PoC code can crash Windows systems, even when locked

News by Rene Millman

Security researchers have found a flaw in Windows that could allow hackers to crash a system when they insert a USB stick with specially crafted code. The problem happens even when Windows is locked.

According to Marius Tivadar, a malware researcher at Bitdefender, there is a flaw in how Windows handles NTFS file system images.

Tivadar published proof-of-concept code on GitHub. He said that “One can generate blue-screen-of-death using a handcrafted NTFS image. This Denial of Service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.”

The researcher posted a couple of videos showing how the code crashes a Windows computer when a USB stick is inserted into it. Seconds later, the dreaded blue screen of death appears. The interesting thing to note here is that the trigger is not malware in the usual sense but a malformed NTFS image that the kernel's file system driver fails to handle safely.

According to Tivadar, auto-play is activated by default. “This leads to automatically crashing the system when [a] USB stick is inserted. Even with auto-play disabled, system will crash when the file is accessed. This can be done when Windows Defender scans the USB stick, or any other tool opening it. If none of the above,” then “if the user clicks on the file, [the] system will crash.”

Tivadar said that auto-play behaviour should be changed so that this situation doesn't happen when the system is locked. 

“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine,” he added.

He said that if this kind of crash were exploitable, and an attacker could load malware even while the system was locked, it could “open thousands of possible scenarios”.
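The practical takeaway from Tivadar's description is that the mount happens on insertion because AutoPlay and removable-device installation are allowed by default, and that disabling AutoPlay alone only removes the automatic trigger: the article notes the volume still crashes the system once anything (Defender, a file manager, the user) touches it. The following PowerShell script is an added example written for this article, not code from Tivadar's repository or from Microsoft. It audits, and with `-Apply` sets, the documented Group Policy backing registry values for "Turn off AutoPlay", "Disallow Autoplay for non-volume devices" and "Prevent installation of removable devices". The `-Apply` switch, the `$Settings` table and the function names are this script's own. It assumes an elevated PowerShell session; the device-installation restriction only affects devices not yet installed on the host, and none of these settings implements the behaviour Tivadar asked for (no driver loading while the session is locked), which is not exposed as a policy.

```powershell
# Added example (not from the article or Tivadar's PoC): audit and optionally
# harden AutoPlay and removable-device installation on a Windows host.
# Run from an elevated PowerShell prompt:  .\Harden-Autoplay.ps1 [-Apply]
[CmdletBinding()]
param([switch]$Apply)

# Documented policy keys; Expected is the value that turns the feature off.
$Settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF
       Note = 'Turn off AutoPlay on all drive types' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutoplayfornonVolume'; Expected = 1
       Note = 'Disallow AutoPlay for non-volume devices' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name = 'DenyRemovableDevices'; Expected = 1
       Note = 'Prevent installation of removable devices (new devices only)' }
)

# Read one setting and report whether it matches the hardened value.
function Get-SettingState {
    param([hashtable]$S)
    $current = $null
    if (Test-Path $S.Path) {
        $current = (Get-ItemProperty -Path $S.Path -Name $S.Name `
                    -ErrorAction SilentlyContinue).($S.Name)
    }
    [pscustomobject]@{
        Setting   = $S.Note
        Value     = $S.Name
        Current   = $current
        Expected  = $S.Expected
        Compliant = ($current -eq $S.Expected)
    }
}

# Create the policy key if needed and write the hardened DWORD value.
function Set-Setting {
    param([hashtable]$S)
    if (-not (Test-Path $S.Path)) { New-Item -Path $S.Path -Force | Out-Null }
    New-ItemProperty -Path $S.Path -Name $S.Name -Value $S.Expected `
        -PropertyType DWord -Force | Out-Null
}

# Audit first; a fresh install typically shows all three as non-compliant.
$Settings | ForEach-Object { Get-SettingState $_ } | Format-Table -AutoSize

if ($Apply) {
    $Settings | Where-Object { -not (Get-SettingState $_).Compliant } | ForEach-Object {
        Write-Host "Setting $($_.Name) = $($_.Expected) ($($_.Note))"
        Set-Setting $_
    }
    # Re-audit so the change is visible in the same run.
    $Settings | ForEach-Object { Get-SettingState $_ } | Format-Table -AutoSize
}
```

Of the three, only the device-installation restriction addresses the case the article describes, because it stops a newly inserted USB storage device from being enumerated and its volume from being mounted at all; the two AutoPlay values remove the automatic trigger but, as Tivadar points out, leave the crash reachable by any later access to the volume.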

Javvad Malik, security advocate at AlienVault, told SC Media UK that in enterprises, getting all endpoints to the current build could take time, so there is a window of opportunity for attackers. 

“Having said that, due to the physical access needed to the machine to insert a USB drive, it is unlikely we'll see this at a mass scale, but rather the potential is that it could be used as part of a targeted attack for a very specific purpose – similar to how Stuxnet was developed and intended to be delivered to cause damage to Iran's nuclear facilities,” he said.

“In terms of disclosure, the author initially did privately disclose to Microsoft, and in turn Microsoft stated that it does not meet the threshold for a fix as it requires physical access or social engineering – so the correct process has been followed,” he added.

“The reality is that if physical access is gained, or an employee can be social engineered to insert a USB or run code, then there are many attacks that could be launched against a company. So, the protection measures against this would be the same, ie ensure unauthorised persons don't gain physical access to machines, and train staff to be aware of and not fall victim to social engineering.”

Andrew Avanessian, chief operations officer at Avecto, told SC Media UK that the method of using a USB stick isn't necessarily the easiest, as it requires hackers to gain physical access to a system or machine. This would most likely involve a form of social engineering which would target vulnerable end-users, encouraging them to use an infected USB to run the code.

“It is unclear as yet whether this issue will be fixed in later builds. However, Microsoft has said that this method would require the attacker to execute additional code on the build, or a social engineer to target an end user to run the code,” he said.
