“Nasty” Windows 10 bug corrupts hard drive just by looking at a malicious icon

SECURINETS
Jan 21, 2021

Windows 10 users are urged to take extra precautions: an unpatched zero-day vulnerability in the operating system lets threat actors corrupt any NTFS[1]-formatted hard drive with a single one-line command that tries to access a particular location among the system's files.

The issue was recently raised by security researcher Jonas L, who stated in a tweet on January 9, 2021, that “There is a specially nasty vulnerability in NTFS right now” and that the exploit is “Triggerable by opening specially crafted name in any folder anywhere”. What is worse, the vulnerability has existed in Windows 10 for three years without any patch even though it was reported to Microsoft, as stated by members of the infosec community and by Will Dormann, a vulnerability analyst at the CERT Coordination Center.

Regarding the affected versions, Dormann also states in a tweet that “This problem seems to be introduced around the time of Windows 10 1803.” (the Windows April 10, 2018 update).

According to a statement by a Windows user, older Windows versions such as Windows XP are also affected by this bug.

Exploitation

The bug is exploitable by running a one-line command that tries to access the $i30 NTFS attribute, also known as the NTFS Index Attribute. This attribute is attached to directories and holds information about a directory’s files and subfolders, including deleted or wiped files and folders.

Executing the command instantly corrupts an NTFS-formatted hard drive, after which Windows prompts the user to restart the computer and repair the corrupted disk records (as shown in the picture below).

If you want to see it in action, you can load up a Windows 10 virtual machine and execute the following command: “cd c:$i30:$bitmap”, which will instantly corrupt the hard drive (WARNING: DO NOT TRY TO EXECUTE THIS ON YOUR OWN MACHINE, AS YOU ARE PUTTING YOUR HARD DRIVE AND DATA AT RISK, AND WE DO NOT TAKE RESPONSIBILITY FOR ANY MISUSE/DATA LOSS).

However, why accessing this particular location corrupts the hard drive remains unknown, as Jonas L told BleepingComputer: “I have no idea why it corrupts stuff and it would be a lot of work to find out because the reg key that should BSOD on corruption does not work. So, I’ll leave it to the people with the source code”.

It doesn’t stop there, though, as researchers are finding more sophisticated ways to deploy this bug maliciously. In a finding by Jonas L, a Windows URL file (with the .url extension) whose icon path is set to cd c:$i30:$bitmap triggers the vulnerability and corrupts the hard drive as soon as the user opens its containing folder, even without opening the file itself!

This is because Windows Explorer tries to display the file’s icon and therefore accesses the supplied path (the offending one), which triggers the bug.

In an attack scenario, a malicious actor would use social engineering to convince a victim to download a ZIP archive containing the malicious file, and the bug would be triggered when the ZIP is extracted.
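As a defender-side illustration of the .url vector described above, the following Python scanner is an added example (not code from the article or its author): it inspects the .url members of a ZIP archive in memory, before anything is extracted to disk, and flags icon or target entries that reference the $i30 attribute. The .url key names checked and the sample archive are assumptions constructed for the example.

```python
"""Pre-extraction scanner for ZIP archives carrying Windows .url shortcut
files whose icon or target path references the NTFS $i30 index attribute.
Added example, not code from the original article or its author."""
import io
import re
import zipfile

# Case-insensitive signature for the $i30 attribute in either form quoted in
# the article ("c:$i30:$bitmap" and the file:// variant); an optional trailing
# ":$name" stream suffix is captured so the full reference is reported.
I30_PATTERN = re.compile(r"\$i30(?::\$[a-z_]+)?", re.IGNORECASE)

# .url files are INI-style; these keys (assumed) hold paths that Explorer
# resolves when it renders or opens the shortcut, so they are worth inspecting.
PATH_KEYS = ("iconfile", "url", "workingdirectory")


def suspicious_url_entries(text: str) -> list:
    """Return (key, value) pairs from a .url body whose value references $i30."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith((";", "#", "[")):
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in PATH_KEYS and I30_PATTERN.search(value):
            hits.append((key.strip(), value.strip()))
    return hits


def scan_zip_bytes(data: bytes) -> dict:
    """Inspect every .url member of an in-memory ZIP without extracting it.
    Returns {member_name: [(key, value), ...]} for members referencing $i30."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            # Members are read into memory only; nothing touches the filesystem,
            # so Explorer never gets a chance to resolve the icon path.
            body = zf.read(info).decode("utf-8", errors="replace")
            hits = suspicious_url_entries(body)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign shortcut and one carrying the icon
    path quoted in the article. Built in memory purely to exercise the scanner."""
    benign = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"
    bad = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconFile=c:$i30:$bitmap\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.url", benign)
        zf.writestr("invoice.url", bad)
    return buf.getvalue()
```

Running scan_zip_bytes over an archive before extraction lets a mail gateway or download hook quarantine it instead of letting Explorer render the shortcut's icon.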

In addition, research has found that well-crafted HTML pages can also trigger the bug remotely, for example an HTML page embedding resources from network shares or drives that point to the offending $i30 path, or an HTML file referencing file:///C/:/:$i30:$bitmap. In that case, however, the attacker would need to bypass the same-origin policy to trigger the bug remotely.

On the bright side, BleepingComputer found in its tests of this bug’s exploitation that the chkdsk utility repairs the corrupted hard drive on reboot, replacing the content of the malicious file pointing to the $i30 path with empty bytes.

Until Microsoft releases an update patching the bug, Windows 10 users need to be careful not to download and directly extract ZIP files from unknown or untrusted sources without making sure they are 100% clean. A spokesperson of the Seattle-based company stated: “We are aware of this issue and will provide an update in a future release.”

[1] NTFS, or NT File System, is the modern file system that Windows uses by default; your hard drive is formatted to NTFS when the Windows operating system is installed.

By Ahmed Gritli
