Rogue code on USB triggers BSOD on Windows PCs, even if it’s locked
Marius Tivadar, a malware researcher at BitDefender, a cybersecurity and anti-virus software company, has published proof-of-concept (PoC) code on GitHub that can cause the dreaded Blue Screen of Death (BSOD) and crash a Windows machine within seconds, even if the system is locked.
According to Tivadar, the code exploits a vulnerability in Microsoft’s handling of NTFS (New Technology File System) images that can be used to trigger a blue screen of death.
Explaining the PoC code on GitHub, Tivadar said, “One can generate Blue Screen of Death using a handcrafted NTFS image. This denial-of-service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.”
The malware researcher’s PoC consisted of a malformed NTFS image stored on a USB thumb drive; when the drive was inserted into a Windows PC, the system crashed within seconds.
“Auto-play is activated by default,” Tivadar wrote in a PDF accompanying the PoC’s GitHub project that detailed the bug and its effect.
“Even with auto-play [is] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it.”
Autoplay, which is enabled by default in all versions of Windows, is the root of the problem here. Disabling Autoplay can prevent the NTFS image from automatically crashing Windows systems, but manually opening it has the same result.
According to Tivadar, the auto-play behavior should be changed so that it does not operate while the Windows machine is locked, since the code runs without user consent.
“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine. I may think [of] this as code [that] gets executed without user consent,” he said.
He also suggested that an attacker might modify the PoC and add malware, triggering the crash remotely and opening “thousands of possible scenarios.”
Tivadar had reported the DoS (denial-of-service) attack to Microsoft in July 2017 and included the fake 10MB NTFS image that was able to crash Windows 7 and Windows 10 systems, along with a PoC video.
Microsoft had responded to Tivadar’s PoC by saying, “Your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch).”
According to Tivadar, when the vulnerability was disclosed, Microsoft said it did not want to assign a CVE to it. It did, however, write, “Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so.”
Disappointed over Microsoft’s response, Tivadar published his NTFS image on GitHub recently. However, Microsoft is reported to have issued a fix for the Windows 10 vulnerability.
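The two mitigations mentioned above, turning off AutoPlay for every drive type and, more strictly, refusing removable storage altogether while a fix is pending, both reduce to a handful of documented Windows policy registry values. The script below is an added example written for this article; it is not Tivadar's PoC and not code from the BitDefender project. It audits the current state of those values, and with `-Apply` sets them (the `-Apply` and `-DenyRemovableStorage` switch names and the function names are this script's own). The registry locations are the ones the "Turn off AutoPlay" and "All Removable Storage classes: Deny all access" Group Policy settings write to; it assumes an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from the PoC it describes.
# Audits, and with -Apply hardens, AutoPlay/AutoRun and removable-storage policy.
param(
    [switch]$Apply,                 # write the hardened values instead of only reporting
    [switch]$DenyRemovableStorage   # also block all removable storage classes (strict option)
)

# Written by the "Turn off AutoPlay" policy; 0xFF disables AutoRun on all drive types
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Per-user Settings toggle "Use AutoPlay for all media and devices" (1 = off)
$autoplayHandlers = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
# "All Removable Storage classes: Deny all access" policy (1 = deny)
$removablePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-RegDword {
    # Creates the key if needed, then writes a REG_DWORD value
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-AutoPlayState {
    # One row per setting, so before/after output can be compared
    foreach ($p in $policyPaths) {
        $v = Get-RegValue -Path $p -Name 'NoDriveTypeAutoRun'
        $shown = if ($null -ne $v) { '0x{0:X2}' -f $v } else { '(not set)' }
        [pscustomobject]@{ Setting = "$p\NoDriveTypeAutoRun"; Value = $shown; Hardened = ($v -eq 0xFF) }
    }
    $d = Get-RegValue -Path $autoplayHandlers -Name 'DisableAutoplay'
    [pscustomobject]@{ Setting = "$autoplayHandlers\DisableAutoplay"; Value = $d; Hardened = ($d -eq 1) }
    $r = Get-RegValue -Path $removablePolicy -Name 'Deny_All'
    [pscustomobject]@{ Setting = "$removablePolicy\Deny_All"; Value = $r; Hardened = ($r -eq 1) }
}

Write-Host 'Current state:'
Get-AutoPlayState | Format-Table -AutoSize

if ($Apply) {
    foreach ($p in $policyPaths) { Set-RegDword -Path $p -Name 'NoDriveTypeAutoRun' -Value 0xFF }
    Set-RegDword -Path $autoplayHandlers -Name 'DisableAutoplay' -Value 1
    if ($DenyRemovableStorage) { Set-RegDword -Path $removablePolicy -Name 'Deny_All' -Value 1 }
    Write-Host 'After applying:'
    Get-AutoPlayState | Format-Table -AutoSize
}
```

Run it without switches to see the current state; `.\Harden-AutoPlay.ps1 -Apply` disables AutoPlay for all drive types, and adding `-DenyRemovableStorage` also refuses removable storage entirely. The HKCU values only affect the account the elevated session runs as; for fleet-wide coverage the same settings belong in Group Policy, which writes these locations. As the article notes, disabling AutoPlay only stops the automatic trigger: anything that opens the image, including an on-access scanner, still reaches the crash, which is why the removable-storage deny policy is the stronger interim control.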
Source: Bleeping Computer