Simple Command Craters Windows10 PCs Immediately: don't try it unless you have a backup and a bootable USB from which to restore it.
Recent Activity, Security, WED Blog, Windows 10

Simple Command Craters Windows10 PCs Immediately

Leave a comment

It’s not often you see a warning like the one in the lead-in graphic for this story. Indeed, executing a certain string at the command line will immediately crash a Windows 10 PC and render it unbootable. Before I go into details, I’m concerned that a simple command craters Windows10 PCs immediately. (Windows 8, 8.1, and XP are also reportedly affected, but not Windows 7.) Opportunities for malicious use are mind-boggling.

[Note: the lead-in graphic comes courtesy of Sergey Tkachenko at WinAero,com. He posted the story in which it appears Friday, January 15.]

It gets worse. That same string also corrupts any targeted NTFS volume in a URL (just a portion of that string in the address bar will do it). Furthermore, it works from inside a ZIP archive, an ISO, VHD, or VHDX file, too. I’m stunned!

I actually debated myself for days on whether or not to share this info. I finally concluded that the Windows community needs to know. It might arm bad actors with new ammunition. Hopefully, that danger is offset by the increased care it should cultivate in everyone else who learns about it.

What Simple Command Craters Windows10 PCs Immediately?

The command can occur in a file reference at the command line or in PowerShell. The simplest invocation is:

cd c:\:$i30:$bitmap

That’s it. Doesn’t look like much, does it? It can address other drive letters (in which case, it will corrupt them instead). C: is particularly dangerous because it’s the default volume where Windows and all of its necessary pieces and parts reside. Once the string is entered, an error message appears. It informs you that “The file or directory is corrupted and unreadable.” Windows will attempt repairs via Chkdsk upon restart, but it will not succeed.

According to Tkachenko:

…users have figured that it is enough to paste the above ‘:$i30’ string into the browser address bar.

to crater the C: drive. Not good!

Holy Moly! How does THIS work?

This exploit is based on the NTFS $i30 index attribute, which ties into filesystem directories and contains a list of its files and subfolders, and may include deleted items as well as active ones. If you search on “$i30 index attribute” or “NTFS $i30 attribute” you’ll see it’s well-known to computer forensics professionals. It’s also a critical part of the MFT (Master File Table) structures for NTFS. Nobody yet knows or understands why referencing it in a command, URL, or archived file structure is damaging.

According to Tkachenko, the security researcher who found this gotcha says:

I have no idea why it corrupts stuff and it would be a lot of work to find out because the reg key that should BSOD on corruption does not work. So, I’ll leave it to the people with the source code…

MS knows about this now and is reportedly working on a fix. This one should be a doozy, and should get fixed as quickly as they can manage it. In the meantime, watch out!

Do NOT try this at home (or at work, or anywhere else, either). If you simply have to try it, do it in a throwaway VM. Otherwise, cleanup will take time and effort, even if it’s just to restore a backup. As the man said “You have been warned.”

 

Facebooklinkedin
Facebooklinkedin

Leave a Reply

Your email address will not be published. Required fields are marked *