So I’ve just had a quick play with this and yes, it works.
-
I think my prior toot on NightmareEclipse auto deleted so to make a perm one - it isn’t me. I suspect it’s somebody who used to work at MSFT, who departed after my era.
For anybody looking at this, testing showed two things:
- TPM unlocked the storage
- it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password loginBitLocker operates without a PIN by default so it’s basically a big gap, it’s unclear how this code made it into the production version of Windows.
-
For anybody looking at this, testing showed two things:
- TPM unlocked the storage
- it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password loginBitLocker operates without a PIN by default so it’s basically a big gap, it’s unclear how this code made it into the production version of Windows.
I should point out I’ve only tested with one version of Windows 11 - maybe the scope is smaller.
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog I'd be highly surprised if it didn't have a backdoor. Microsoft is not a company you should trust -
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
I was worried I'd run out of tools that do not require opening a computer/laptop case, now that Microsoft's planning to patch Bitpixie this year.
But Windows is a gift that just keeps on giving
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog I always assumed anything that could unlock an encrypted drive with no password or other authentication from the user could be bypassed. I figured if you don't have to enter a password, you have to assume that neither does anybody else.
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog hi just out of curiosity why would a bios password help / be required? is that only for if pcr7 isn't bound?
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
-
@tanavit @GossiTheDog
Haha oui j'ai vu passer ça, ainsi qu'une faille RCE dans Word. -
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog why is Microsoft so lazy when it comes to developing mission critical software
-
@mkoek @GossiTheDog you can also usually get the same general result in this config by poking the motherboard with a logic analyser and dumping the TPM data off the bus.
@gsuberland @mkoek @GossiTheDog Unless Microsoft made another mistake this shouldn't be possible. Accessing disk encryption keys should always use what is called a "salted session", where the communication between TPM and application is encrypted, precisely to prevent passive attacks on the bus.
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@drm Plus besoin de s'embêter à faire du TPM sniffing
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog thanks God i can recover an Old ssd whose bitlocker key is somewhere in the short-circuited mainboard Something Something Secure Module and I happen to not have a backup of that specific bitlocker key
-
@drm Plus besoin de s'embêter à faire du TPM sniffing
@S1m @GossiTheDog testé hier par un collègue, ça marche bien ! Mais ça va être rapidement patché...
-
@S1m @GossiTheDog testé hier par un collègue, ça marche bien ! Mais ça va être rapidement patché...
@drm @GossiTheDog Toujours à la pointe les collègues. C'est pas un patch qui nécessite une mise à jour des certifs secureboot ça ? Le genre de mise à jour qui est toujours retardée
-
@drm @GossiTheDog Toujours à la pointe les collègues. C'est pas un patch qui nécessite une mise à jour des certifs secureboot ça ? Le genre de mise à jour qui est toujours retardée
@S1m @GossiTheDog
. Je crois que tu confonds avec cette vuln https://github.com/garatc/BitUnlocker -
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog I suspect you have that NSA key set.
-
@S1m @GossiTheDog
. Je crois que tu confonds avec cette vuln https://github.com/garatc/BitUnlocker@drm @GossiTheDog Ah bah j'ai toujours cru que Bitlocker était by-design vuln aux downgrade attacks
-
@barubary @GossiTheDog It might be a "We've to deliver this and test this quicker" and someone forgot to remove.
A backdoor implies planning and we're talking about Microsoft.
I'd bet for bad QA and controls and lazy development with a pinch of "hurry, deliver now"
Which is ... Worse?
@prsfalken @barubary @GossiTheDog they’re excellent at planning Copilot and spyware integrations, though.
-
@GossiTheDog thanks God i can recover an Old ssd whose bitlocker key is somewhere in the short-circuited mainboard Something Something Secure Module and I happen to not have a backup of that specific bitlocker key
@splinux @GossiTheDog my mom sent me an old ssd in the same situation. Haven't been able to recover her data from it so far.
-
@mkoek @GossiTheDog you can also usually get the same general result in this config by poking the motherboard with a logic analyser and dumping the TPM data off the bus.
@gsuberland @mkoek @GossiTheDog not always - this wouldn't work with a "firmware TPM" implementation in IntelME/AMD PSP or in Pluton for example
