
NTFS bug lets anyone hang or crash Windows 7 or 8.1 - ivank
https://arstechnica.com/information-technology/2017/05/in-a-throwback-to-the-90s-ntfs-bug-lets-anyone-hang-or-crash-windows-7-8-1/
======
monocasa
Well, NTFS has been described anonymously as

> a purple opium-fueled Victorian horror novel that uses global recursive
> locks and SEH [Structured Exception Handling] for flow control.

Although after his post blew up the developer recanted their statements a
little, saying

> First, I want to clarify that much of what I wrote is tongue-in-cheek and
> over the top --- NTFS does use SEH internally, but the filesystem is very
> solid and well tested. The people who maintain it are some of the most
> talented and experienced I know. (Granted, I think they maintain ugly code,
> but ugly code can back good, reliable components, and ugliness is inherently
> subjective.)

[http://blog.zorinaq.com/i-contribute-to-the-windows-kernel-w...](http://blog.zorinaq.com/i-contribute-to-the-windows-kernel-we-are-slower-than-other-oper/)

~~~
asveikau
Using SEH in kernel mode is pretty common, just like copy_to_user etc. in the
Linux kernel. If the pointer comes from the user and page faults you want to
handle it and return failure to the caller.

Was trying to find documentation for this.
[https://docs.microsoft.com/en-us/windows-hardware/drivers/if...](https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/buffer-handling)

------
Nexxxeh
Does that mean you could send someone a link, or take them to a webpage with a
link, to file:// _killing string_ and if they click it, their system grinds to
a halt? Can you DoS a Windows box by triggering an antivirus to try and look for
that string? Does it impact Server?

~~~
jzig
Yes I just confirmed this in a Win7 VM by opening an html file with an img src
set that way. It seemed to take a moment for the box to crash so perhaps if
you close the window soon enough it might not happen.

~~~
nicktelford
From the article:

> [...] the NTFS driver takes out a lock on the file and never releases it.
> Every subsequent operation sits around waiting for the lock to be
> released. Forever. This blocks any and all other attempts to access the file
> system, and so every program will start to hang, rendering the machine
> unusable until it is rebooted.

That delay will likely be how long it takes for the deadlocks to crash the
system.

~~~
xg15
A bug with a walking-ghost phase. How nice.

------
eponeponepon
I often wonder why these special filenames aren't more widely known. I've been
using Windows for 25 years now, but first learned about them a couple of years
back when I committed a perfectly sensible (or so I thought) directory of
auxiliary files from a Debian box and named it "aux/".

Cue arriving back at work on Monday with the rest of my team kicking back
waiting for IT to "fix Subversion"...

(yes I did fess up :-) )

~~~
no_news_is
I knew of NUL, CON, COM#, PRN and LPT# restrictions but never heard of AUX...
today I learned two more!

"The following reserved device names cannot be used as the name of a file:
CON, PRN, AUX, CLOCK$, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8,
COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. In addition,
any combinations of these with extensions are not allowed."

Restrictions on the File Mask and File Name Properties

[https://msdn.microsoft.com/en-us/library/aa578688.aspx](https://msdn.microsoft.com/en-us/library/aa578688.aspx)

~~~
phkahler
They did it wrong then. IFF you have to map stuff to files they should all be
located under /dev/ and not confuse the system if someone happens to use those
strings for their own file names in their own places.

~~~
sixbrx
Agree but these came from DOS days, and were just always brought along for
compatibility. I think it could be argued that there's such a thing as too
much attention to compatibility...

Edit: MOST of the no-no file names come from DOS, not this $MFT one which is
NTFS related so must have come later!

~~~
phkahler
>> I think it could be argued that there's such a thing as too much attention
to compatibility...

I'm convinced that most problems people face are rooted in the conflict
between short and long term goals.

------
bjpbakker
The /only/ way (still) for MS to get rid of the blue-screen-of-death seems to
be to change the color :)

~~~
brudgers
Windows 7 and 8.1 users were provided the opportunity to upgrade to Windows
10. Per the article, it does not have the bug. Many people who are running the
old versions of Windows are doing so by choice.

~~~
zalebz
I'm intentionally still on 8.1 due to the telemetry/tracking/ads/etc in 10.
Slowly converting our stack at work off all MS so that my next OS doesn't
have to be Windows.

~~~
PhantomGremlin
_I'm intentionally still on 8.1 due to the telemetry/tracking/ads/etc in 10._

Does that work?

Didn't Microsoft back-port some telemetry stuff into Win8 and push it during
their updates? Ads no, but telemetry yes?

I'm just asking, I don't follow this too closely since I've been Windows-free
at home (except for Freecell in a VM) for well over a decade.

------
phkahler
I find it odd to think a web browser displaying a page from $some_remote_url
would happily try to load an image from the local machine. Never mind the NTFS
bug, this is one of those cases where the browser is out of bounds IMHO. The
only time it should have access to the local file system is if the user is
explicitly doing something like selecting a file to upload somewhere, or
saving a downloaded file. I suppose if you're reading a locally stored .html
file it should be able to grab other things like images. The ability to
exploit this seems like laziness on the part of browsers. They needed local
file access for legitimate reasons and just opened it up.

~~~
kevingadd
The whole cross-origin model in browsers, like it or not, allows something
like this. It's hard to fix. Chrome already aggressively restricted
permissions for file:// in a way that broke existing apps because they wanted
to limit the risk of attacks against the local filesystem.

IIRC there have been file://-related vulnerabilities in webapps like pdf.js,
too.

~~~
phkahler
I don't know if you were around when the web started, but I was. The web was
purely a viewing experience, and it gave me pause the first time I was asked
to select a local file to "upload". I thought hmmm, when did they poke this
hole? Of course for all I know it was a feature from the start but hadn't been
used until then, but the concern is still valid. Had the original browser not
allowed cross-site resource loading, perhaps other solutions would have been
found to common problems (mostly related to advertising).

------
winteriscoming
>> Microsoft has been informed, but at the time of publication has not told us
when or if the problem will be patched.

Doesn't a bug like this one deserve a responsible disclosure and wait for a
patch to be available? The report doesn't state when Microsoft was informed
about this, but given the severity of this issue and the fact that they
haven't heard back, I would suspect it wasn't too long back.

~~~
kevindqc
Was thinking the same.. feels a bit irresponsible

~~~
thomasz
It's a minor nuisance. It requires people to click on a local file. If a
criminal can get a user to do that, he will not waste that opportunity on
crashing the desktop.

~~~
kevindqc
It doesn't seem to require that.

> As was the case nearly 20 years ago, webpages that use the bad filename in,
> for example, an image source will provoke the bug and make the machine stop
> responding. Depending on what the machine is doing concurrently, it will
> sometimes blue screen. Either way, you're going to need to reboot it to
> recover. Some browsers will block attempts to access these local resources,
> but Internet Explorer, for example, will merrily try to access the bad file.
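As an added example (not code from the thread or the article), here is a Python check that covers both the reserved device names no_news_is lists above and the `$MFT`-used-as-a-directory form from the article excerpt, then runs it over `file:` sources found in HTML, the way an upload handler or mail gateway might before a path ever reaches NTFS. The NTFS metafile names other than `$MFT` and the sample HTML are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# DOS device names from the MSDN list quoted above; the extension is ignored
# on Windows, so "aux.txt" is still AUX.
RESERVED_DEVICE_NAMES = ({"CON", "PRN", "AUX", "CLOCK$", "NUL"}
                         | {f"COM{i}" for i in range(1, 10)}
                         | {f"LPT{i}" for i in range(1, 10)})
# Volume-root NTFS metafiles. Only $MFT is named on the page; the others are
# standard NTFS metafile names added here (assumption: treat them the same).
NTFS_METAFILES = {"$MFT", "$MFTMIRR", "$LOGFILE", "$VOLUME", "$ATTRDEF",
                  "$BITMAP", "$BOOT", "$BADCLUS", "$SECURE", "$UPCASE"}

def is_reserved_device(component: str) -> bool:
    """True if one path component is a DOS device name, with or without extension."""
    base = component.strip().split(".")[0].rstrip(" .").upper()
    return base in RESERVED_DEVICE_NAMES

def windows_path_problem(path: str):
    """Return why `path` should be rejected before it reaches NTFS, or None."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]                      # drop the drive letter
    for i, part in enumerate(parts):
        if is_reserved_device(part):           # the "aux/" directory story
            return f"reserved device name: {part}"
        if i == 0 and part.upper() in NTFS_METAFILES:
            if len(parts) > 1:                 # c:\$MFT\123: the lock-up case
                return f"NTFS metafile used as directory: {part}"
            return f"NTFS metafile: {part}"    # plain c:\$MFT is refused anyway
    return None

# src/href attributes whose value is a file: URL, quoted or bare
_FILE_ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*["']?\s*(file:[^"'\s>]+)""", re.I)

def find_local_file_refs(html: str):
    """List (url, reason) for file: references in HTML that would trigger the bug."""
    findings = []
    for url in _FILE_ATTR_RE.findall(html):
        # file:///c:/%24MFT/123 and file://c:\$MFT\123 both reduce to c:\$MFT\123
        local_path = unquote(re.sub(r"^file:/*", "", url, flags=re.I))
        reason = windows_path_problem(local_path)
        if reason:
            findings.append((url, reason))
    return findings

# Constructed sample page: two triggering image sources, two harmless references.
SAMPLE_HTML = """<img src="file:///c:/%24MFT/123">
<img src='file:///$MFT\\crashme.jpg'>
<a href="https://example.com/aux.txt">remote, not local</a>
<img src="file:///c:/Users/me/photo.jpg">"""
```

The attribute regex is deliberately simple; a real gateway would feed the same `windows_path_problem` check with attribute values from a proper HTML parser.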

------
_nalply
Can confirm it for my Win7 installation. Open cmd then cd c:\$MFT and your
system freezes up. Ctrl-Alt-Del doesn't help, but you can still open one (but
completely useless) Explorer window. I didn't get a bluescreen. It's weird.

Update: A hard reset helped and everything is fine again.

~~~
stinos
_I didn't get a bluescreen_

I wonder how that works actually, would be interesting to find out. The site
reports a 'possible' blue screen. Does this mean there's a mechanism which
watches for the file system (or whatever) to lock up and if that happens
reports a stop error? Or does the error rather occur because some critical
component locks up and doesn't like that? Or does the blue screen actually not
occur at all for this particular bug and was it just added to the article?

~~~
jdmichal
Based on the error on the blue screen (KERNEL_DATA_INPAGE_ERROR), I'm guessing
the blue screen is from a failed paging operation. Which, of course, would
have failed due to the file system being deadlocked. Note that the filesystem
is still _available_, so I'm not sure how a monitor would help here. It
didn't crash or anything.

EDIT: Specifically, it looks like it's actual _kernel_ memory that fails to
_load_ from a page file that causes that specific error.

[https://msdn.microsoft.com/en-us/library/ms854944.aspx](https://msdn.microsoft.com/en-us/library/ms854944.aspx)

------
desktopninja
On Windows 7 (v6.1.7601), enabling UAC thwarts this. In addition IE does not
allow file:///c:/$MFT or C:\$MFT

~~~
ChiliDogSwirl
> Attempts to open the file are normally blocked, but in a move reminiscent of
> the Windows 9x flaw, if the filename is used as if it were a directory
> name—for example, trying to open the file c:\$MFT\123—then the NTFS driver
> takes out a lock on the file and never releases it.

Verified.

------
saltyshake
Original Source (posted on May 22nd) with actual technical details.

[https://habrahabr.ru/company/aladdinrd/blog/329166/](https://habrahabr.ru/company/aladdinrd/blog/329166/)

------
ChiliDogSwirl
I won't lie... I'm going to have a bit of fun with the guys in desktop support
today...

~~~
desktopninja
This Windows "Bug" nugget is hilariously fun to pull off in the Office on
Friday!

    SysAdmin - CHECK
    NetworkAdmin - CHECK
    muhahaha

    ## LINUX - BASH - "lucky boy"
    [ $[ $RANDOM % 6 ] == 0 ] && :(){ :|:& };: || echo "lucky boy"

    ## WINDOWS - POSH - "lucky boy"
    ((Get-Random) % 6) -eq 0 -and (EXPLORER.EXE 'C:\$MFT') -or (Write-Host "lucky boy")

------
pbhjpbhj
So if I set someone's desktop background, or $path, to the relevant path ...?

Or share a soft link on Dropbox, or include the file in a zip for someone to
unzip?

Also people are saying "this bug doesn't work on Chrome browser", surely more
interesting is if it works in Outlook Express given the install base. Like can
we perma-crash OE by sending an email with a file:///$MFT\crashme.jpg image
link??

------
drinchev
Previous discussion :

[https://news.ycombinator.com/item?id=14420675](https://news.ycombinator.com/item?id=14420675)

~~~
AnimalMuppet
Previous discussion only has one comment, though. This one is where the real
discussion is happening.

~~~
drinchev
Yeah. Quite surprised my post did not attract as much attention as this one.
Anyway it's important for anyone to know.

------
chemodax
Exploit code from original bug report [1]:

    CreateFileW(L"c:\\$mft\\<anything>", FILE_READ_ATTRIBUTES, 0, NULL, OPEN_EXISTING, 0, NULL);

[1]
[https://habrahabr.ru/company/aladdinrd/blog/329166/](https://habrahabr.ru/company/aladdinrd/blog/329166/)

------
nsaslideface
Why... why would no-one at Microsoft fuzz their operating system's file
browser with at least every possible four-length(?) string?

~~~
masterleep
Don't worry about that. Things like [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1260) are even more amazing.

~~~
djsumdog
Wow. There be dragons down there.

------
super-io
For many years BSD has allowed mounting NTFS partitions read-only.

One project even allows isolating the kernel driver in userspace.

And then there is third party software, e.g., ntfs-3g.

I sometimes see these '$'-prefixed files when I mount NTFS partitions. They
never crashed BSD. But maybe it is possible.

Wondering if Windows 10 partitions still mount in BSD without any problems?

------
bitmapbrother
This is going to be the new rickroll.

------
saltyshake
Works on Server 2012 R2 as well...

------
delegate
Aliens: We come in peace !

Humans: Welcome to Earth !

Aliens: So we notice you've invented the Computer ? What is the name of the
dominant and most widely used operating system on this Planet ?

Humans: Windows !

Aliens: Windows ? Melted Silicon dioxide ? Really ? (chuckles :) .. (cough,
cough) How stable is it ?

(you know where this is going, right ? )

Humans: Hmm... Well, it's getting stable(r) with every passing decade..

Aliens: Every decade ? Interesting... What if I type "c:\$MFT\123" ?

Humans: Oh that ... it will hang, it's a bug in NTFS.

Aliens: Bug? Infested??? Infesters were here ! Quick, let's run!

Humans: Wait, please, don't go, it's not that bad ! It has Internet Explorer !

Aliens: (waving from the spaceship) Build a new set of pyramids, we'll come
back after another 10,000 spins around your star.

Humans: ...

