This reminds me of a bluescreen I encountered in the FAT driver several years ago – I was playing with RockBox on my MP3 player, taking screenshots, but when I tried to view the pictures on my computer, Windows always BSODed when trying to open the second picture. Turned out that RockBox didn’t write short file names properly – while the screenshots had different long names, they all had the same short name, which caused Windows to BSOD.
Can I get a link for the source or binaries of this software? I would really enjoy testing it a bit :)
Can I get a software link to download and use it?
@syka: Thanks :P
@nobody: Huh, that’s really quite interesting. What was the operating system edition, and are you sure that the problem that triggered the BSoD was the inconsistency in short/long filenames? It’d be really interesting to have a closer look into this :)
@Catalin Teodorescu, Deepak Jagtap: Thanks. As outlined in the blog post, it was only released as a Windows kernel exploitation case study with the bug being used for demonstrative purposes only; it is not a full-disclosure post. Therefore, the file-system image / exploit executable will not be publicly released.
Very interesting publication. The only thing that I don’t understand is how you are able to modify the NodeType of the target volume SCB. Indeed it should be different from 0x702 to make the system dereference a NULL pointer…
IIRC, I was running either Windows 2003 or XP x64 at the time (according to my IRC logs, it happened in November 2005; I think I also reproduced the BSOD on plain XP). The crash was completely reproducible – you could access the first file without any problems, but when you tried accessing the second one, Windows BSODed in fastfat.sys.
The problem wasn’t in the inconsistency of long/short filename – the problem was that RockBox created screenshots where each file had identical short filename (even though long filenames were different). chkdsk fixed the problem.
Do you plan to share what tools you used for filesystem fuzzing?
Do you mind sharing the link to download the exploit?
@Andrea: It’s specific to the malformed structure of the NTFS volume. I cannot really share more details :)
@nobody: I’ll try to look into this in the future ;)
@Fernando: We don’t currently plan to.
@Omar: Sorry, the exploit code is not going to be released (though the post contains enough information that you should be able to write your own).
Nice papers! I have read all the comments, but can you send me the code of the “exemplary private namespace”? Thank you very much!
I used an event object, but it cannot affect paged pool memory, only nonpaged pool.
Thanks for this paper. I have already exploited a piece of software. It’s nice!
[…] in the Windows NTFS driver, which allows privilege escalation. A description of how the exploit was built is here. Microsoft promised to fix it “in the future” […]
[…] privileges (e.g. schools, universities, hostels). You can check out the full explanation of the bug here. […]
[…] of his finding is down, DDoSed by its own popularity :) Just in case, here it is: http://j00ru.vexillium.org/?p=1272 […]
[…] can read the details about the exploit here. I Suggest you do read it. It is very […]
Introducing the USB Stick of Death | j00ru//vx tech blog…
Two security researchers show a new vulnerability in the handling of the NTFS file format in Microsoft Windows 7. They accomplish a full system compromise. This vulnerability is still unpatched, leaving room for plug-and-own exploits…
[…] USB Stick of Death — very detailed internals walkthrough of how to simply insert a USB stick, have it automatically mounted by the operating system and immediately compromise it by triggering a vulnerability in ntfs.sys. […]
[…] hacker Mateusz “j00ru” Jurczyk wrote an excellent exploit for a vulnerability in NTFS under Windows, which was found by his colleague […]
[…] hacker Mateusz “j00ru” Jurczyk wrote an exploit for a vulnerability in NTFS under Windows, which was found by his […]
[…] details on the bug and exploit were available on both Coldwind’s and Jurczyk’s blogs. Also, you can see a video of the bug being exploited here: Windows 7 […]
[…] space, and to have full control of the code within a process. Editing the tagWND structure or the HAL Dispatch Table are two very common vectors, as are many […]
[…] Privilege escalation via an NTFS formatted USB stick (USB Stick of Death) […]
[…] To achieve this goal, another challenge is to build a suitable dynamic memory allocation layout, based on the size of the data block, in which the overflow takes place. If the block size is known, this can be achieved without further restrictions. However, when dealing with a fixed-size block (0x418 bytes in this case), it is hard to find an object of a suitable size to trigger the heap overflow. Those who want to overcome this problem can refer to this link. […]