Rogue code on USB triggers BSOD on Windows PCs, even when it’s locked
Marius Tivadar, a malware researcher at Bitdefender, a cybersecurity and anti-virus software firm, has published proof-of-concept (PoC) code on GitHub that can trigger the dreaded Blue Screen of Death (BSOD) and crash a Windows machine within seconds, even when the system is locked.
According to Tivadar, the code exploits a vulnerability in Microsoft's handling of NTFS (New Technology File System) images that can trigger a blue screen of death.
Explaining the PoC code on GitHub, Tivadar said, “One can generate Blue Screen of Death using a handcrafted NTFS image. This denial-of-service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.”
The researcher's PoC consisted of a malformed NTFS image stored on a USB thumb drive, which crashed a Windows PC within seconds of being inserted.
“Auto-play is activated by default,” Tivadar wrote in a PDF accompanying the PoC's GitHub project that detailed the bug and its impact.
“Even with auto-play [is] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it.”
Autoplay, which is enabled by default in all versions of Windows, is at the root of the issue. Disabling Autoplay prevents the NTFS image from crashing Windows automatically on insertion, but manually opening the image has the same result.
According to Tivadar, the auto-play behavior should be changed, chiefly so that it does not run while the Windows machine is locked, because the code executes without user consent.
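The mitigation mentioned above, as an added example that is not from the article or from Tivadar's PoC: a PowerShell script that audits the standard Windows AutoPlay/AutoRun registry settings and applies the "disabled" values. The registry paths and value names are the documented Windows ones; the function names and the `$Checks` table are my own.

```powershell
# Added example (not from the article): audit and disable AutoPlay/AutoRun.
# Caveat stated in the article: this only removes the automatic trigger on
# insertion; manually opening or scanning the malformed image still crashes
# the machine. Run from an elevated prompt for the HKLM policy value.

$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Wanted = 0xFF }   # 0xFF = AutoRun off for all drive types
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Wanted = 0xFF }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay'; Wanted = 1 }         # 1 = "Use AutoPlay for all media" off
)

function Get-AutoPlayState {
    # Returns one object per setting with the current value and whether it matches.
    foreach ($c in $Checks) {
        $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Path      = $c.Path
            Name      = $c.Name
            Current   = $cur
            Wanted    = $c.Wanted
            Compliant = ($cur -eq $c.Wanted)
        }
    }
}

function Set-AutoPlayDisabled {
    # Creates the key if it is missing and writes the hardened DWORD value.
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                         -Value $c.Wanted -Force | Out-Null
    }
}

Get-AutoPlayState | Format-Table -AutoSize   # audit first
# Set-AutoPlayDisabled; Get-AutoPlayState     # then enforce (uncomment to apply)
```

Because the crash still occurs when anything reads the image, treat this as reducing exposure rather than fixing the bug; the article notes Microsoft is reported to have shipped a fix for Windows 10.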
“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine. I may think [of] this as code [that] gets executed without user consent,” he stated.
He also suggested that an attacker could modify the PoC to add malware, triggering the crash remotely and opening “thousands of possible scenarios.”
Tivadar had reported the DoS (denial-of-service) attack to Microsoft in July 2017, including the fake 10MB NTFS image that was able to crash Windows 7 and Windows 10 systems, together with a PoC video.
Microsoft had responded to Tivadar’s PoC by saying, “Your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch).”
According to Tivadar, when the vulnerability was disclosed, Microsoft said it did not want to assign a CVE to it. It did, however, write, “Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so.”
Disappointed with Microsoft's response, Tivadar recently published his NTFS image on GitHub. However, Microsoft is reported to have issued a fix for the Windows 10 vulnerability.
Source: Bleeping Computer