hashpwn


Bitlocker Bypass Vulnerability

2 Posts 2 Posters 38 Views 2 Watching
  • 174region174 (Trusted) wrote, last edited by cyclone
    #1

    From: https://github.com/Nightmare-Eclipse/YellowKey

    YellowKey BitLocker Bypass Vulnerability

    Been a while since I saw a BitLocker bypass around, my turn.

    This is one of the most insane discoveries I ever found, almost feels like a backdoor, but what do you know, maybe I'm just insane.

    How to reproduce:

    Copy the FsTx folder to YourUSBStick:\System Volume Information\FsTx as-is and make sure to use a filesystem that's compatible with Windows. NTFS is preferable, but FAT32/exFAT should work as well.

    Plug the USB stick into the target Windows computer with BitLocker protection turned on.

    Reboot to Windows Recovery Environment Agent. You can do this by holding SHIFT and clicking the restart button.

    Once you click restart, lift your finger off SHIFT and hold CTRL. Do not lift your finger off it.

    If done properly, a shell will spawn with unrestricted access to the BitLocker-protected volume.

    [screenshot attached]

    Now why would I say this is a backdoor? The component responsible for this bug is not present anywhere, even on the internet, except inside the WinRE image. What raises suspicion is that the exact same component is also present with the exact same name in a normal Windows installation, but without the functionality that triggers the BitLocker bypass issue.

    Why? I just can't come up with an explanation besides the fact that this was intentional.

    Also, for whatever reason, only Windows 11, Server 2022, and Server 2025 are affected. Windows 10 is not.

    A huge thanks to MORSE, MSTIC, and Microsoft GHOST for making this public disclosure possible.

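    A defender-side check for the staging artefact the steps above describe, added here as an example and not code from the post or from the YellowKey repository: it enumerates removable volumes for a `System Volume Information\FsTx` directory and reports the system drive's BitLocker protection state and WinRE status. It assumes an elevated PowerShell session on the host being checked; the folder path is the one given in the post, and the function names are my own.

```powershell
# Added example (not from the post or the YellowKey repo): look for a staged
# FsTx folder on removable media and report BitLocker/WinRE state on this host.
# Run elevated: "System Volume Information" is not readable by standard users.

function Find-StagedFsTx {
    # Relative path taken from the reproduction steps in the post above.
    $relative = 'System Volume Information\FsTx'
    $hits = @()
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $path = Join-Path ("{0}:\" -f $vol.DriveLetter) $relative
        if (Test-Path -LiteralPath $path -PathType Container) {
            $hits += [pscustomobject]@{
                Drive      = $vol.DriveLetter
                FileSystem = $vol.FileSystem
                Path       = $path
                # Count hidden/system files too; the staged folder is typically hidden.
                Files      = (Get-ChildItem -LiteralPath $path -Force -Recurse -File | Measure-Object).Count
            }
        }
    }
    return $hits
}

function Get-HostBitLockerState {
    # Requires the BitLocker PowerShell module (present where BitLocker is installed).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        ProtectionStatus = $os.ProtectionStatus    # On / Off
        VolumeStatus     = $os.VolumeStatus        # e.g. FullyEncrypted
        KeyProtectors    = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ','
    }
}

$staged = Find-StagedFsTx
if ($staged) {
    Write-Warning 'Staged FsTx folder found on removable media:'
    $staged | Format-Table -AutoSize
} else {
    Write-Output 'No staged FsTx folder found on removable volumes.'
}
Get-HostBitLockerState | Format-List
# WinRE status (enabled/disabled, image location) for the same host:
reagentc /info
```

    Run it on a host before and after removable media is attached; a hit on `Find-StagedFsTx` is a reason to examine the device, not proof of the bypass on its own.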
    • cyclone (Admin, Trusted) wrote
      #2

      Full write up:
      https://forum.hashpwn.net/post/13339

      Sysadmin by day | Hacker by night | Go Dev | hashpwn
      3x RTX 4090 3x RTX 2080ti