From: Virus Guy 

While unnecessarily full-quoting a previous post, Shadow wrote:

> 	Or con con
> 
> http://outpost9.com/exploits/unsorted/01-scx-sa-01.txt

In a throwback to the '90s, NTFS bug lets anyone hang or crash Windows 
7, 8.1

It's like the c:\con\con bug all over again.

Peter Bright - May 25, 2017 9:45 pm UTC

Those of you with long memories might remember one of the more amusing 
(or perhaps annoying) bugs of the Windows 95 and 98 era: certain 
specially crafted filenames could make the operating system crash. 
Malicious users could use this to attack other people's machines by 
using one of the special filenames as an image source; the browser would 
try to access the bad file, and Windows would promptly fall over.

It turns out that Windows 7 and 8.1 (and Windows Vista, but that's out 
of support anyway) have a similar kind of bug. They can be taken 
advantage of in the same kind of way: certain bad filenames make the 
system lock up or occasionally crash with a blue screen of death, and 
malicious webpages can embed those filenames by using them as image 
sources. If you visit such a page (in any browser), your PC will hang 
shortly after and possibly crash outright.

The Windows 9x-era bug was due to an error in the way that operating 
systems handled special filenames. Windows has a number of filenames 
that are "special" because they don't correspond to any actual file; 
instead, they represent hardware devices. These special filenames can be 
accessed from any location in the file system, even though they don't 
exist on-disk.

While any of these special filenames would have worked, the most common 
one used to crash old Windows machines was con, a special filename that 
represents the physical console: the keyboard (for input) and the screen 
(for output). Windows correctly handled simple attempts to access the 
con device, but a filename included two references to the special 
device—for example, c:\con\con—then Windows would crash. If that file 
was referenced from a webpage, for example, by trying to load an image 
from file:///c:/con/con then the machine would crash whenever the 
malicious page was accessed.

The new bug, which fortunately doesn't appear to afflict Windows 10, 
uses another special filename. This time around, the special filename of 
choice is $MFT. $MFT is the name given to one of the special metadata 
files that are used by Windows' NTFS filesystem. The file exists in the 
root directory of each NTFS volume, but the NTFS driver handles it in 
special ways, and it's hidden from view and inaccessible to most 
software. Attempts to open the file are normally blocked, but in a move 
reminiscent of the Windows 9x flaw, if the filename is used as if it 
were a directory name—for example, trying to open the file 
c:\$MFT\123—then the NTFS driver takes out a lock on the file and never 
releases it. Every subsequent operation sits around waiting for the lock 
to be released.Forever. This blocks any and all other attempts to access 
the file system, and so every program will start to hang, rendering the 
machine unusable until it is rebooted.

As was the case nearly 20 years ago, webpages that use the bad filename 
in, for example, an image source will provoke the bug and make the 
machine stop responding. Depending on what the machine is doing 
concurrently, it will sometimes blue screen. Either way, you're going to 
need to reboot it to recover. Some browsers will block attempts to 
access these local resources, but Internet Explorer, for example, will 
merrily try to access the bad file.

We couldn't immediately cause the same thing to occur remotely (for 
example, by sending IIS a request for a bad filename), but it wouldn't 
immediately surprise us if certain configurations or trickery were 
enough to cause the same problem.

Microsoft has been informed, but at the time of publication has not told 
us when or if the problem will be patched.
--- NewsGate v1.0 gamma 2