So I’ve just had a quick play with this and yes, it works.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 20:20:16 GMT

wdormann@infosec.exchange — Wed, 13 May 2026 20:20:16 GMT

@GossiTheDog
The aurhor claims that TPM + PIN is not protection.

Personally I have a hard time understanding how that could be bypassed. Thoughts?

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 19:56:44 GMT

sassdawe@infosec.exchange — Wed, 13 May 2026 19:56:44 GMT

@gsuberland @GossiTheDog I think I used something like this last year. After a bios update a new Windows update fucked up my OS and the machine kept rebooting and going into recovery...

From that recovery mode I had access to the unlocked OS disk (without using the recovery key) and I was able to copy the couple of folders which were not in my backup... before I wiped the disk and did a clean install.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 19:26:38 GMT

daigle@mastodon.kaisev.net — Wed, 13 May 2026 19:26:38 GMT

@GossiTheDog Okay I got it working on the desktop, even though `reagentc /info` showed that it was enabled, running `reagentc /disable` then `reagentc /enable` made the machine vulnerable

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 19:13:08 GMT

alesandroortiz@infosec.exchange — Wed, 13 May 2026 19:13:08 GMT

@GossiTheDog Do you think U.S. authorities could be investigating NightmareEclipse due to their disclosures?

I imagine Microsoft is investigating internally to determine if it's someone with previous/current access to internal info that is still legally protected (by contract or law).

Based on their posts, MS might already know their identity if they have interacted with this person via MSRC and have their payment info for the bug bounty programs.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 19:04:35 GMT

daigle@mastodon.kaisev.net — Wed, 13 May 2026 19:04:35 GMT

@GossiTheDog This doesn't work for me. I'm using an exFat Ventoy USB (it's all I have right now) on a T16 Gen 1 and a desktop. Both with TPM, no PIN.

ThinkPad - won't boot with CTRL held down, I briefly release it on the Lenovo screen. CMD pops up but C:\ is mapped to a Ventoy partition and the BitLocker partition wasn't mounted or unlocked.

Desktop - I got to CMD and C:\ was mounted but locked.

Without the USB CMD doesn't open on either PC. I might try again later with clean NTFS USB stick.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 19:00:20 GMT

ams@infosec.exchange — Wed, 13 May 2026 19:00:20 GMT

@gsuberland @GossiTheDog Slightly easier than grabbing the key off LPC I guess.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 18:53:13 GMT

gossithedog@cyberplace.social — Wed, 13 May 2026 18:53:13 GMT

Me and @wdormann have both recreated the BitLocker backdoor^H^H^Hvulnerability https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 16:49:54 GMT

jja2000@ue.oiaa.aaio.eu — Wed, 13 May 2026 16:49:54 GMT

@GossiTheDog You've probably seen this, but there were a bunch more in WinRE: https://media.ccc.de/v/39c3-bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 16:30:43 GMT

mdb@newsie.social — Wed, 13 May 2026 16:30:43 GMT

@GossiTheDog Very interesting indeed. I only have a work laptop with windows 11 so I have no testbed. Everything else is Linux, and famliy has Macbooks. I use to be able to boot Linux from a portable ssd drive + portable hard drive on my work laptop to make a compressed backup of the entire laptop SSD, so I could just roll back to last working image. Could this exploit be used to perform some "essentials" backup that could be used to restore from a bitlocker lockout or other failures?

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:59:24 GMT

mikesiegel@infosec.exchange — Wed, 13 May 2026 15:59:24 GMT

@GossiTheDog I mean they already do key escrow if you link to a MSFT account right? So seems sloppy for an intentional backdoor.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:58:01 GMT

mikesiegel@infosec.exchange — Wed, 13 May 2026 15:58:01 GMT

@GossiTheDog

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:33:25 GMT

pianosaurus@c.im — Wed, 13 May 2026 15:33:25 GMT

@berglerma @gsuberland @mkoek @GossiTheDog This is BitLocker we are talking about. There's about one yearly post somewhere online, from someone new who bypassed bitlocker with an arduino and two paperclips. It's always passive attacks on the bus.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:23:51 GMT

jernej__s@infosec.exchange — Wed, 13 May 2026 15:23:51 GMT

@GossiTheDog

it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password login

Technically you're running in WinPE with unlocked drive.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:17:19 GMT

gsuberland@chaos.social — Wed, 13 May 2026 15:17:19 GMT

@Rairii @GossiTheDog @mkoek yeah, I was just thinking "hm I should edit that post from yesterday to mention fTPMs"

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:15:50 GMT

rairii@labyrinth.zone — Wed, 13 May 2026 15:15:50 GMT

@gsuberland @mkoek @GossiTheDog not always - this wouldn't work with a "firmware TPM" implementation in IntelME/AMD PSP or in Pluton for example

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 15:11:32 GMT

kboyd@phpc.social — Wed, 13 May 2026 15:11:32 GMT

@splinux @GossiTheDog my mom sent me an old ssd in the same situation. Haven't been able to recover her data from it so far.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 14:51:47 GMT

can@haz.pink — Wed, 13 May 2026 14:51:47 GMT

@prsfalken @barubary @GossiTheDog they’re excellent at planning Copilot and spyware integrations, though.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 14:28:27 GMT

s1m@infosec.exchange — Wed, 13 May 2026 14:28:27 GMT

@drm @GossiTheDog Ah bah j'ai toujours cru que Bitlocker était by-design vuln aux downgrade attacks

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 14:02:07 GMT

moelassus@mastodon.social — Wed, 13 May 2026 14:02:07 GMT

@GossiTheDog I suspect you have that NSA key set.

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 13:46:27 GMT

drm@mastodon.social — Wed, 13 May 2026 13:46:27 GMT

@S1m @GossiTheDog . Je crois que tu confonds avec cette vuln https://github.com/garatc/BitUnlocker

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 13:28:44 GMT

s1m@infosec.exchange — Wed, 13 May 2026 13:28:44 GMT

@drm @GossiTheDog Toujours à la pointe les collègues. C'est pas un patch qui nécessite une mise à jour des certifs secureboot ça ? Le genre de mise à jour qui est toujours retardée

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 13:27:01 GMT

drm@mastodon.social — Wed, 13 May 2026 13:27:01 GMT

@S1m @GossiTheDog testé hier par un collègue, ça marche bien ! Mais ça va être rapidement patché...

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 13:12:35 GMT

splinux@mastodon.uno — Wed, 13 May 2026 13:12:35 GMT

@GossiTheDog thanks God i can recover an Old ssd whose bitlocker key is somewhere in the short-circuited mainboard Something Something Secure Module and I happen to not have a backup of that specific bitlocker key

Reply to So I’ve just had a quick play with this and yes, it works. on Wed, 13 May 2026 12:59:45 GMT

s1m@infosec.exchange — Wed, 13 May 2026 12:59:45 GMT

@GossiTheDog

@drm Plus besoin de s'embêter à faire du TPM sniffing