
USB Sticks Can Trigger BSOD – Even on a Locked Device


J.C


Via threatpost.com

 

A proof of concept for easily generating the blue screen of death (BSOD) on Windows devices has been released, along with a video demonstrating that the denial-of-service effect can take place even if the device is locked.

 

Using a handcrafted image of a Windows NT file system (NTFS) loaded onto a USB stick, it’s possible to crash the system by simply inserting the drive into the USB port, no further user interaction necessary (as this pair of videos shows).

 

“Auto-play is activated by default, this leads to automatically crashing the system when [the] USB stick is inserted,” said Bitdefender researcher Marius Tivadar, in a post on GitHub from late last week exposing the problem and the PoC. “Even with auto-play disabled, system will crash when the file is accessed. This can be done…when Windows Defender scans the USB stick [even when locked], or any other tool opening it. If none the above, finally, if the user clicks on the file, system will crash.”

 

Further, he added that while his own PoC requires physical access to the device with a USB stick, it’s possible to code the attack into malware that could be delivered remotely via spam campaigns or even drive-by downloads.

 

“If this kind of crash was exploitable, and attacker could load malware even if the system is locked, [and] this could open thousands of possible scenarios,” he said in the supporting materials for the PoC. “Of course, it is not necessary to have an USB stick. A malware for example could drop a tiny NTFS image and mount it somehow, thus triggering the crash.”

 

He said that all three systems he tested were affected: Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64; Windows 10 Pro 10.0.15063, Build 15063 x64; and Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64.

 

For Microsoft’s part, he said that its security team seemed uninterested when he reached out to the software giant with the problem.

“Reported to Microsoft on July 2017, they did not want to assign CVE for it nor even to write me when they fixed it,” said Tivadar, who discovered the issue last summer. In his GitHub posting, he reprinted an email that he said was from the Microsoft team, which read, “Hey Marius, your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch)…Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so.”

 

Microsoft offered a short statement in response to our request for comment: “The technique described requires authenticated access to a machine. We encourage customers to always use security best practices, including securing work stations and avoiding leaving laptops and computers unattended.”

 

Tivadar said that he believes the problem is genuinely worthy of concern. “I strongly believe that this behavior should be changed…Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine. I may think [of] this as code [that] gets executed without user consent.”
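
The auto-play setting Tivadar refers to can be audited per machine. The PowerShell below is an added example, not part of the original article, the forum posts, or Tivadar's PoC; the function names are hypothetical and the registry values are the standard Windows AutoPlay/AutoRun ones. As the article notes, turning auto-play off only removes the crash-on-insertion path; the crash still occurs when something opens the file.

```powershell
# Added example: audit AutoPlay/AutoRun state for removable drives.
# Function names are hypothetical; registry paths are the standard Windows ones.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-AutoPlayAudit {
    $policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $rows   = @()

    # Machine-wide and per-user policy. When both exist, HKLM takes precedence.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $mask = Get-RegValue -Path "$hive\$policy" -Name 'NoDriveTypeAutoRun'
        # Some systems store the mask as REG_BINARY; the low byte carries the flags.
        if ($mask -is [byte[]]) { $mask = [int]$mask[0] }
        $shown = if ($null -eq $mask) { 'not set' } else { '0x{0:X2}' -f $mask }
        $rows += [pscustomobject]@{
            Setting  = "$hive NoDriveTypeAutoRun (policy)"
            Value    = $shown
            # Bit 0x04 is DRIVE_REMOVABLE: when set, AutoPlay is off for USB sticks.
            Disabled = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
        }
    }

    # Per-user switch behind "Use AutoPlay for all media and devices" (1 = off).
    $handlers = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    $user     = Get-RegValue -Path $handlers -Name 'DisableAutoplay'
    $shown    = if ($null -eq $user) { 'not set' } else { "$user" }
    $rows += [pscustomobject]@{
        Setting  = 'HKCU: DisableAutoplay (user setting)'
        Value    = $shown
        Disabled = ($user -eq 1)
    }
    return $rows
}

$audit = Get-AutoPlayAudit
$audit | Format-Table -AutoSize
if (-not ($audit | Where-Object { $_.Disabled })) {
    Write-Warning 'No checked setting disables AutoPlay for removable drives.'
}
```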



straycat19

Most problems encountered in Windows are not the result of the software but of the user. I have proven that a thousand times over with systems that are running Windows 7 SP1 and not one update installed on them. Some of them have been running since SP1 was released and we did a fresh install. No malware, not hacked, just merrily computing data every day. The key is the security setup on the systems and the skill of the users. Security-conscious users are worth more than all the patches Microsoft has ever released for an operating system. I have seen people fired for visiting a website or clicking on an email link and infecting their computer or the network. Most businesses have adopted that stance in the last 20 years. I saw 5 reporters, and a managing editor, fired for infecting their MacOSX workstations and servers with malware that infected Microsoft doc files. And another business sued the person after she was fired to recoup the cost of having her system cleaned.

 

All the exploits that have ever been found rely on a user doing something that they should not be doing and/or an organization without good security practices in place to protect their systems. Having autoplay-enabled systems is just one of those things.



10 hours ago, straycat19 said:

Most problems encountered in Windows are not the result of the software but of the user. I have proven that a thousand times over with systems that are running Windows 7 SP1 and not one update installed on them. Some of them have been running since SP1 was released and we did a fresh install. No malware, not hacked, just merrily computing data every day. The key is the security setup on the systems and the skill of the users. Security-conscious users are worth more than all the patches Microsoft has ever released for an operating system. I have seen people fired for visiting a website or clicking on an email link and infecting their computer or the network. Most businesses have adopted that stance in the last 20 years. I saw 5 reporters, and a managing editor, fired for infecting their MacOSX workstations and servers with malware that infected Microsoft doc files. And another business sued the person after she was fired to recoup the cost of having her system cleaned.

 

All the exploits that have ever been found rely on a user doing something that they should not be doing and/or an organization without good security practices in place to protect their systems. Having autoplay-enabled systems is just one of those things.

Man, you got way off topic. How did a topic about BSOD become about exploits? :lol:

Any faulty device plugged into a USB can cause BSOD. I've seen some antivirus cause BSOD because you installed some other software it was not compatible with. It was quite common with Kaspersky back when everyone used antispyware programs for an extra layer of protection. Also, Windows updates are known to cause them. Windows Vista - Windows 10 forums all have subforums dedicated to BSOD Crashes and Debugging with thousands of topics, and most people who visit such forums are not normal users who would take a PC to the shop; they're technically inclined enough to troubleshoot and fix it for themselves. I had Windows 8.1 BSOD as soon as I installed it before. Nothing you say is any good advice to prevent BSOD from happening. :rolleyes:



Archived

This topic is now archived and is closed to further replies.
