate, you'd know "downgraded" is not the same as "we're going to ignore it".
Re: (Score:2)
> If you were literate, you'd know "downgraded" is not the same as "we're going to ignore it".
Okay - when is the projected fix date? I've heard "downgraded" a lot over the years. It means very well we're going to ignore it.
Otherwise, you hear "We'll work on it after all of the other problems are fixed." Or something. Since that never happens, it means "we'll ignore it."
It also tells me that there are a whole lot of other really critical problems going on that require immediate and intensive work on successful ongoing exploits that are sucking up all of our time.
Either that or "we're just go
Re: Wait...What? (Score:2)
Re: Wait...What? (Score:2)
Re: (Score:2)
What is hard for you to understand levels of severity? It's fucking explained right there. Are you not in ANY technical field where there's multiple levels of severity? Like holy fuck, that's some basic newbie type questioning. This is a fucking tech site.
Sure there are various levels of severity. Would you bet 20 years of your life that this is not and will not be a problem? You don't ignore vulnerabilities. Plus, your completely dismissive attitude about this makes you a security risk. You know how many of the security incidents happen? People just like you - If you worked for me, and went into that rant, you'd have an appointment with security waiting for you the second you left my office. You are not the genius you think you are.
Re:Autoplay (Score:5, Informative)
Actually, no, Autoplay doesn't have to be enabled, what the researcher meant is that the OS auto-mounts the image anyway, guaranteeing the crash.
Comment removed (Score:5, Informative)
Re: (Score:2)
Some people's children. My thoughts when I read it was "Windows XP was the first consumer OS from Microsoft to have NTFS" And maybe even the first period? I was kind of young when it came out.
Re: (Score:1)
I'm not a racist, I even have a color TV!
Re: (Score:3, Interesting)
Offtopic but racism damages society so the comment needs a response. Trump is not racist because he frowns at black people. Trump is racist because he encourages racism in his voting base. "Mexicans are rapists and drug dealers" "there are faults on both sides" "Ban on all Muslims until we figure out what is going on" etc.
His administration goes all out to increase conflict just like a tooth and claw business does in the capitalist economy. Politics is not like business in the capitalist economy because cru
Re: Autoplay (Score:2)
Still Autoplay is one of the worst features ever from a security perspective.
Re: (Score:2)
Still this isn't auto play, and every modern desktop OS mounts the image when plugged in. Happens on Macs, happens on Linux too.
Re: (Score:2)
I'm fully aware of that this was automount, but Autoplay is even worse.
It's also one thing to crash a computer another to inject malware. If it had been possible to inject malware through the automount then it would be really bad.
Re: (Score:2)
Actually, I run Debian, and have run variants for years. They do not automount, they read the disk structure, and you have to actually click mount to mount the drive. And from command line you have to also be root.
Re: (Score:2)
I said modern desktop OS :-P
Mind you the entire topic really is quite moot. If someone can get to a position where they can insert the USB stick to crash your system they could just as well simply turn off the power and move on with their lives :)
Incidentally Debian used to offer auto-mounting via udev but systemd broke that functionality ...
Re: (Score:2)
Do you not consider it modern because it's stable? Modern hardware (R7-1700 + GTX1070 + NVME Drive) handles anything I can think of throwing at it. I know it's popular to rip on Systemd, I personally have never had an issue with it. Sure I don't like the way it logs. Pain in the ass IMO. Other than that it's pretty stable. And if you don't like it, you can spend the time to remove it and use whatever you wish. Power of Linux!
But seriously I don't think I have ever had a Linux OS that would mount a USB drive on
Re: (Score:2)
> Do you not consider it modern because it's stable?
It was a joke. Lighten up a bit man, you'll work yourself up a stroke at this rate.
> But seriously I don't think I have ever had a Linux OS that would mount a USB drive on its own if you inserted it
Shit Mandravia did it back before the USB days for CDs. It blew my mind to think Linux at the time was trying to be user friendly. Anyway I grew up since then.
Pretty much every desktop with Gnome does it too since it's a Gnome default to automount CDs and USB. You can control it via dconf: org.gnome.desktop.media-handling.
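As an added example (not part of the comment above and not GNOME's own tooling), this shell audit checks the `org.gnome.desktop.media-handling` keys the poster refers to. The key names `automount`, `automount-open` and `autorun-never` belong to that schema; the sample input is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit GNOME removable-media handling (not from the thread).
SCHEMA=org.gnome.desktop.media-handling

# Constructed sample input in the "schema key value" format printed by
# `gsettings list-recursively`; illustrative values, not captured output.
SAMPLE_WEAK="$SCHEMA automount true
$SCHEMA automount-open true
$SCHEMA autorun-never false
$SCHEMA autorun-x-content-ignore @as []"

SAMPLE_HARDENED="$SCHEMA automount false
$SCHEMA automount-open false
$SCHEMA autorun-never true"

# Reads settings lines on stdin and prints one FINDING per risky value.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_media_handling() {
    awk -v schema="$SCHEMA" '
        $1 != schema { next }          # ignore lines from other schemas
        $2 == "automount" && $3 == "true" {
            print "FINDING automount=true: inserted media is mounted, so a filesystem driver parses it without a user action"
            bad = 1
        }
        $2 == "automount-open" && $3 == "true" {
            print "FINDING automount-open=true: a file manager window opens on the new volume"
            bad = 1
        }
        $2 == "autorun-never" && $3 == "false" {
            print "FINDING autorun-never=false: autorun prompts for media content are allowed"
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Per-user hardening. A system-wide, non-overridable policy needs a
# dconf database entry plus a lock file, which this sketch does not write.
harden_media_handling() {
    gsettings set "$SCHEMA" automount false &&
    gsettings set "$SCHEMA" automount-open false &&
    gsettings set "$SCHEMA" autorun-never true
}

# Live check, only when gsettings exists on this machine.
if command -v gsettings >/dev/null 2>&1; then
    gsettings list-recursively "$SCHEMA" 2>/dev/null | audit_media_handling ||
        echo "run harden_media_handling to switch these off for this user"
fi
```

Feeding `SAMPLE_WEAK` to `audit_media_handling` yields three findings; `SAMPLE_HARDENED` yields none.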
Re: (Score:2)
I never liked mandrake much and rarely used it. normally stuck with RHEL's and Debian based distros.
> Pretty much every desktop with Gnome does it too since it's a Gnome default to automount CDs and USB
That makes sense why I haven't noticed it, I haven't used Gnome since the late 90's. I'm a KDE Fan. And KDE would never mount anything I didn't explicitly tell it to. Gnome has been worthless since version 2. Gnome 3 IMO isn't even usable. Worse than windows 10.
Re: (Score:2)
Re: (Score:2)
The closest I have come to "Easy As Windows" Linux Distros is Ubuntu with KDE. I have never personally used mint past an install for a friend/family member. And that was just to get them started on something I heard was easy to learn on to keep the headache off of me lol. It worked rather well I guess as I rarely get the call of "How do I do this, I have already googled and can't figure it out" You know what they say. Set a man on fire, He will think you're Microsoft, Teach a man to Fire, And he will Compile
Re: Autoplay (Score:1)
I remember how much I flamed Linux for not auto mounting removable media back in 90s. Now, almost all of them do.