An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command.
In multiple tests by BleepingComputer, this one-liner can be delivered hidden inside a Windows shortcut file, a ZIP archive, batch files, or various other vectors to trigger hard drive errors that corrupt the filesystem index instantly.
"Critically underestimated" NTFS vulnerability
When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records.
The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version.
Worse, the vulnerability can be triggered by standard, low-privileged user accounts on Windows 10 systems.
A drive can become corrupted by merely trying to access the $i30 NTFS attribute on a folder in a certain way.
*WARNING* Executing the below command on a live system will corrupt the drive and possibly make it inaccessible. ONLY test this command in a virtual machine that you can restore to an earlier snapshot if the drive becomes corrupted. *WARNING*
An example command that corrupts a drive is shown below.
The Windows NTFS Index Attribute, or '$i30' string, is an NTFS attribute associated with directories that contains a list of a directory's files and subfolders. In some cases, the NTFS Index can also include deleted files and folders, which comes in handy when conducting an incident response or forensics.
It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn't work.
'I have no idea why it corrupts stuff and it would be a lot of work to find out because the reg key that should BSOD on corruption does not work. So, I'll leave it to the people with the source code,' Jonas told BleepingComputer.
After running the command in the Windows 10 command prompt and hitting Enter, the user will see an error message stating, "The file or directory is corrupted and unreadable."
Windows 10 will immediately begin displaying notifications prompting the user to restart their PC and repair the corrupted disk volume. On reboot, the Windows check disk utility runs and starts repairing the hard drive, as demonstrated in the video below.
After the drives become corrupted, Windows 10 will generate errors in the Event Log stating that the Master File Table (MFT) for the particular drive contains a corrupted record.
BleepingComputer's tests also show that you can use this command on any drive, not only the C: drive, and that drive will subsequently become corrupted.
More sophisticated ways to exploit the zero-day
In tests conducted by BleepingComputer, threat actors can use the command maliciously in various PoC exploits.
One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file!
As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file's icon.
To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process.
Next, "restart to repair hard drive" notifications start popping up on the Windows PC—all this without the user even having opened or double-clicked on the shortcut file.
Delivering payload via ZIP archives, HTML files, and various means
Creative attackers can also deliver this payload in a variety of ways to the victim.
While the same-origin policy in most browsers would limit such attacks from being served from a remote server (e.g., a remote HTML document referencing file:///C:/:$i30:$bitmap), creative means exist to work around such restrictions.
The researcher briefly stated that other vectors could be used to trigger this exploit remotely, such as via crafted HTML pages that embed resources from network shares or shared drives that have references to the offending $i30 path.
In some cases, according to the researcher, it is possible to corrupt the NTFS Master File Table (MFT).
During our research, BleepingComputer came across a caveat.
In some tests, after the Windows 10 chkdsk utility had "repaired" the hard drive errors on reboot, the contents of the exploit file (in this case, the crafted Windows shortcut with its icon set to C:\:$i30:$bitmap) would be cleared and replaced with empty bytes.
This means that, when this happens, the crafted Windows shortcut file is only good for a one-off attack.
Besides, a victim is not likely to download a Windows shortcut (.url) file from the internet.
To make the attack more realistic and persistent, attackers could trick users into downloading a ZIP archive to deliver the crafted file.
An attacker can, for example, sneak in their malicious Windows shortcut file with a large number of legitimate files inside a ZIP archive.
Not only is a user more likely to download a ZIP file, but the ZIP file is likely to trigger the exploit every single time it is extracted.
This is because the compressed (and possibly encrypted) contents of the ZIP file, including the Windows shortcut, would not trigger the exploit unless extracted.
And even when extracted, the hard drive repairing process would empty the extracted Windows shortcut file without touching the compressed copy present inside the ZIP archive until the user attempts to re-extract the ZIP.
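As an added defender-side example (not code from the article or the researcher), the following Python flags Internet Shortcut (.url) text whose icon location points at the $i30 attribute stream described above, and scans ZIP archive members for the same path reference so a crafted shortcut hidden among legitimate files can be spotted before extraction. The regex, the sample .url contents and the sample archive are all constructed here.

```python
import configparser
import io
import re
import zipfile
from typing import List, Optional

# Matches an NTFS attribute-stream path such as C:\:$i30:$bitmap (the path
# the article describes), whatever the drive letter or slash style.
I30_PATH = re.compile(r"[A-Za-z]:[\\/]*:\$i30:", re.IGNORECASE)

def references_i30(text: str) -> bool:
    """True if any $i30 attribute-stream path appears in the text."""
    return I30_PATH.search(text) is not None

def url_icon_path(text: str) -> Optional[str]:
    """Return the IconFile value of an Internet Shortcut (.url), if present."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None  # not a well-formed INI-style shortcut
    return parser.get("InternetShortcut", "IconFile", fallback=None)

def suspicious_shortcut(text: str) -> bool:
    """Flag a .url file whose icon location points at the $i30 stream."""
    icon = url_icon_path(text)
    return icon is not None and references_i30(icon)

def scan_zip(data: bytes) -> List[str]:
    """Names of archive members (small text files) that reference $i30."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > 1_000_000:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            if references_i30(text):
                hits.append(info.filename)
    return hits

# Constructed samples, not real files from the article.
CRAFTED_URL = "[InternetShortcut]\nURL=http://example.invalid/\nIconFile=C:\\:$i30:$bitmap\nIconIndex=0\n"
BENIGN_URL = "[InternetShortcut]\nURL=http://example.invalid/\nIconFile=C:\\Windows\\notepad.exe\nIconIndex=0\n"

def build_sample_zip() -> bytes:
    """Constructed archive: a readme, a benign shortcut and a crafted one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Quarterly report attachments\n")
        zf.writestr("benign.url", BENIGN_URL)
        zf.writestr("crafted.url", CRAFTED_URL)
    return buf.getvalue()
```

Because the check runs on the archive bytes rather than on extracted files, it also catches the case the article describes where chkdsk empties the extracted shortcut but the compressed copy survives inside the ZIP.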
According to sources in the infosec community, serious vulnerabilities like these have been known for years and reported to Microsoft earlier but remain unpatched.
BleepingComputer reached out to Microsoft to learn if they knew of the bug already and if they would fix the bug.
“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible,” a Microsoft spokesperson told BleepingComputer.
Update 15-Jan-2021: According to new information, this NTFS issue impacts older Windows XP versions as well. One user has stated that the offending "$i30" path is actually a valid path that is accessed behind the scenes anyway when a user accesses the C:\ directory, but that accessing it directly in the manner described above might be causing unprecedented issues.
Comments
SleepyDude - 2 days ago
Hi,
I didn't see a serious corruption when I tested this on a VM!
After the command the file system is marked as corrupted and chkdsk runs on next boot...
Could the serious corruption be the result of running chkdsk containing the bug reported before? https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-chkdsk-bug-causing-boot-failures/
ironkill25 - 2 days ago
Being that running Chkdsk /f from the command line, which reboots and starts to try to fix errors, can and does corrupt SSDs, my guess is that because the command "cd c:\:$i30:$bitmap" corrupts the Master File Table (MFT), then once invoked, Windows tries to automatically repair the file upon reboot, and it can destroy the SSD in the process. That's just my uneducated guess. I am going to try to corrupt inside Windows Sandbox, then a VM, to see if it does try to reboot and repair. Were these tests done on platter drives or SSD? Or both?
RoRulon - 1 day ago
Thought I'd post this - I tested this on 3 different laptops I have at home tonight:
HP 250 G5 - Fresh install of Windows 10 2004 - SSD Drive (used for testing)
Lenovo ThinkPad Helix Gen 2 - Recent install of Windows 10 2004 with apps installed but little use - SSD Drive (also used for testing)
Lenovo Thinkpad E590 - Recent install of Windows 10 20H2 - SSD Drive (My work laptop, regularly used, but with nothing on it that can't be restored should this brick the drive)
On all three this command returned the result "the file or directory is corrupted and unreadable," with a Security and Maintenance prompt to restart the device. Upon doing so Windows managed to scan and repair the drive successfully on every attempt, usually in a matter of seconds, and have me back at the Windows login screen within a minute. I tested this multiple times on each machine, in some cases running the command in excess of ten times before restarting, and not once did the drives break in such a way that they were unrecoverable.
I'm not saying this isn't a problem or its sensationalized, however the testing I did showed no instance of the drives becoming corrupted beyond repair, or something that Windows couldn't fix in the usual way.
doriel - 1 day ago
Thank you for your Herculean effort. I think on some computers (maybe the ones that already have some inconsistency in the data on the disk), it can corrupt the hard drive. At least it triggers some procedures that are not standard.
Lawrence Abrams - 1 day ago
The results seem varied. In my tests on a VM, it trashed my install as shown by the video in the article.
Other tests on the same VM were resolved easily via Chkdsk. I have no explanation as to why it was easily fixed in some tests and not in others.
emsir - 1 day ago
"Being that running Chkdsk /f from the command line, which reboots and starts to try to fix errors, can and does corrupt SSDs, my guess is that because the command "cd c:\:$i30:$bitmap" corrupts the Master File Table (MFT), then once invoked, Windows tries to automatically repair the file upon reboot, and it can destroy the SSD in the process. That's just my uneducated guess. I am going to try to corrupt inside Windows Sandbox, then a VM, to see if it does try to reboot and repair. Were these tests done on platter drives or SSD? Or both?"
Guessing is not a solution.......
Truster - 1 day ago
Tried this one.
Event NTFS 55 and 98 will be triggered at the moment of trying to access this special directory. It sets the dirty bit. After reboot chkdsk will run multiple times, so the machine would start in "automatic repair mode". Close it, and it will start again in normal mode without any errors in the filesystem (event 98 triggered).
Boring.
BrechtMo - 1 day ago
Would this work on Server OS, e.g. on a remote desktop session host?
doriel - 1 day ago
Sounds to me, like you have some evil deeds :) :D :)
BrechtMo - 1 day ago
Just thinking like a student working in an RDS session during a lesson would think... :-)
Terribleusername - 21 hours ago
Tested this in Windows server 2019 version 1809 and got corrupted disk warning.
dcmax_it - 8 hours ago
I have tested on my Win 10 20H2 and the result is fsutil query dirty, but the computer still works. I have run sfc /scannow without errors; online chkdsk shows the error:
Step 1: Analyzing the basic file system structure ...
The 0x80 type attribute and 0x2b instance tag in the 0xafe0f
has allocated length of 0x4cc00000 instead of 0x4cb90000.
The record attributes (80, $ J) of the AFE0F file record segment
At reboot with autocheck autochk, Windows starts normally without the dirty bit.
Now the question is: which version of Windows goes to BSOD?
tytee - 7 hours ago
I was going insane trying to figure out why my system had been acting up for the past few weeks.
I think this corrupted 3 of my drives, 2 HDDs and 1 SSD. I lost a major chunk of important data and thought a power outage had damaged all 3 of my drives.
Wonder if there's a file/folder that's causing this bug for me, and whether I can repair my SSD, which is showing itself as a SanDisk Milpitas SSD with a size of 0 MB when it's a 240 GB drive. Not sure if that's what is called the RAW error / MFT/MBR corruption etc. It doesn't initialize from Disk Management. Will be trying a few other solutions I've read up on.
But if someone could clarify: there has to be a file or folder acting maliciously which is causing this, correct? Or will running checkdisk automatically corrupt the SSD / boot drive?