Comments on: Introducing the USB Stick of Death

By: j00ru

j00ru — Mon, 26 Nov 2012 09:12:11 +0000

@Andrea: It’s specific to the malformed structure of the NTFS volume. I cannot really share more details :)

@nobody: I’ll try to look into this in the future ;)

@Fernando: We don’t currently plan to.

@Omar: Sorry, the exploit code is not going to be released (though the post contains enough information that you should be able to write your own).

By: Omar

Omar — Tue, 13 Nov 2012 19:52:56 +0000

Do you mind sharing the link to download the exploit ?

By: Windows 7 NTFS bug allows any user to get admin privileges | LIVE HACKING

Windows 7 NTFS bug allows any user to get admin privileges | LIVE HACKING — Tue, 13 Nov 2012 09:37:35 +0000

[...] details on the bug and exploit were available on both Coldwind’s and Jurczyk’s blogs. Also, you can see a video of the bug being exploited here: Windows 7 [...]

By: Weekend Consumption 28102012 | Fiberoverethernet.com

Weekend Consumption 28102012 | Fiberoverethernet.com — Sun, 28 Oct 2012 21:33:00 +0000

[...] Introducing the USB Stick of Death [...]

By: Fernando

Fernando — Sat, 27 Oct 2012 19:51:21 +0000

Do you plan to share what tools did you use for filesystem fuzzing?

By: nobody

nobody — Sat, 27 Oct 2012 19:19:41 +0000

IIRC, I was running either Windows 2003 or XP x64 at the time (according to my IRC logs, it happened in November 2005; I think I also reproduced the BSOD on plain XP). The crash was completely reproducible – you could access the first file without any problems, but when you tried accessing the second one, Windows BSODed in fastfat.sys.

The problem wasn’t in the inconsistency of long/short filename – the problem was that RockBox created screenshots where each file had identical short filename (even though long filenames were different). chkdsk fixed the problem.

By: Andrea

Andrea — Fri, 26 Oct 2012 08:33:00 +0000

Very interesting pubblication. The only thing that I don’t understand is how you can be able to modify NodeType of target volume SCB. Indeed it should be different from 0×702 to render system to dereference a NULL pointer…

Thanks!

By: Смертельная флешка или почти критическая уязвимость Windows 7 | S3R

Смертельная флешка или почти критическая уязвимость Windows 7 | S3R — Thu, 25 Oct 2012 08:26:09 +0000

[...] хакер Матеуш “j00ru” Юржик (Mateusz Jurczyk) написал эксплойт для уязвимости в NTFS под Windows, которую нашёл его [...]

By: Смертельная флэшка или почти критическая уязвимость Windows 7 | S3R

Смертельная флэшка или почти критическая уязвимость Windows 7 | S3R — Thu, 25 Oct 2012 08:18:46 +0000

[...] хакер Матеуш “j00ru” Юржик (Mateusz Jurczyk) написал эксплойт для уязвимости в NTFS под Windows, которую нашёл его [...]

By: «Смертельная» USB-флэшка | RIS

«Смертельная» USB-флэшка | RIS — Thu, 25 Oct 2012 06:32:27 +0000

[...] хакер Матеуш “j00ru” Юржик (Mateusz Jurczyk) написал отличный эксплойт для уязвимости в NTFS под Windows, которую нашёл его коллега [...]