In a throwback to the ’90s, NTFS bug lets anyone hang or crash Windows 7, 8.1

It's like the c:\con\con bug all over again.

Ars Staff – May 25, 2017 9:45 PM | 135

Those of you with long memories might remember one of the more amusing (or perhaps annoying) bugs of the Windows 95 and 98 era: certain specially crafted filenames could make the operating system crash. Malicious users could use this to attack other people's machines by using one of the special filenames as an image source; the browser would try to access the bad file, and Windows would promptly fall over.

It turns out that Windows 7 and 8.1 (and Windows Vista, but that's out of support anyway) have a similar kind of bug. They can be taken advantage of in the same kind of way: certain bad filenames make the system lock up or occasionally crash with a blue screen of death, and malicious webpages can embed those filenames by using them as image sources. If you visit such a page (in any browser), your PC will hang shortly after and possibly crash outright.

The Windows 9x-era bug was due to an error in the way that operating systems handled special filenames. Windows has a number of filenames that are "special" because they don't correspond to any actual file; instead, they represent hardware devices. These special filenames can be accessed from any location in the file system, even though they don't exist on-disk.

Ars Video

While any of these special filenames would have worked, the most common one used to crash old Windows machines was con, a special filename that represents the physical console: the keyboard (for input) and the screen (for output). Windows correctly handled simple attempts to access the con device, but a filename included two references to the special device—for example, c:\con\con—then Windows would crash. If that file was referenced from a webpage, for example, by trying to load an image from file:///c:/con/con then the machine would crash whenever the malicious page was accessed.

The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name—for example, trying to open the file c:\$MFT\123—then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released.Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.

As was the case nearly 20 years ago, webpages that use the bad filename in, for example, an image source will provoke the bug and make the machine stop responding. Depending on what the machine is doing concurrently, it will sometimes blue screen. Either way, you're going to need to reboot it to recover. Some browsers will block attempts to access these local resources, but Internet Explorer, for example, will merrily try to access the bad file.

We couldn't immediately cause the same thing to occur remotely (for example, by sending IIS a request for a bad filename), but it wouldn't immediately surprise us if certain configurations or trickery were enough to cause the same problem.

Microsoft has been informed, but at the time of publication has not told us when or if the problem will be patched.