May 29 2017

The “Bad File Path” Hack’s Back: New Bug Exploit Could Crash Non-Win10 Windows Installations

Retro is the new modern: a Russian programmer recently spotted a bug in NTFS 3.1, the file system that's been employed to 'keep together' all Microsoft operating systems since the days of Windows XP. As it happens, this bug can be used to tamper with computers running Windows 7 and Windows 8.1 as well as the occasional age-defying Vista machine.

If you don't consider these Windows versions to be specifically "retro," stay calm: the term refers to the bug itself (and the resulting exploits) rather than to the operating systems mentioned above. According to its spotter, who goes by the nickname Anatolymik and supposedly works for the Moscow-based security outfit Aladdin RD, the problem lies in the way the affected Windows versions handle so-called special filenames, names that denote certain files users normally don't have access to, and the paths that point to them.

The concept of special filenames was introduced early in NTFS history; originally, the idea was to find a way to represent hardware devices instead of actual files. Some 20 years ago, this would crash PCs whenever users tried to access files via paths that included a double reference to a particular device, such as "c:\con\con", where "con" stands for console, the keyboard-monitor combination. Not too surprisingly, miscreants soon exploited that bug from afar, typically by tricking web browsers into trying to load images from a non-existent file located at "c:/con/con".

The concept of special filenames was carried over to later Windows versions, where it was used to block access to the $MFT (Master File Table) file, which resides on every NTFS volume and is of paramount importance on any disk partition: it not only lists all files on the volume, but also their physical location on the hard drive, their logical location inside folders, and numerous types of metadata. Users normally can't access that file, because doing so would put them at risk of accidentally erasing all their data. However, while writing a file-system filter, Anatolymik noticed that whenever he used "$MFT" as a directory name and ran the filter, local Windows 7/8.1 installations would freeze or crash. The only way to revive the affected systems was a reboot. And just like its predecessor from the 1990s, the newfound bug is open to remote exploitation via bad file paths embedded in URLs. So it looks as though history does indeed repeat itself; the question is whether this time around attackers will still be content with simply causing system crashes, or whether they will find ways to combine this rather basic hack with more advanced malware.
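The defensive lesson of both the old "con\con" bug and the new "$MFT" one is the same: an application (a web server, a download handler, a file-serving proxy) should never hand a user-controlled path to the operating system if any component of that path names a device or a file-system metafile. The following Python helper is an added example and is not code from the article or from Anatolymik's report; it treats a path as a list of components and flags any that resolve to a DOS device name or an NTFS metafile before the path ever reaches Windows. The DOS device set (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and the NTFS metafiles beyond $MFT ($MFTMirr, $LogFile, $Volume and so on) are the standard Windows names, included here as general knowledge rather than taken from the article; the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# DOS device names are reserved as path components regardless of extension or
# trailing spaces: "con.txt" and "CON " both still resolve to the console device.
DOS_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# NTFS metafiles (compared case-insensitively). $MFT is the one the article
# discusses; the rest are the standard NTFS system files, listed for completeness.
NTFS_METAFILES = {
    "$MFT", "$MFTMIRR", "$LOGFILE", "$VOLUME", "$ATTRDEF", "$BITMAP",
    "$BOOT", "$BADCLUS", "$SECURE", "$UPCASE", "$EXTEND",
}


def reserved_components(path: str) -> list[str]:
    """Return every path component that names a DOS device or an NTFS metafile.

    Both '\\' and '/' are accepted as separators, because Windows treats them
    alike and attackers can pick either. An empty list means the path is clean.
    """
    hits = []
    for comp in re.split(r"[\\/]+", path):
        if not comp:
            continue
        # Windows matches device names on the part before the first dot and
        # ignores trailing spaces, so normalise the same way before comparing.
        base = comp.split(".", 1)[0].rstrip(" ").upper()
        if base in DOS_DEVICE_NAMES or base in NTFS_METAFILES:
            hits.append(comp)
    return hits


def path_from_url(url: str) -> str:
    """Extract the percent-decoded path part of a URL (e.g. a file:// link).

    Decoding is essential: "%24MFT" is "$MFT" once the OS sees it, and a check
    that runs before decoding would be bypassed by the encoded form.
    """
    return unquote(urlsplit(url).path)


def is_safe_local_path(path: str) -> bool:
    """True when no component of the path is a reserved name."""
    return not reserved_components(path)


# Constructed sample inputs: the two historical patterns from the article
# alongside ordinary paths that must pass.
SAMPLE_URLS = [
    "file:///c:/con/con",            # 1990s console double-reference
    "file:///c:/%24MFT/123",         # encoded $MFT directory component
    "file:///c:/Users/alice/report.txt",
]


def screen_urls(urls: list[str]) -> dict[str, bool]:
    """Map each URL to whether its path is safe to hand to the OS."""
    return {u: is_safe_local_path(path_from_url(u)) for u in urls}


if __name__ == "__main__":
    for url, ok in screen_urls(SAMPLE_URLS).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {url}")
```

The check deliberately works on path components rather than on a substring search for "$MFT", so that a legitimate file called "my$MFTnotes.txt" is not rejected while "$mft", "$MFT.", or "c:\x\$MFT\y" are. Run it as a gate in front of any code that opens, stats, or serves a path derived from user input on the affected Windows versions.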

While this is a rather unsettling prospect, we can end this newsflash on a more positive note: for now, a remote exploit could only target Internet Explorer and Firefox users on devices running Windows 7 or 8.1. Users of the Chrome browser are safe on either platform, as are users of Windows 10.

For more information, please see the reports at Bleeping Computer and Ars Technica (the latter omits the original source). If perchance you happen to read and write Russian, check out the original bug report at Habrahabr, the IT news service that first ran it.

