Vulnerability in Windows 10 Damages Hard Drive after Viewing a File
A vulnerability in Microsoft Windows 10 could allow attackers to damage an NTFS-formatted hard drive using a one-line command. The one-liner can be hidden inside a Windows shortcut, ZIP archive, batch file, or various other vectors to cause hard drive errors, instantly damaging the file system index.
A security researcher using the pseudonym Jonas L drew attention to an unpatched vulnerability in NTFS affecting Windows 10. According to the expert, the vulnerability appeared in Windows 10 (Build 1803) and continues to exist in the latest version. In addition, the problem can be exploited by a regular user with low privileges on Windows 10 systems.
NTFS VULNERABILITY CRITICALITY UNDERESTIMATED
There is a specially nasty vulnerability in NTFS right now.
Triggerable by opening special crafted name in any folder anywhere.
The vulnerability will instant pop up complaining about your harddrive is corrupted when path is opened pic.twitter.com/E0YqHQ369N
— Jonas L (@jonasLyk) January 9, 2021
The drive can be damaged even if you just try to access the NTFS "$i30" attribute of a folder in a certain way. The Windows NTFS index attribute (the string "$i30") is associated with directories and contains a list of the directory's files and subfolders. In some cases, the NTFS index can also include deleted files and folders, which is useful for incident response or forensics.
It remains unknown why access to this attribute damages the disk, and the registry key that would help diagnose the problem is not working.
After running the command in the Windows 10 command line and pressing Enter, the user will see the error message "The file or directory is corrupted and unreadable." Windows 10 will immediately start displaying notifications prompting the user to restart the computer and repair the damaged disk volume. When you reboot, the Windows Disk Check Utility starts and begins repairing the hard drive.
After the disks are damaged, Windows 10 will generate errors in the event log indicating that the master file table (MFT) for a particular disk contains a corrupted entry.
The expert also noted that a crafted Windows shortcut file (.url) with the icon location set to "C:\:$i30:$bitmap" will exploit the vulnerability even if the user has never opened the file. Once this shortcut file is downloaded to a Windows 10 PC and the user browses the folder it is in, Windows Explorer will try to display the file icon. To do this, Windows Explorer accesses the crafted icon path inside the file in the background, damaging the NTFS hard drive in the process.
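For triage of downloaded shortcuts, the check below parses .url files as text, without letting Explorer render them, and flags any value that references the "$i30" index attribute. It is an added example, not code from the researcher or from Microsoft. It assumes the usual INI-style .url layout (an [InternetShortcut] section with an IconFile key), and the function names and sample contents are constructed for illustration.

```python
import configparser
import pathlib
import re

# An NTFS attribute reference to the directory index, e.g. "<dir>:$i30:$bitmap".
# Whitespace is tolerated because published indicators are often re-spaced.
I30_REF = re.compile(r":\s*\$\s*i30\s*:", re.IGNORECASE)


def flag_url_shortcut(text):
    """Return [(section, key, value)] for every value that references $i30."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        # Malformed shortcut: fall back to a raw line scan instead of skipping it.
        return [("?", "?", ln.strip()) for ln in text.splitlines()
                if I30_REF.search(ln)]
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):  # keys are lower-cased
            if I30_REF.search(value):
                hits.append((section, key, value))
    return hits


def scan_tree(root):
    """Read every .url file under root as text and yield (path, hits)."""
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = flag_url_shortcut(text)
            if hits:
                yield path, hits


# Constructed samples: a benign shortcut and one with the icon path from the article.
BENIGN = ("[InternetShortcut]\nURL=https://example.com/\n"
          "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=0\n")
SUSPICIOUS = ("[InternetShortcut]\nURL=https://example.com/\n"
              "IconFile=C:\\:$i30:$bitmap\nIconIndex=0\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, flag_url_shortcut(sample))
```

Run such a scan from a mail gateway, a download quarantine, or a non-Windows analysis host so that the folder holding the samples is never browsed in Explorer.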