So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
-
For anybody looking at this, testing showed two things:
- TPM unlocked the storage
- it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password login
BitLocker operates without a PIN by default so it’s basically a big gap. It’s unclear how this code made it into the production version of Windows.
Technically you're running in WinPE with an unlocked drive.
-
@gsuberland @mkoek @GossiTheDog Unless Microsoft made another mistake this shouldn't be possible. Accessing disk encryption keys should always use what is called a "salted session", where the communication between TPM and application is encrypted, precisely to prevent passive attacks on the bus.
@berglerma @gsuberland @mkoek @GossiTheDog This is BitLocker we are talking about. There's about one yearly post somewhere online, from someone new who bypassed BitLocker with an Arduino and two paperclips. It's always passive attacks on the bus.
-
@GossiTheDog I mean they already do key escrow if you link to an MSFT account, right? So it seems sloppy for an intentional backdoor.
-
I should point out I’ve only tested with one version of Windows 11 - maybe the scope is smaller.
@GossiTheDog Very interesting indeed. I only have a work laptop with Windows 11 so I have no testbed. Everything else is Linux, and family has MacBooks. I used to be able to boot Linux from a portable SSD drive + portable hard drive on my work laptop to make a compressed backup of the entire laptop SSD, so I could just roll back to the last working image. Could this exploit be used to perform some "essentials" backup that could be used to restore from a BitLocker lockout or other failures?
-
@GossiTheDog You've probably seen this, but there were a bunch more in WinRE: https://media.ccc.de/v/39c3-bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets
-
@wdormann and I have both recreated the BitLocker backdoor^H^H^Hvulnerability https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
-
@GossiTheDog it's not clear to me what config this bypasses. is it only the no password config?
(Edit: thought about it and yeah ofc it's just that config)
@gsuberland @GossiTheDog Slightly easier than grabbing the key off LPC I guess.
-
@GossiTheDog This doesn't work for me. I'm using an exFAT Ventoy USB (it's all I have right now) on a T16 Gen 1 and a desktop. Both with TPM, no PIN.
ThinkPad - won't boot with CTRL held down, I briefly release it on the Lenovo screen. CMD pops up but C:\ is mapped to a Ventoy partition and the BitLocker partition wasn't mounted or unlocked.
Desktop - I got to CMD and C:\ was mounted but locked.
Without the USB, CMD doesn't open on either PC. I might try again later with a clean NTFS USB stick.
-
I think my prior toot on NightmareEclipse auto deleted so to make a perm one - it isn’t me. I suspect it’s somebody who used to work at MSFT, who departed after my era.
@GossiTheDog Do you think U.S. authorities could be investigating NightmareEclipse due to their disclosures?
I imagine Microsoft is investigating internally to determine if it's someone with previous/current access to internal info that is still legally protected (by contract or law).
Based on their posts, MS might already know their identity if they have interacted with this person via MSRC and have their payment info for the bug bounty programs.
-
@GossiTheDog Okay, I got it working on the desktop. Even though `reagentc /info` showed that it was enabled, running `reagentc /disable` then `reagentc /enable` made the machine vulnerable.
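As an added example (not code from this thread, from YellowKey, or from Microsoft), a PowerShell check for the two conditions the replies above turn on: volumes whose boot unlock rests on a TPM-only protector with no PIN, and the WinRE state that `reagentc /info` reports. It assumes an elevated PowerShell on Windows with the BitLocker module (`Get-BitLockerVolume`) available.

```powershell
# Added example, not code from the thread or from YellowKey. Reports BitLocker
# volumes whose TPM protector is plain TPM (no PIN), the configuration the
# thread identifies as exposed, plus the WinRE state reported by reagentc.
# Assumes: elevated PowerShell on Windows with the BitLocker module available.

function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector type names, e.g. Tpm, TpmPin, TpmStartupKey, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $pinBacked = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # True when the volume unlocks from the TPM alone at boot
            TpmOnly          = ($types -contains 'Tpm') -and ($pinBacked.Count -eq 0)
        }
    }
}

function Get-WinReStatus {
    # reagentc prints a line such as "Windows RE status:         Enabled"
    $line = (reagentc /info) | Where-Object { $_ -match 'Windows RE status' }
    if     ($line -match 'Enabled')  { 'Enabled' }
    elseif ($line -match 'Disabled') { 'Disabled' }
    else                             { 'Unknown' }
}

$audit = Get-BitLockerProtectorAudit
$audit | Format-Table -AutoSize
"WinRE status: $(Get-WinReStatus)"
if ($audit | Where-Object TpmOnly) {
    'One or more volumes rely on a TPM-only protector; consider replacing it with a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector).'
}
```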
-
@gsuberland @GossiTheDog I think I used something like this last year. After a bios update a new Windows update fucked up my OS and the machine kept rebooting and going into recovery...
From that recovery mode I had access to the unlocked OS disk (without using the recovery key) and I was able to copy the couple of folders which were not in my backup... before I wiped the disk and did a clean install.
-
@GossiTheDog The author claims that TPM + PIN is not protection. Personally I have a hard time understanding how that could be bypassed. Thoughts?
