{ 10 } Comments
perfect!
This reminds me of a bluescreen I encountered in the FAT driver several years ago – I was playing with RockBox on my MP3 player, taking screenshots, but when I tried to view the pictures on my computer, Windows always BSODed when trying to open the second picture. Turned out that RockBox didn’t write short file names properly – while the screenshots had different long names, they all had the same short name, which caused Windows to BSOD.
Can I get a link for the source or binaries of this software? I would really enjoy testing it a bit :)
Really awesome..!
Can I get a software link to download and use it?
@syka: Thanks :P
@nobody: Huh, that’s really quite interesting. What was the operating system edition, and are you sure that the problem that triggered the BSoD was the inconsistency in short/long filenames? It’d be really interesting to have a closer look into this :)
@Catalin Teodorescu, Deepak Jagtap: Thanks. As outlined in the blog post, it was only released as a Windows kernel exploitation case study with the bug being used for demonstrative purposes only; it is not a full-disclosure post. Therefore, the file-system image / exploit executable will not be publicly released.
Very interesting publication. The only thing that I don’t understand is how you are able to modify the NodeType of the target volume SCB. Indeed it should be different from 0x702 to make the system dereference a NULL pointer…
Thanks!
IIRC, I was running either Windows 2003 or XP x64 at the time (according to my IRC logs, it happened in November 2005; I think I also reproduced the BSOD on plain XP). The crash was completely reproducible – you could access the first file without any problems, but when you tried accessing the second one, Windows BSODed in fastfat.sys.
The problem wasn’t in the inconsistency of long/short filenames – the problem was that RockBox created screenshots where each file had an identical short filename (even though the long filenames were different). chkdsk fixed the problem.
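As an added illustration of the inconsistency described in the comment above (this is example code, not code from the post or its author): a small Python checker that parses raw FAT directory entries, reconstructs long names from the LFN entries, and flags 8.3 short names shared by more than one file, the kind of integrity check chkdsk performs before the driver ever sees the directory. The directory bytes are constructed inline to mimic two screenshots with different long names and one shared short name.

```python
ATTR_LFN = 0x0F  # attribute value marking a long-file-name (LFN) entry

def lfn_checksum(short11):
    """Checksum stored in each LFN entry, computed over the 11-byte 8.3 name."""
    s = 0
    for c in short11:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s

def make_entries(long_name, short11):
    """Build the LFN entries followed by the 8.3 entry for one file (constructed data)."""
    chk = lfn_checksum(short11)
    utf16 = long_name.encode("utf-16-le") + b"\x00\x00"
    utf16 += b"\xff" * ((26 - len(utf16) % 26) % 26)       # pad last chunk with 0xFFFF
    chunks = [utf16[i:i + 26] for i in range(0, len(utf16), 26)]
    out = b""
    for idx in range(len(chunks), 0, -1):                   # last chunk is stored first
        seq = idx | (0x40 if idx == len(chunks) else 0)
        c = chunks[idx - 1]
        out += (bytes([seq]) + c[:10] + bytes([ATTR_LFN, 0, chk])
                + c[10:22] + b"\x00\x00" + c[22:26])
    return out + short11 + bytes([0x20]) + b"\x00" * 20     # 8.3 entry, ATTR_ARCHIVE

def parse_directory(raw):
    """Return (long_name, short_name_bytes) pairs from a raw 32-byte-entry directory."""
    lfn_parts, files = [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                                    # end of directory
            break
        if e[0] == 0xE5:                                    # deleted entry
            lfn_parts = []
            continue
        if e[11] == ATTR_LFN:                               # collect name fragments
            lfn_parts.append(e[1:11] + e[14:26] + e[28:32])
            continue
        name = b"".join(reversed(lfn_parts)).decode("utf-16-le").split("\x00")[0]
        files.append((name or e[:11].decode("ascii"), e[:11]))
        lfn_parts = []
    return files

def duplicate_short_names(files):
    """Map each 8.3 name used by more than one file to the long names sharing it."""
    by_short = {}
    for long_name, short in files:
        by_short.setdefault(short.decode("ascii"), []).append(long_name)
    return {s: names for s, names in by_short.items() if len(names) > 1}

# Constructed sample: two screenshots sharing one short name, plus a well-formed file.
SAMPLE = (make_entries("rockbox_screenshot_1.bmp", b"ROCKBO~1BMP")
          + make_entries("rockbox_screenshot_2.bmp", b"ROCKBO~1BMP")
          + make_entries("readme.txt", b"README  TXT") + b"\x00" * 32)
```

Running `duplicate_short_names(parse_directory(SAMPLE))` reports the shared `ROCKBO~1BMP` entry with both long names; an empty dict means the directory is consistent on this point.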
Do you plan to share what tools you used for filesystem fuzzing?
Do you mind sharing the link to download the exploit?
@Andrea: It’s specific to the malformed structure of the NTFS volume. I cannot really share more details :)
@nobody: I’ll try to look into this in the future ;)
@Fernando: We don’t currently plan to.
@Omar: Sorry, the exploit code is not going to be released (though the post contains enough information that you should be able to write your own).
{ 16 } Trackbacks
[...] for the Windows NTFS driver, which allows privilege escalation. A description of how the exploit was written is here. Microsoft promised to fix it “in the future” [...]
[...] privileges (e.g. schools, universities, hostels). You can check out the full explanation of the bug here. This entry was posted in Bugs, [...]
[...] http://j00ru.vexillium.org/?p=1272 [...]
[...] Hacker News http://j00ru.vexillium.org/?p=1272 [...]
[...] of his find is being DDoSed by its own popularity :) Just in case, here it is – http://j00ru.vexillium.org/?p=1272 [...]
[...] can read the details about the exploit here. I Suggest you do read it. It is very [...]
[...] http://j00ru.vexillium.org/?p=1272 [...]
Introducing the USB Stick of Death | j00ru//vx tech blog…
Two security researchers show a new vulnerability in the handling of the NTFS file format in Microsoft Windows 7. They accomplish a full system compromise. This vulnerability is still unpatched, leaving room for plug-and-own exploits….
[...] j00ru//vx – Introducing the USB Stick of Death :: URL [...]
[...] USB Stick of Death — very detailed internals walkthrough of how to simply insert a USB stick, have it automatically mounted by the operating system and immediately compromise it by triggering a vulnerability in ntfs.sys. [...]
[...] http://j00ru.vexillium.org/?p=1272 [...]
[...] hacker Mateusz “j00ru” Jurczyk wrote an excellent exploit for a vulnerability in NTFS on Windows, which was found by his colleague [...]
[...] hacker Mateusz “j00ru” Jurczyk wrote an exploit for a vulnerability in NTFS on Windows, which was found by his [...]
[...] Introducing the USB Stick of Death [...]
[...] details on the bug and exploit were available on both Coldwind’s and Jurczyk’s blogs. Also, you can see a video of the bug being exploited here: Windows 7 [...]