Windows 10: Windows 10 Bug That Can Corrupt Hard Drives

Discus and support Windows 10 Bug That Can Corrupt Hard Drives in Windows 10 BSOD Crashes and Debugging to solve the problem; Currently, we have seen an unpatched zero day exploit in which allows attackers to corrupt an NTFS-formatted hard drive with a one line command. In... Discussion in 'Windows 10 BSOD Crashes and Debugging' started by harryhazelCWOA, Jan 14, 2021 at 1:02 PM.

  1. Windows 10 Bug That Can Corrupt Hard Drives


    Currently, we have seen an unpatched zero day exploit in which allows attackers to corrupt an NTFS-formatted hard drive with a one line command.
    In multiple tests, this one liner can be delivered hidden inside a Windows shortcut file, a ZIP archive, batch files, or various other vectors to trigger hard drive errors that corrupt the filesystem index instantly.

    In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed.
    When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records.

    The flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in 1809, 1903, 1909, 2004 and 20H2.

    What's worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems.

    The twitter link is listed below:
    https://twitter.com/jonasLyk/status/1347900440000811010
    A drive can become corrupted by merely trying to access the $i30 NTFS attribute on a folder in a certain way.
    *WARNING* Ex
    ecuting the below command on a live system will corrupt the drive and possibly make it inaccessible. ONLY test this command in a virtual machine that you can restore to an earlier snapshot if the drive becomes corrupted. *WARNING*
    An example command that corrupts a drive is shown below. cd c:\:$i30:$bitmap



    The Windows NTFS Index Attribute, or '$i30' string, is an NTFS attribute associated with directories that contains a list of a directory's files and subfolders. In some cases, the NTFS Index can also include deleted files and folders, which comes in handy when conducting an incident response or forensics.

    It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue if it doesn't work.

    'I have no idea why it corrupts stuff and it would be a lot of work to find out because the reg key that should BSOD on corruption does not work. So, I'll leave it to the people with the source code,' Jonas told.
    After running the command in the Windows 10 command prompt and hitting Enter, the user will see an error message stating, "The file or directory is corrupted and unreadable."

    Windows 10 will immediately begin displaying notifications prompting the user to restart their PC and repair the corrupted disk volume. On reboot,
    the Windows check disk utility runs and starts repairing the hard drive, as demonstrated in the video below.After the drives become corrupted, Windows 10 will generate errors in the Event Log stating that the Master File Table MFT for the particular drive contains a corrupted record.

    Tests also show that you can use this command on any drive, not only the C: drive and that drive will subsequently become corrupted.


    More sophisticated ways to exploit the zero-day
    In tests, threat actors can use the command maliciously in various PoC exploits.
    One striking finding shared by Jonas with us was that a crafted Windows shortcut file .url that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file!

    As observed, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file's icon.

    To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process.

    Next, "restart to repair hard drive" notifications start popping up on the Windows PC—all this without the user even having opened or double-clicked on the shortcut file.

    Delivering payload via ZIP archives, HTML files, and various means
    Creative attackers can also deliver this payload in a variety of ways to the victim.

    While the same-origin policy on most browsers would limit such attacks being served from a remote server e.g., a remote HTML document referencing file:///C:/:$i30:$bitmap, creative means exist to work around such restrictions.

    The researcher briefly stated that other vectors could be used to trigger this exploit remotely, such as via crafted HTML pages that embed resources from network shares or shared drives that have references to the offending $i30 path. In some cases, according to the researcher, it is possible to corrupt the NTFS Master File Table MFT.

    During research, they came across a caveat.

    In some tests, after the Windows 10 chkdsk utility had "repaired" the hard drive errors on reboot, the contents of the exploit file, in this case, the crafted Windows shortcut with its icon set to C:\:$i30:$bitmap would be cleared and replaced with empty bytes.

    Windows 10 Bug That Can Corrupt Hard Drives 85b1067d-3eb9-45c4-a67b-4ebf2f4eaf93?upload=true.jpg This means the crafted Windows shortcut file was enough to pull a one-off attack if this happens.


    Besides, a victim is not likely to download a Windows shortcut .url file from the internet.

    To make the attack more realistic and persistent, attackers could trick users into downloading a ZIP archive to deliver the crafted file.

    An attacker can, for example, sneak in their malicious Windows shortcut file with a large number of legitimate files inside a ZIP archive.

    Not only is a user more likely to download a ZIP file, but the ZIP file is likely to trigger the exploit every single time it is extracted.

    This is because the compressed and possibly encrypted contents of the ZIP file, including the Windows shortcut, would not trigger the exploit unless extracted.

    And even when extracted, the hard drive repairing process would empty the extracted Windows shortcut file without touching the compressed copy present inside the ZIP archive until the user attempts to re-extract the ZIP.

    According to sources in the infosec community, serious vulnerabilities like these have been known for years and reported to Microsoft earlier but remain unpatched.




    :)
     
    harryhazelCWOA, Jan 14, 2021 at 1:02 PM
    #1

  2. CANNOT DELETE A CORRUPTED FILE ON MY EXTERNAL HARD DRIVE ON WINDOWS 10

    Hi Leenus,

    Hard drive and other external memory storage can be corrupted on account of bad sectors which are no longer accessible or writable due to permanent damage. Your device or hard drive could also be infected by some type of malware. These are some of the possible
    causes why you are experiencing the error "ERROR 0x80070570: The file or directory is corrupted or unreadable". To address this concern, we suggest performing the following troubleshooting methods:

    Method 1

    Check and repair disk errors or corrupted file system. This process can fix "The file or directory is corrupted and unreadable" error caused by bad sectors, virus infection or file system corruption. To do so, follow these steps:

    • Back up all of the files on the hard drive (except for the corrupted file).
    • Using Search, type CMD.
    • From the search results, right-click on Command Prompt and then choose Run as administrator.
    • On the Command Prompt window, type chkdsk /f h: (h stands for your hard drive) and then hit the Enter key.
    • Delete the corrupted file and check if you'll experience the same error.

    Method 2

    Format the hard drive. You can manually format the hard drive to permanently remove "The file or directory is corrupted and unreadable" error. These are the steps on how to format an external drive:

    • Plug the hard drive into your computer.
    • Back up all of the files on the hard drive (except for the corrupted file).
    • Open File Explorer and then click This PC.
    • Click the external hard drive's name, click on Manage tab and then click on Format.
    • Click Start and then click OK.

    Keep us updated with the result.
     
  3. CANNOT DELETE A CORRUPTED FILE ON MY EXTERNAL HARD DRIVE ON WINDOWS 10

    I had the very same problem and this worked perfectly!!!
     
  4. Windows 10 Bug That Can Corrupt Hard Drives

Thema:

Windows 10 Bug That Can Corrupt Hard Drives

Loading...
  1. Windows 10 Bug That Can Corrupt Hard Drives - Similar Threads - Bug Corrupt Hard

  2. Corrupted hard drive

    in Windows 10 Network and Sharing
    Corrupted hard drive: Hello I had a hard drive go out on me. It says "The file or Directory is corrupted and unreadable". I tried restarting the computer and using "chkdsk x: /f /r" But it didn't work. some of the the results are: 89600 file records processed. File verification completed....
  3. Hard Drives corruption and errors

    in Windows 10 Network and Sharing
    Hard Drives corruption and errors: So I had my computer unused for about a year it having two harddrives one HDD one SSD the ladder having the operating system. After starting it up again two days ago everything worked like it used to I had restarted it many times that day so it wasn't a hardware issue. But...
  4. corrupted hard drive

    in Windows 10 Installation and Upgrade
    corrupted hard drive: I was told I had a corrupted hard drive and so I bought an ssd drive to replace it. now I cant get windows to down load or to read anything on the pc. It says that I have 2 hard drives both new WD2t. and a Samsung 256gb ssd. but will not let me load windows onto either of...
  5. Corrupted Hard Drive

    in Windows 10 Network and Sharing
    Corrupted Hard Drive: How do you reformat a corrected hard drive? https://answers.microsoft.com/en-us/windows/forum/all/corrupted-hard-drive/b4812ab5-d725-4cac-9aaf-8a1b884873f8
  6. Can you fix corrupt files on external hard drive?

    in Windows 10 Performance & Maintenance
    Can you fix corrupt files on external hard drive?: I stupidly moved instead of copied about 50 GB of videos and documents to an external hard drive. Everything was in one folder and I just moved it and went away from the computer for an hour or so figuring it would take a while. When I tried to look and make sure everything...
  7. Can you fix corrupt files on external hard drive?

    in Windows 10 Support
    Can you fix corrupt files on external hard drive?: I stupidly moved instead of copied about 50 GB of videos and documents to an external hard drive. Everything was in one folder and I just moved it and went away from the computer for an hour or so figuring it would take a while. When I tried to look and make sure everything...
  8. Installing Windows 10 corrupts the hard drive

    in Windows 10 Drivers and Hardware
    Installing Windows 10 corrupts the hard drive: I am working on on an ASUS X555LAB laptop that began booting to BIOS every time it was started. It also ran slowly and was buggy. Following a clean installation of Windows 10 it initially ran well but after a few smooth re-boots and Windows 10 updates as well as driver...
  9. Hard Drive Corruption.

    in Windows 10 BSOD Crashes and Debugging
    Hard Drive Corruption.: Hi everyone, my machine improper shut downs, many times and hard closing programs. I was looking for solutions and I found out one by check disk. Can you tell me how can I do that? Thanks...
  10. Corrupted hard drives

    in Windows 10 Drivers and Hardware
    Corrupted hard drives: Hi I am sure this has been covered elsewhere but I can't find it. My external drives were set to 'turn off write-cache' and we had a black out. The result is a 3 Tb Seagate external drive, a 2 Tb Seagate external drive, and a 500 Gb portable drive are no longer seen by...