Introducing the USB Stick of Death

{ 12 } Comments

  1. syka | 22-Oct-12 at 04:09:16 | Permalink


  2. nobody | 22-Oct-12 at 08:39:56 | Permalink

    This reminds me of a bluescreen I encountered in the FAT driver several years ago – I was playing with RockBox on my MP3 player, taking screenshots, but when I tried to view the pictures on my computer, Windows always BSODed when trying to open the second picture. Turned out that RockBox didn’t write short file names properly – while the screenshots had different long names, they all had the same short name, which caused Windows to BSOD.

  3. Catalin Teodorescu | 22-Oct-12 at 12:57:59 | Permalink

    Can I get a link for the source or binaries of this software? I would really enjoy testing it a bit :)

  4. Deepak Jagtap | 22-Oct-12 at 21:39:15 | Permalink

    Really awesome!
    Can I get a link to download the software and use it?

  5. j00ru | 23-Oct-12 at 11:41:46 | Permalink

    @syka: Thanks :P

    @nobody: Huh, that’s really quite interesting. What was the operating system edition, and are you sure that the problem that triggered the BSoD was the inconsistency in short/long filenames? It’d be really interesting to have a closer look into this :)

    @Catalin Teodorescu, Deepak Jagtap: Thanks. As outlined in the blog post, it was only released as a Windows kernel exploitation case study with the bug being used for demonstrative purposes only; it is not a full-disclosure post. Therefore, the file-system image / exploit executable will not be publicly released.

  6. Andrea | 26-Oct-12 at 01:33:00 | Permalink

    Very interesting publication. The only thing that I don’t understand is how you are able to modify the NodeType of the target volume SCB. Indeed, it should be different from 0x702 to make the system dereference a NULL pointer…


  7. nobody | 27-Oct-12 at 12:19:41 | Permalink

    IIRC, I was running either Windows 2003 or XP x64 at the time (according to my IRC logs, it happened in November 2005; I think I also reproduced the BSOD on plain XP). The crash was completely reproducible – you could access the first file without any problems, but when you tried accessing the second one, Windows BSODed in fastfat.sys.

    The problem wasn’t in the inconsistency of long/short filenames – the problem was that RockBox created screenshots where each file had an identical short filename (even though the long filenames were different). chkdsk fixed the problem.
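The RockBox situation described in the two comments above (distinct long names all carrying the same 8.3 name), as an added example that is not code from the original post, from RockBox or from Windows: a small FAT directory-entry scanner that binds LFN slots to their 8.3 entry through the checksum the FAT specification defines, and reports short names shared by more than one file, which is the inconsistency chkdsk repaired. The directory bytes are constructed here with a helper that writes entries the way a driver lays them out; nothing is read from a real device.

```python
import struct
LFN_ATTR = 0x0F  # attribute byte that marks a long-file-name (LFN) slot

def sfn_checksum(sfn: bytes) -> int:  # FAT checksum of the 11-byte 8.3 name, stored in each LFN slot
    s = 0
    for b in sfn:
        s = ((((s & 1) << 7) | (s >> 1)) + b) & 0xFF
    return s

def build_entries(long_name: str, sfn: bytes) -> bytes:
    """Emit the LFN chain (highest sequence first) then the 8.3 slot, the way a driver writes them."""
    long_name += "\x00" if len(long_name) % 13 else ""  # NUL terminator only if the last chunk has room
    chunks = [long_name[i:i + 13].ljust(13, "\uffff") for i in range(0, len(long_name), 13)]
    out = b""
    for seq in range(len(chunks), 0, -1):
        u = chunks[seq - 1].encode("utf-16-le")
        ordinal = seq | (0x40 if seq == len(chunks) else 0)  # 0x40 flags the final chunk
        out += struct.pack("<B10sBBB12sH4s", ordinal, u[:10], LFN_ATTR, 0,
                           sfn_checksum(sfn), u[10:22], 0, u[22:26])
    return out + struct.pack("<11sB20s", sfn, 0x20, bytes(20))  # 0x20 = archive attribute

def parse_dir(data: bytes) -> list:
    """Return (long_name, sfn) per live slot; an LFN chain whose checksum mismatches is discarded."""
    pieces, results = {}, []
    for off in range(0, len(data), 32):
        e = data[off:off + 32]
        if e[0] == 0x00:
            break  # end-of-directory marker
        if e[0] == 0xE5:  # deleted slot: also drops any orphaned LFN chain before it
            pieces = {}
            continue
        if e[11] == LFN_ATTR:
            pieces[e[0] & 0x3F] = (e[1:11] + e[14:26] + e[28:32], e[13])
            continue
        sfn, name = e[0:11], ""
        if pieces and all(c == sfn_checksum(sfn) for _, c in pieces.values()):
            raw = b"".join(pieces[k][0] for k in sorted(pieces))
            name = raw.decode("utf-16-le", "replace").split("\x00")[0].rstrip("\uffff")
        results.append((name, sfn))
        pieces = {}
    return results

def duplicate_short_names(data: bytes) -> dict:  # 8.3 names used by more than one entry
    seen = {}
    for name, sfn in parse_dir(data):
        seen.setdefault(sfn, []).append(name)
    return {sfn.decode("ascii"): names for sfn, names in seen.items() if len(names) > 1}

# Constructed sample directory: two long names sharing one 8.3 name, a correct third, then the end marker.
SAMPLE_DIR = b"".join(build_entries(f"rockbox-screenshot-{i}.bmp", s) for i, s in
                      enumerate([b"ROCKBO~1BMP", b"ROCKBO~1BMP", b"ROCKBO~2BMP"], 1)) + bytes(32)
```

Running `duplicate_short_names(SAMPLE_DIR)` flags `ROCKBO~1BMP` as shared by the first two files; the same scan over a real FAT directory cluster would locate the entries that such a crash originates from.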

  8. Fernando | 27-Oct-12 at 12:51:21 | Permalink

    Do you plan to share what tools you used for filesystem fuzzing?

  9. Omar | 13-Nov-12 at 12:52:56 | Permalink

    Do you mind sharing the link to download the exploit?

  10. j00ru | 26-Nov-12 at 02:12:11 | Permalink

    @Andrea: It’s specific to the malformed structure of the NTFS volume. I cannot really share more details :)

    @nobody: I’ll try to look into this in the future ;)

    @Fernando: We don’t currently plan to.

    @Omar: Sorry, the exploit code is not going to be released (though the post contains enough information that you should be able to write your own).

  11. bigric3 | 21-Dec-16 at 20:25:11 | Permalink

    Nice papers! I have read all the comments, but can you send me one example of the code for the “exemplary private namespace”? Thank you very much!
    I used an event object, but it cannot affect paged pool memory, only nonpaged pool.

  12. bigric3 | 08-Jan-17 at 19:01:20 | Permalink

    Thanks for this paper. I have already exploited a piece of software. It’s nice!

{ 21 } Trackbacks

  1. […] for the Windows NTFS driver, which allows privilege escalation. A description of how the exploit was created is here. Microsoft promised to fix it “in the future” […]

  2. USB Stick of Death | ctrlaltnarwhal | 2012-10-21 at 09:00:13 | Permalink

    […] privileges (e.g. schools, universities, hostels). You can check out the full explanation of the bug here. […]

  5. Security News » USB of Death | 2012-10-21 at 09:00:13 | Permalink

    […] of his find lies DDoSed by its own popularity :) […]

  6. […] can read the details about the exploit here. I Suggest you do read it. It is very […]

  8. | 2012-10-21 at 09:00:13 | Permalink

    Introducing the USB Stick of Death | j00ru//vx tech blog…

    Two security researchers show a new vulnerability in the handling of the NTFS file format in Microsoft Windows 7. They accomplish a full system compromise. This vulnerability is not patched yet, leaving room for plug-and-own exploits…

  9. […] j00ru//vx – Introducing the USB Stick of Death :: URL […]

  10. […] USB Stick of Death — very detailed internals walkthrough of how to simply insert a USB stick, have it automatically mounted by the operating system and immediately compromise it by triggering a vulnerability in ntfs.sys. […]

  12. […] the hacker Mateusz “j00ru” Jurczyk wrote an excellent exploit for a vulnerability in NTFS under Windows that was found by his colleague […]

  13. […] the hacker Mateusz “j00ru” Jurczyk wrote an exploit for a vulnerability in NTFS under Windows that was found by his […]

  15. […] Introducing the USB Stick of Death […]

  16. […] details on the bug and exploit were available on both Coldwind’s and Jurczyk’s blogs. Also, you can see a video of the bug being exploited here: Windows 7 […]

  17. […] space, and to have full control of the code within a process. Editing the tagWND structure or the HAL Dispatch Table are two very common vectors, as are many […]

  18. […] Privilege escalation via an NTFS formatted USB stick (USB Stick of Death) […]

  19. […] To achieve this, another challenge is to create a sensible dynamic memory allocation layout, based on the size of the data block, so that the overflow occurs. If the size of the block is known, we can achieve this without further restrictions. However, when dealing with a fixed block size (0x418 bytes in this case), it is hard to find an object of a suitable size to cause the heap overflow. Anyone wanting to overcome this problem can refer to here. […]

