Hey Checkyourlogs Fans,
Here’s a really quick post on a Zero-Day Exploit that we are tracking in Server 2019 and Windows 10 right now. Per the article at bleeping computer Windows 10 bug corrupts your hard drive on seeing this file’s icon (bleepingcomputer.com), and I quote: “An unpatched zero-day in Microsoft Windows 10 allows attacks to corrupt an NTFS-formatted hard drive with one-line command.
In multiple tests by Bleeping Computer, this one liner can be delivered inside a Windows Shortcut file, a ZIP Archive, batch files, or various other vectors to trigger hard drive errors that corrupt the filesystem index instantly.”
To further this and simplify what they have said, here is what we have found out. On any system, even currently patched ones, you can open a command prompt as a standard user (NO Rights) and execute the following cd c:\:$i30$bitmap. This will return the following message “The File or Directory is corrupted and unreadable.”
Then a few minutes later, you will see the following message appear from Security and Maintenance on Server 2019. Restart to repair drive errors. If you don’t wait a few minutes, you will just get a check disk on the next reboot.
Here is what the reboot looks like.
I have tested this, and in certain cases, I was locked out to a Startup Recovery Screen.
I can’t tell you how bad this would be for Citrix, RDSH, WVD or other multi-session environments. Image this on a Windows Virtual Desktop running in Azure where the system, when rebooted, goes to a Startup Recovery screen. There aren’t any agents to communicate within here, and the system would show as down. I suppose a hard reboot might fix this, but many of us that have been around for a while know that persistent check disks are not healthy for an NTFS file system.
The event ID 100 in the Microsoft-Windows-NTFS-WHC log shows that the NTFS Global Corruption action state is now 7.
Upon reboot and check disk, it returns to this value of 0.
As of the time of writing this, there is not a fix for this, and I suggest you and your security teams immediately do some more research into this problem.
What I think can be done for Server 2019 is create a rule in your monitoring systems to alert when the NTFS Event ID 100 returns a value of “NTFS global corruption action state is now 7″.
At least you can tell which systems might already be impacted. I focus on Server platforms, but this obviously impacts current releases of Windows 10. The same type of monitoring can be run there to see if a threat actor is trying to take advantage of this or not.
I hope you enjoyed the read and best of luck. Feel free to comment or reach out to me on Twitter @DaveKawula.