June 19, 2021

Windows 7 NTFS bug allows any user to get admin privileges

(LiveHacking.Com) – A pair of security researchers, Gynvael Coldwind and Mateusz “j00ru” Jurczyk, have found a low level bug in Windows 7 NTFS driver that allows anyone with physical access to a machine to escalate their privileges to Administrator. Like something out of a spy movie, the pair have crafted a specially formatted NTFS USB flash drive which, when Windows 7 mounts it, allows the local user to start a command prompt as Administrator.

The local elevation of privileges vulnerability is in ntfs.sys and is caused by a NULL pointer dereference. To explore the robust of the NTFS device driver, the pair used a bit-flipping fuzzer to see if they could reproduce any system crashes. After roughly 17 hours of fuzzing time on a single laptop they found the access violation.

From here Mateusz “j00ru” Jurczyk was able to exploit the bug and replace arbitrary kernel memory with arbitrary data. He then used a well known privilege escalation payload that is implemented using four official API functions to start a new command prompt as Administrator.

This exploit has two immediate consequences,

  1. Anybody with physical access to a Windows 7 machine can start a privileged  command prompt. Then all manner of actions can be taken including installing malware, keyloggers and network monitors or the Windows installation can be damaged. This means that all shared computers resources in libraries, schools, universities and even workplaces are vulnerable to this exploit.
  2. It also means that there are more bugs in the NTFS filesystem, which is complex and still largely unexplored. This could lead to new attack vectors for malware writers.
Microsoft was reportedly investigating a potential fix for “stability” purposes as it is considered a low level vulnerability due to the fact that physical access is need.

Technical details on the bug and exploit were available on both Coldwind’s and Jurczyk’s blogs. Also, you can see a video of the bug being exploited here: Windows 7 USB stick local+physical attack demo