| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $5k-$25k | 0.00 |
A vulnerability was found in Microsoft Windows (Operating System) (the affected version is unknown). It has been declared as problematic. Affected by this vulnerability is the function Ntfs!PushIndexRoot of the component Master File Table. The manipulation with an unknown input leads to a denial of service vulnerability (Blue Screen). The CWE definition for the vulnerability is CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. As an impact it is known to affect availability.
The weakness was shared 10/24/2019 by Stéfan Le Berre as NTFS 0day in MFT parsing as not defined paper (Website). The advisory is shared at exatrack.com. The vendor cooperated in the coordination of the public release. An attack has to be approached locally. A single authentication is needed for exploitation. Technical details are known, but no exploit is available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 10/25/2019). The advisory points out:
The vulnerability may be triggered by the addition of a new file into a directory. More specifically the field $INDEX_ROOT. This field contains the list of files included into the directory.
The vulnerability was handled as a non-public zero-day exploit for at least 130 days. During that time the estimated underground price was around $5k-$25k. The advisory illustrates:
At the 0x30 offset is located the first entry, here its value is 0x10. It represents the relative offset of the directory’s first file. Its default value is always 0x10, but may be manually modified to point on the second file entry. To do so we have to modify this value with 0xe0. So we end up with a smaller file list than really contained files. Normally, it should be fine, excepted if all the MFT is used and we try to add a new file. In this case the field $INDEX_ROOT must be transformed form “resident” to “not resident”. Thus, the system must allocate a free space in the partition.
The problem might be mitigated by replacing the product with as an alternative.
Product
Type
Vendor
Name
License
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.5VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Name: Blue ScreenClass: Denial of service / Blue Screen
CWE: CWE-404
ATT&CK: Unknown
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: AlternativeStatus: 🔍
0-Day Time: 🔍
Timeline
06/16/2019 🔍08/09/2019 🔍
10/24/2019 🔍
10/25/2019 🔍
10/25/2019 🔍
Sources
Vendor: microsoft.comProduct: microsoft.com
Advisory: NTFS 0day in MFT parsing
Researcher: Stéfan Le Berre
Status: Not defined
Coordinated: 🔍
Entry
Created: 10/25/2019 09:39Updated: 10/25/2019 09:44
Changes: 10/25/2019 09:39 (50), 10/25/2019 09:44 (2)
Complete: 🔍
Submitter: misc
Submit
Accepted
- Submit #108: Microsoft Windows NTFS Master File Table Integer Overflow leads to BSOD (by misc)
No comments yet. Languages: en.
Please log in to comment.