yellowkey bitlocker bypass
Posted by MegaN00BMan@reddit | sysadmin | 215 comments
Bitlocker bypass anyone?
GitHub - Nightmare-Eclipse/YellowKey: YellowKey Bitlocker Bypass Vulnerability · GitHub
CharcoalGreyWolf@reddit
Again, the person who releases to the public because he “doesn’t like how Microsoft handles things” with *zero* consideration for how the entire IT world now has to handle the things this person is doing.
I am not happy with this person. “IT’S NOT JUST ABOUT YOU AND MICROSOFT, PERSON!!!
_Dreamer_Deceiver_@reddit
You would be mad at the person who released the exploit and not Microsoft? You would prefer only some people knew about this and could exploit it while the rest of the IT world sits there in ignorance?
CharcoalGreyWolf@reddit
I’d be mad at Microsoft IF they had the vulnerability and did absolutely nothing about it. Then the dude could totally release it, and I would be just fine with it. This is simultaneous release and announce. Nobody has time to figure it out before it’s already out in the verse. That is not good for anyone other than the person releasing this.
_Dreamer_Deceiver_@reddit
And apparently that's what happened if you believe the leaker
ConsciousEquipment@reddit
what?? man this exposes Microsoft and it's hilarious. It's great that he publishes it basically as a manual. The fallout is on Microsoft, if something happens it happens because they have poor design not because someone found out about it lmao
CharcoalGreyWolf@reddit
So apparently you’re not the Sysadmin who has to suffer for it and so doesn’t consider those who do.
G’day, mate.
SusAdmin42@reddit
You’re simping for a trillion dollar corp. A lot of us are SysAdmins that have to deal with this, but maybe MS should dedicate more resources to security. Don’t be mad at the researcher.
CharcoalGreyWolf@reddit
I’m not simping at all, you’re just not getting it.
There’s a middle ground option, a way to announce a vulnerability, not release it, and give a fixed amount of time to resolve before releasing it. If Microsoft blows him off, he can release sooner. This is simultaneous announce, release, laugh. It benefits nobody other than the person doing it.
SusAdmin42@reddit
I get it. Maybe he did reach out, maybe he didn’t. I’m glad he announced it regardless.
I… just don’t care all that much. Life is short, and I don’t see this as life threatening.
CharcoalGreyWolf@reddit
Well, apparently you don’t have multiple organizations to protect from it.
Life is short. Honestly, too short to be making the IT community’s life miserable because they have a vendetta against. There are better options.
SusAdmin42@reddit
This is a physical attack… so no, I don’t.
I doubt they did it with the purpose of making millions of IT workers miserable.
CharcoalGreyWolf@reddit
Then it would be being done with very little thought to it in the first place, much like they did with Blue Hammer and Green Plasma, and they’re promising to release more.
It’s all fun and games until someone suffers because of it. Do I like Microsoft? Not so much. Do I want this person making their problem with Microsoft everyone’s problem? Same answer.
iratesysadmin@reddit
He's dropped like 5 exploits in the past 2 months, there is some bad history with him and MS and basically he feels this is the only way to get this handled.
CharcoalGreyWolf@reddit
So, if he endangers hundreds of thousands of businesses, end users, etc. maybe millions, that’s just too damned bad for everyone?
Yes, I’ve been following the whole story. They’re not dying a hero, they’re living long enough to become a villain themselves. Not saying Microsoft isn’t its own brand of villain; more saying this isn’t any better and there’s middle ground to be found.
iratesysadmin@reddit
I'm not disagreeing with you nor am I saying it's correct, just providing context for those who have not been following the saga.
But if he has tried to disclose this correctly and been rejected by MS as out of scope (as some claim, no proof provided), then I don't see a way besides public disclosure to force it. Leaving it unpatched (security via obscurity) is even worse.
CharcoalGreyWolf@reddit
I would probably notify Microsoft, then tell them a general idea of PoC and give them half of the usual time to fix (or at least acknowledge) it if they’ve been truly awful to this person; if it’s disregarded, then it’s released.
This person has made it a literal vendetta now, and they’ve made the entire world part of it, which isn’t any better. And they’re planning to do more of it. If they have a problem, state some clear requests as to what Microsoft could do that would resolve this, publicly to everyone.
Smith6612@reddit
Without having done much research, honestly if these flaws have been around for years and haven't been getting fixed despite notification, I'd be on the side of a vendetta being required. The same rule goes with hush hush backdoors being built into code. At some point it's time to light the fire and paint the target for the betterment of everyone.
CharcoalGreyWolf@reddit
That would depend on whether the vulnerability was already reported to Microsoft.
There is a reason bug bounties exist, and why there is a report method. From what I understand of this situation, these are newer vulnerabilities that have never been reported to Microsoft. If they were reported then ignored, I would have no issue with releasing the information after a reasonable time frame (e.g. 30 days).
ConsciousEquipment@reddit
so? that's what you do lol
CharcoalGreyWolf@reddit
Against one person? In the past, when I was younger and more stupid.
Against millions? Nope.
ConsciousEquipment@reddit
yep, exactly! glad you got it
nroach44@reddit
Blame Microsoft, they're the ones that kick back the researcher's findings because they're "out of scope".
anikansk@reddit
At least I dont have to worry about the HP BIOS issue now...
StigaPower@reddit
Explain HP BIOS issue?
robbak@reddit
Now just combine it with the (still functional) utilman.exe hack, and you can turn on (or create) a full local admin account, and the computer is yours.
Friendly_Guy3@reddit
It works like a charm. Windows 11 24H2 10.0.26100.8246. BitLocker is protected by TPM, no PIN. Access to USB devices is forbidden in Windows via policy. USB boot is disabled. Cold boot to just the login screen. Hold shift and press reboot while the USB stick is inserted. Release shift, holding ctrl during reboot.
Command prompt is appearing and C: is free to access.
If just the recovery menu comes up, something went wrong and the drive is still secure.
Scary.
Effective_Peak_7578@reddit
Do you have to press Control? The command prompt showed if I only held shift but I can only see public folder contents
Secret_Account07@reddit
This is terrifying.
So just to be clear, does a PIN/password neutralize the exploit?
picklednull@reddit
Of course, that's always the case with these. Anyone actually serious about security will have a PIN on BitLocker.
Finn_Storm@reddit
u/Secret_Account07 Looks like it doesn't.
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html
> Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment ? Yes it does, I'm just not publishing the PoC, I think what's out there is already bad enough.
jamesaepp@reddit
I'm personally not too surprised that PIN doesn't defeat the attack.
My superficial understanding is that BitLocker has a single key for encrypting a given volume.
That key is itself wrapped by other keys/protectors. Whether the recovery key is used or the TPM unlocks it (with or without PIN) or a password unlocks it or whether a drive is set to auto-unlock with OS, doesn't really matter. Any of those keys are equally able to decrypt the main encryption key.
Not too dissimilar from how EFS works. One key for the file being encrypted, and authorized certificates can be used to unlock that key.
If this attack is simply yet another way to unlock that single key, then the whole system is bust.
charleswj@reddit
The TPM won't produce the key without the PIN.
jamesaepp@reddit
What or who says the TPM is a necessary component for this attack to function?
charleswj@reddit
Because that's where the key to decrypt the drive is located. You have to get it from the TPM or the drive is a brick.
poptix@reddit
That's where your key is.
charleswj@reddit
You're just making things up that sound good in your head. A stupid person armed with a conspiracy theory is not to be reasoned with because every logical explanation is just fodder for more conspiracy.
poptix@reddit
You're welcome to test the exploit yourself. I have no problem believing that the key stored in TPM is just one of the keys capable of unlocking the disk, directly or indirectly. It's not conspiracy it's just knowing how people code things and what happens when end users and lawyers get involved.
OddScene4044@reddit
Wow, a whole sentence to say "vibes".
jamesaepp@reddit
(Rhetorical question) Under normal circumstances, how does an operator unlock a drive if the TPM was lost/failed or the drive was transplanted to another machine?
LaDev@reddit
If this is the case there is a ton of incorrect information being posted on blogs that are stating preboot auth mitigates.
Secret_Account07@reddit
Great find.
Wow, assuming this is true this is kinda shady of MS. I get not publicizing stuff but what is the point of disclosure and CVEs then lol
Finn_Storm@reddit
Do you mean a pin beyond the standard 80-something-character key that bitlocker gives you?
EachAMillionLies@reddit
Yes, that's just a recovery key.
MrSanford@reddit
Yeah, that's not a PIN
ansibleloop@reddit
Like the researcher said - this is absolutely intentional
Secret_Account07@reddit
My question is, and I doubt we ever get the answer, is what was the motivating force to add this? I have a feeling it’s a 3 letter agency.
ansibleloop@reddit
US government demanded a back door I'll bet
Just look what happened to truecrypt back in the day
Excellent-Chemist-69@reddit
I'm unable to get the prompt to load. It just goes straight to the bitlocker recovery page every time. Guess
watchutalkinbowt@reddit
I see the same thing - when you try to go from X to C 'drive is locked, unlock from control panel'
fwiw this is an 11 Pro laptop that does not have the patches from yesterday yet
Main_Ambassador_4985@reddit
I do not think this will work on systems in my domain. I need to test.
Boot order is locked
BIOS is locked
Secure boot and UEFI guard enabled
Safe boot and Windows recovery disabled.
When we have a system fail to boot we unlock the boot order and image in a controlled location.
If a system dies at a remote location we overnight a replacement. We have a system where we can add a drive unlock Bitlocker to recover files that were improperly stored.
SusAdmin42@reddit
Are you prevented from booting into WinRE from the Windows login screen?
iratesysadmin@reddit
Do post back. The only thing that might be stopping this is the "Safe boot and Windows recovery disabled." But I do wonder if this actually stops this.
jmbpiano@reddit
I feel like I'm fundamentally missing something. Can someone ELI5 what the vulnerability is here?
It sounds like you still need to run this on a machine with the original TPM present, so how is it surprising that an OS running off a flash drive can retrieve the same decryption keys the regular OS would?
Rawme9@reddit
Supposedly the concept and privilege escalation works on TPM+PIN setups, although the researcher only posted a PoC for TPM-only setups.
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html?m=1
thortgot@reddit
I don't see how that could be possible unless it was an intentional backdoor.
Rawme9@reddit
That seems to be the implication. This person almost definitely did not stumble across this imo.
charleswj@reddit
How would even an intentional backdoor produce the correct PIN to present to the TPM? Even if you wanted to design such a thing, you couldn't.
JustCallMeBigD@reddit
Perhaps there's a 'duress PIN' that works when the files on the USB stick are present.
charleswj@reddit
So now TPM vendors are adding backdoors?
JustCallMeBigD@reddit
Would they need to? PIN is set through BitLocker at time of encryption, so nothing really stopping Windows from storing it somewhere.
Then, with the vulnerability present, a duress code could be entered, and Windows RE will pass the real PIN instead.
Given what others have said that this feels like an intentional backdoor, it could be entirely possible. I'm just shooting spitballs, though.
charleswj@reddit
It would be detectable if a pin was written somewhere locally. There's zero chance Microsoft, Apple, Google, Samsung, etc would put in a backdoor. Zero. If you think it's an intentional backdoor, I don't know what to tell you. It's just pure tinfoil hat speculation from whole cloth.
Note I'm a MSFT employee, but couldn't be farther from this side of the company, and often complain publicly when our shit stinks.
Existential_Racoon@reddit
You don't think literally all of those companies have backdoors?
SusAdmin42@reddit
Yea…. I don’t know how you can believe this when companies like AT&T have back doors for the government.
Rawme9@reddit
My assumption is that it bypasses the PIN check completely in a similar fashion to how it bypasses the TPM. But it's all speculation and I'm not gonna pretend to fully understand the initial exploit.
charleswj@reddit
But it's not bypassing the TPM. It's asking for the key and is authorized to do so. The trick here is that the RE env shouldn't give you access to the unlocked drive.
ledow@reddit
Nick a laptop with Bitlocker before - you just had to wipe it and sell it on.
Nick a laptop with Bitlocker now - you can decrypt it and access the complete filesystem.
That's a HUGE difference and, honestly, the only reason to be using Bitlocker in the first place.
jmbpiano@reddit
Is that actually what's happening here, though?
All the comments here and at the github seem to suggest that having a pin defeats the attack. If you don't have a PIN, then I don't see that anything has fundamentally changed in the stolen laptop scenario.
mixduptransistor@reddit
The idea is that the original OS, the one that wrote the keys to the TPM, is the only thing that should be able to decrypt the drive. And then at that point you're depending on the security of Windows to not allow someone to break into a running machine. Up until this point everyone's assumption was that if you aren't the Windows install that encrypted the drive, you couldn't get the keys out of the TPM
Which, to be fair, IS the case here, I believe. I am fairly certain that it is booting Windows from the encrypted drive here, but the exploit is that once booted Windows is letting you through to the file system without logging in
Next_Section_8534@reddit
What about external drives that aren’t tied to a TPM and can be unlocked by a password anywhere? Will this gain direct access to those drives? I imagine so if it is allowing a command line at a recovery level.
jmbpiano@reddit
Is the Secure Boot cert involved in the TPM unlocking process so a boot image signed by a different vendor is denied access to the keys? If so, maybe that's the piece I was missing.
paraknowya@reddit
No, you're missing the whole set here.
Imagine you got a drive, bitlocker encryption is enabled, pin is not.
Before: it was assumed that accessing the files on the drive is not possible. You were able to wipe it etc. So the data was safe.
Now: access to the filesystem is as easy as putting in a thumb drive with the right files on it and rebooting. The data is not safe.
jmbpiano@reddit
See, without a PIN, I would not have assumed that. I would have assumed that anyone with a Linux boot disk could access the same unencrypted portions of the drive that Bitlocker does and, since the TPM is present and unprotected with a PIN, you'd have everything you need to decrypt the rest of it at that point.
Maybe I was mistaken, but that's how I always understood it to work and why I thought having a TPM without a PIN or Network unlocking was a bad idea for laptops or other easily stolen equipment. The benefit of Bitlocker with TPM-only seemed to me to be ensuring the data was unreadable when a drive is removed from a system for disposal by a third party.
jma89@reddit
In theory: Any change to the boot order would invalidate the system state hash and thus cause BitLocker to ask for the recovery password. (This is why BIOS/UEFI updates will automatically suspend protection, at least the nice ones will.)
I've seen it get angry just changing power state configurations within UEFI. Seems to be somewhat vendor-dependent though.
jmbpiano@reddit
Yeah, that's definitely the bit I was missing and what I needed to learn from the folks here for the implications of this exploit to make sense.
Finn_Storm@reddit
It does not. Tpm+pin is still vulnerable.
https://www.reddit.com/r/sysadmin/comments/1tbwrm3/comment/oll1wzg
charleswj@reddit
I call BS until we see a PoC. With a PIN, the TPM only produces the key if you provide the correct PIN.
AliveOne4871@reddit
Having a pin seems to defeat this version of the attack, the guy who wrote it said there is a variant that can bypass TPM/PIN but hasn't published the PoC yet.
caliber88@reddit
Are you confusing the bitlocker PIN with the recovery code?
jmbpiano@reddit
No, the recovery code can be used in an offline attack even without the TPM present. That's a completely separate scenario.
If a PIN is present, then the TPM is locked and won't divulge the decryption keys until it's presented with a known secret.
jamesaepp@reddit
IMO the recovery code isn't an "attack", the code is a valid authentication method to unlock a bitlocker-protected volume.
Now, disclosing the recovery code when you shouldn't be able to? That'd be a major privilege escalation, but that's a separate discussion than using it once you have it.
jmbpiano@reddit
Using a recovery code is not in itself an attack, no.
What would make it an "offline attack" is that someone managed to exfiltrate the encrypted data to begin with (most likely by physically stealing the drive).
cspotme2@reddit
stolen laptop/lost laptop isn't trivial for the everyday user to do. this bypass basically makes anyone with reading comprehension and a usb key be able to decrypt your laptop.
melancholymelody@reddit
i tried doing this twice with different USBs against my bitlocker drives and it didn't work. tried exFAT/NTFS on both as well. couldn't get the boot to bring up command prompt. just took me into the normal recovery screen.
cspotme2@reddit
I've gone thru this thread like 4x. I thought someone mentioned it didn't work on their machine(s) and a certain setting (registry?) had to be toggled while logged in.
It's not in the other thread in r/cybersecurity either, unless I'm blind
cspotme2@reddit
Ok I found it
Reagentc /disable
Looks to disable at least the recovery cmd in the winpe environment that has everything decrypted. Does present a recovery menu (who knows if there is also an exploit there)
Mantazy@reddit
Note that this also disables Windows' built-in reset functionality. This also means that Intune wipes won’t work anymore as the recovery environment is missing to start the process.
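A defender's read-only check for the two settings this thread keeps coming back to: whether a volume's protectors let the TPM unseal the key with no PIN or startup key (the protector hierarchy jamesaepp describes above), and whether WinRE is currently enabled (the reagentc state cspotme2 and Mantazy discuss). This is an added example, not code from the YellowKey repository or from any poster; it uses the built-in Get-BitLockerVolume cmdlet and parses reagentc /info, and the function names are my own.

```powershell
# Added example (not from the YellowKey repository or any poster in this thread):
# report which BitLocker volumes rely on a TPM-only protector and whether WinRE
# is enabled. It only reads state; it never runs reagentc /disable for you.
# Assumptions: elevated PowerShell on Windows 10/11 Pro or Enterprise with the
# BitLocker module present, and English reagentc output (the "Windows RE status"
# label is localized on non-English installs).

function Get-WinReStatus {
    # reagentc /info prints a line such as "Windows RE status:   Enabled".
    $lines = & reagentc.exe /info 2>&1 | Out-String -Stream
    $statusLine = $lines | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    if     ($statusLine -match 'Enabled')  { 'Enabled' }
    elseif ($statusLine -match 'Disabled') { 'Disabled' }
    else                                   { 'Unknown' }
}

function Get-BitLockerProtectorReport {
    # Protector types that need a secret or key the TPM cannot release by itself.
    $needsUserSecret = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password'

    foreach ($vol in Get-BitLockerVolume) {
        # Every protector is just another wrapper around the same volume key.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $tpmBound  = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        $hasSecret = [bool]($types | Where-Object { $_ -in $needsUserSecret })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType
            ProtectionStatus = [string]$vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # TPM-only: the TPM unseals the key with no PIN or startup key, which is
            # the configuration the posted PoC is reported to work against.
            TpmOnly          = $tpmBound -and -not $hasSecret
        }
    }
}

$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize

$winRe = Get-WinReStatus
Write-Host "Windows RE status: $winRe"

$osTpmOnly = $report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly }
if ($osTpmOnly) {
    Write-Warning 'OS volume uses a TPM-only protector (no PIN or startup key).'
    Write-Warning 'A TPM+PIN protector can be added with Add-BitLockerKeyProtector -TpmAndPinProtector.'
}
if ($winRe -eq 'Enabled') {
    Write-Warning 'WinRE is enabled. reagentc /disable removes it, but also breaks Reset this PC and Intune wipe.'
}
```

Run it across a fleet before deciding on reagentc /disable, since the script only reports and the trade-off Mantazy raises (no Reset, no Intune wipe) applies to every machine you change.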
cspotme2@reddit
Nbd considering the bypass nature, imo
Fabulous_Cow_4714@reddit
So, is this saying that Windows will still read data from any USB drive during a system reboot even if you have policies disabling reading USB drives and disabling booting from USB?
_Dreamer_Deceiver_@reddit
Try it. But yes, policies set in windows don't apply to winre
dreniarb@reddit
Lots of people saying it works but i can't reproduce it.
The instructions on github are a bit hard to follow.
at what point do you start holding the ctrl button? is that immediately after clicking the restart button on the welcome screen? or do you start holding it down somewhere in WinRE?
I can boot to the WinRE just fine, whether I hold ctrl right after clicking restart on the welcome screen or not.
Within WinRE there's no obvious restart button that i'm aware of. But I can go into troubleshoot, advanced, then command prompt. but that asks for the bitlocker recovery key.
I can click skip drive and it'll say it has to reboot to launch the command prompt. At that point I can click ok and it will reboot the computer to a command prompt but still no access to c: - it'll say it's protected by bitlocker.
at that point i confirm that i can see my usb stick and that the fstx folder is in the system volume folder on the drive.
it's concerning how many people are saying this works for them but my inability to reproduce it makes me doubtful.
cspotme2@reddit
Check reagentc /status
Disabled, this doesn't work. You can let go of shift probably about 20 seconds in ... I don't think ctrl is 100% necessary but I've booted up multiple machines this way and it works
iratesysadmin@reddit
Are you 100% sure that having the re agent disabled stops this? Like you tested, confirmed you got access, disabled the re agent, tested again (make sure to replace the files, they get deleted on each use) and could not get in?
cspotme2@reddit
yes, i've been checking my usb every boot now. so, i'm 99% sure.
dreniarb@reddit
you mean reagentc /info - i was pretty sure it was enabled since i'm able to reboot into WinRE, but i went ahead and double checked and it's enabled.
Friendly_Guy3@reddit
Try a different USB stick. I had my problem there. If the recovery menu comes up, something didn't work right
jykke@reddit
Oh no, this makes NSA sad, their backdoor has been found!
Quixiv@reddit
Doesn't microsoft have the bitlocker keys stored on the ms account anyway ?
jykke@reddit
Not necessarily.
illuanonx1@reddit
How do you know they are not sending the recovery key anyway? It's a few KB :)
Hangikjot@reddit
I'm sure the "fix" will be a windows update process will change and no longer check for that file, the module will then be updated to only execute that procedure if a matching cert is found with some other super secret keyboard combo. But can't make it too hard for the intelligence guys.
dwangbuis@reddit
What stops you from just booting a previous version of Windows RE from USB?
charleswj@reddit
It won't be trusted by the TPM. This vuln requires the recovery partition
dwangbuis@reddit
What ties the installed recovery partition to the TPM chip? Why wouldn't booting a recovery partition from usb work in the same fashion?
Flaky-Gear-1370@reddit
One of - doubt they would have only had one
zed0K@reddit
So don't you need admin on the machine to copy the System Volume Information off? And at that point, couldn't you just disable bitlocker?
iratesysadmin@reddit
You are modifying the system volume information on your flash drive, not the target PC
5SpeedFun@reddit
I wonder now if any corporation that has had a laptop stolen with bitlocker, since win11 came out, now has to declare a (possible) breach.
iratesysadmin@reddit
While they should, I think the way the law is written they have leeway to not declare it unless it's confirmed and they likely will not get confirmation. Most stolen machines are wiped and resold quickly.
ledow@reddit
Well, that looks fun.
If I'm reading it right, it's effectively a backdoor presented by the presence of certain files normally only available in a recovery environment.
When not present, normal Windows rules apply. When present.... Bitlocker is basically just decrypted for anyone using it.
Might have to test that one. It has an element of "too dumb to be true", but I've been dealing with Microsoft too long to think that couldn't possibly happen.
NShinryu@reddit
This (disgruntled) researcher has been dropping notable zero days back to back for several weeks now, there's no doubt it's real and works as explained.
majikguy@reddit
FWIW, I've tested it and I can confirm that it works.
kerubi@reddit
Do you require a pre-boot PIN with Bitlocker?
AliveOne4871@reddit
When I tested it, with a pre-boot pin, the pin is still requested and must be supplied. If the BL env isn't protected by a pre-boot pin I'm assuming that's when this bypass is useful.
Annual-Night-1136@reddit
The author claims to have a working version that bypasses the pin requirement:
“Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment ? Yes it does, I'm just not publishing the PoC, I think what's out there is already bad enough.”
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html?m=1
Tyr_Kukulkan@reddit
This makes all BitLocker worthless and there are millions of organisation and government devices that could be blown wide open if lost.
Box-o-bees@reddit
I didn't know that was even a thing.
Next_Section_8534@reddit
Any tips? I’ve tried following the readme guide on my windows 11 home and pro PCs but no success. Some other prerequisite?
Kurgan_IT@reddit
And there is nothing that MS can do to put the worms back in the can. Everyone with a Windows installation ISO can bypass bitlocker.
majikguy@reddit
I don't think that's actually the case, but I could be wrong. My understanding is that the recovery partition on the drive has to be used because that's what's capable of getting the decryption keys from the TPM chip.
ender-_@reddit
Correct. If you boot off DVD or USB, the PCR7 hashes won't match, so TPM won't release the decryption key. Recovery environment normally skips unlocking BitLocked drives, but YellowKey bypasses that.
majikguy@reddit
This is going off of some quick reading of information that I haven't properly verified, so big grain of salt, but it sounds like the recovery environment does unlock the drive but then it relocks it once it has gotten what it needs. Apparently there's a flag that can be set in a config file that causes it to just choose to not relock the BitLocker volume.
Here's where I found this info:
https://xcancel.com/weezerOSINT/status/2054299771817660433
SnakeOriginal@reddit
How can the recovery environment unlock the drive when it doesn't hold the key? I mean everyone is testing it on their machines but no one dared to clear the TPM or transfer the drive to another PC to simulate the bypass that way
1RedOne@reddit
When you set up BitLocker you have a number of options for how many or which unlock mechanisms you enable. In enterprises this is normally thoughtfully done, weighing the pros and cons of having multiple unlock vectors
But it seems that some options which might be widely distributed provision an unlock key for winre
I am very rusty in this area, but I remember it from my 70-680 way back in the day
majikguy@reddit
Because the recovery environment does hold the key, or at least a key. The point of the bypass is, as I understand it, that it gets the recovery environment to not re-lock the disk after it boots itself up. I think the specific WinRE installation on the drive is registered as a trusted OS to the TPM so that it can start up and do its thing and recover the system without you having to provide your backup BitLocker key.
It's not a matter of not daring to clear the TPM or use a recovery disk, it just definitely wouldn't work.
ender-_@reddit
That actually makes sense – what YellowKey seems to do is trigger deletion of wpeshl.ini from the WinPE ramdrive, which likely prevents the regular recovery shell from starting.
AmusingVegetable@reddit
Given the “quality” of the products coming out of Redmond, “too dumb to be true” probably means “very likely to work”.
Tricuna@reddit
This 100% works, I managed to get into a laptop where the bitlocker keys were saved into its own drive and no one knew the admin password.
ruffneckting@reddit
Where is the guy who setup a force shutdown on all domain machines, and had his BitLocker keys on one of the servers affected?
RefugeAssassin@reddit
In his panic he unlocked parts of his subconscious that willed this "Fix" into existence.
Bekar_vai@reddit
Now I want to read the story. Link to the original post?
QuickYogurt2037@reddit
Unfortunately it has been removed by the author: https://www.reddit.com/r/sysadmin/comments/1ta0h9u/i_am_going_to_get_fired_today_i_accidentally_sent/
biggles1994@reddit
He got three wishes from a genie and this is one of them
CharacterLimitHasBee@reddit
Maybe he can get his job back with this one neat trick.
AngryMillennialFU@reddit
Does this work on all OSes? I specifically remember microsoft moving the WinRE partition to end of the disk so it gets bitlocked when rolling out 2022. This just bypasses the encryption of the winre environment?
litmanen0@reddit
It works on the system drive only. Other drives with BitLocker on the same device won't be affected.
Secret_Account07@reddit
Oh fuck
I don’t like this
ledow@reddit
That just gives me "Linux is more secure!" vibes from days-gone-by.
And even the BSD people (who used to boast "no remote holes in the default install" on their website... well... until there were several of them...)
There's no such thing as secure. You just do what you can and take reasonable precautions.
peacefinder@reddit
You mean OpenBSD, and their current default remote hole count is… two.
I do not in any way speak for the project, I’m just a windows guy who cut my *nix teeth on it back in the Bronze Age.
I think perhaps a little defense is in order though.
OpenBSD doesn’t make that claim because of ideology or rivalry or even obscurity. They make it because they have worked very meticulously for many years to keep it true.
They don’t claim to be perfect, and never have. What they do claim is “Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography.“
My favorite example demonstrating their commitment to correctness from good design practice is this. If the code doesn’t work like the documentation says it should, it is a code bug rather than a documentation error. Manual pages are canonical.
But it goes well beyond that. Their whole approach to development and deployment is one worth studying.
They are truly software engineers, in the sense that engineering is about learning the larger lessons written in bloody failures, and applying them systematically.
They’re very good at it.
sk102x@reddit
I just tested this out on a Gen6 ThinkPad, Windows 25H2, all available Windows Updates installed. I'm able to make it all the way to the administrative command prompt, but when I try to access the C: drive I get "You must unlock this drive from Control Panel".
Maybe this only affects certain Windows versions?
Tyrant082@reddit
I tried it now too, Win11 25H2 rebooted once to recovery but when I want to access the drive it still says it's BitLocker protected. And now it won't boot to the recovery with the shell anymore when I press shift on restart and ctrl at the reboot
Excellent-Chemist-69@reddit
I'm seeing the same behavior where the drive remains encrypted and will not allow access to the C drive. I did figure out that all files in FsTx are deleted every time the shell comes up (after banging my head against a wall and having to enter a bitlocker a dozen times). Maybe our environment is secure enough? Maybe I'm doing something wrong?
Next_Section_8534@reddit
The PCs I’ve attempted have flickered up the Cmd window but then boot into the blue screen. FsTx Files still exist that I can tell. Just the files from his Git or using something else?
Friendly_Guy3@reddit
The files are disappearing once used. Copy the files again to your USB drive
cspotme2@reddit
Oh. No fucking wonder it didn't work on another machine. I was combing thru this thread to find what ppl mentioned worked or didn't work
greenstarthree@reddit
Maybe this patch Tuesday quietly contained the fix?
DefinitelyNotEmu@reddit
Patch Tuesdays do not usually make any changes to WinRE
theDukeSilversJazz@reddit
I just tested after updating Patch Tuesday and it appears no
Next_Section_8534@reddit
I’ve run this on my windows 11 pro and home machines, logged in and from login screen. I believe I’ve followed all steps listed in the readme. No luck. Any other conditions required to replicate?
Sroni4967@reddit
bitlocker without tpm pin is just vibes
Iv4nd1@reddit
Also works with a PIN configured
charleswj@reddit
It doesn't
Fabulous_Cow_4714@reddit
You need to insert the USB key at the login prompt and restart. You need to enter the PIN to get that far.
Then when it restarts, it would prompt for the PIN again before Windows can try to boot.
sarge21@reddit
Exploit writer says he has a POC which works with a PIN set, but he's not releasing it yet.
Fabulous_Cow_4714@reddit
Maybe it can somehow reboot without triggering the PIN if the device was already running at the Windows login screen and the device is configured in a particular way, but it doesn’t sound feasible that they can bypass the PIN from a powered off laptop.
Maybe they can spoof network unlock if that’s configured.
Hangikjot@reddit
I bet it has something to do with fast boot or whatever. Some nonsense like still holding the PIN/key in RAM even through a reboot.
OctoNezd@reddit
Good luck with making Karen from accounting remember more than one password.
volgarixon@reddit
Is it decrypting the drive (I don’t think so)? It's effectively unlocking the drive as the key material stored in the TPM would.
ice456cream@reddit
I'd assume once it's in that unlocked state, you could manage / disable it fully.
BatemansChainsaw@reddit
You can. This works with and without a PIN. I'm over here laughing. The govt's backdoor just got discovered.
iratesysadmin@reddit
I know what the creator posted on his blog, but it would make absolutely no sense if you use TPM+PIN for this to work, unless you supply the PIN.
Can you confirm that this works with TPM+PIN when you don't supply the PIN?
charleswj@reddit
You're absolutely correct. The creator is being intentionally misleading and people are eating it up. The TPM itself won't produce keys without the PIN, doesn't matter what backdoor you think Microsoft created.
showbizusa25@reddit
Imagine naming your kid something so bad they need a nickname before kindergarten.
Vexser@reddit
Apparently this does not work in win10.
Demoox@reddit
Crap, this could have actually helped save some files from my sister's laptop, since Win11 arbitrarily decided to enable BitLocker while Windows Hello stopped working and she forgot her user password lmao.
Ferretau@reddit
I'm guessing she logged onto 365 using a work/school account, which triggered BitLocker to be enabled and store the recovery key in the 365 account. Unless they've changed it, the last time I looked about 2 years ago it all happens silently without notification.
UrbyTuesday@reddit
I have a couple of old hard drives myself that could use some love!
F0rkbombz@reddit
MSRC is trash and I’m all for it if these kind of 0-day drops are what it takes for them to finally start acknowledging security findings.
Zjoee@reddit
I have about 20 laptops that came into the office that are all BitLocker encrypted that we can't get into because the client set them all up without our management agent. I'll have to give this a shot!
radraze2kx@reddit
This doesn't seem to work if the computer is already forced to the bitlocker recovery screen due to hardware change, is that correct?
dreniarb@reddit
The GitHub page specifically mentions copying "c:\system volume information\FsTx" to the same structure on a USB drive. But I'm not seeing that folder anywhere on any of my computers.
There are other folders like these:
AadRecoveryPasswordDelete
ClientRecoveryPasswordRotation
EDPFveDecryptedVolumeFolder
but no FsTx anywhere that I can find.
Based on a bit of research it seems FsTx isn't used in Windows anymore?
Excellent-Chemist-69@reddit
You need to uncheck "hide protected operating system files" in the options in File Explorer. It's a protected system folder that won't show even when hidden items are shown.
radraze2kx@reddit
What owner should we change it to in order to plop the folder tree in?
Friendly_Guy3@reddit
As far as I know the files are in the recovery partition. Try to mount it and search there.
fosf0r@reddit
They are in the GitHub, you're supposed to download the whole tree from -> https://github.com/Nightmare-Eclipse/YellowKey/tree/main/FsTx
dreniarb@reddit
Got it. Right in front of me. Still doesn't work for me though.
I put the fstx folder from github inside the hidden system volume information on a newly formatted ntfs usb drive.
Plug the drive into my test system.
Cold boot to welcome screen.
Click power button.
Hold shift down, click restart.
Let go of shift, hold down ctrl and don't let up.
Computer reboots, WinRE loads up instead of a command prompt.
Then even when I go into troubleshoot, advanced, command prompt I'm asked for the bitlocker recovery key.
Maybe I'm missing a step.
Friendly_Guy3@reddit
Not really missing a step.
But try to use a different USB stick. I had the same struggle. First I tried a 16 GB no-name stick with no luck. Now I'm using a 32 GB SanDisk Ultra and it worked on the first try.
fosf0r@reddit
Try copying it to EFI on the actual drive, that method doesn't require USB, and it DOES now sound like there is a missing piece of info somewhere between your setup vs the instructions.
Also try reformatting the stick from windows again, try both fat32 and ntfs. (Should be NTFS). It's possible you have a stick formatted elsewhere that is valid but is missing something that eclipse missed.
dreniarb@reddit
Just not seeing anything even in there.
I'm guessing that this exploit, if it does exist, initially requires admin level access to the OS. So someone simply having access to the device isn't enough.
If that's the case I will definitely sleep better tonight.
fosf0r@reddit
They are in the GitHub, you're supposed to download the whole tree from -> https://github.com/Nightmare-Eclipse/YellowKey/tree/main/FsTx
Friendly_Guy3@reddit
Have you tried turning on hidden files? A physical attacker with some free time at the device can put a modified USB stick in the vulnerable computer. The PC just needs to be on the lock screen to get into the PC. No user needs to be logged in.
thinmonkey69@reddit
I think you are supposed to copy the files from the repo to your USB.
SeattleITguy88@reddit
So what is my unique bitlocker key for? If it’s not needed to decrypt? It’s just there to look cool and cryptic.
STRATEGO-LV@reddit
Nothing really new in that regard: TPM-only is not a safe way to use BitLocker. It's just getting simpler to bypass every year, and it was already possible in 2016.
meatwad75892@reddit
I can't reproduce this on Win11 25H2 devices.
Those of you successfully reproducing this, are y'all on 23H2/24H2?
sarge21@reddit
25h2, can reproduce.
sarge21@reddit
I just tried this with a Thinkpad and Thinkcentre. Thinkpad was on the previous windows patch, and was vulnerable. Thinkcentre was on the newest patch from yesterday and appears not to be.
lechango@reddit
Did you try recopying the folder to the flash drive after the first machine? Apparently whatever the bug is deletes some of the files after use.
sarge21@reddit
Yes. I got the command prompt but was unable to access c:\
I'm not smart enough to know if this means I'm actually safe or not
Hangikjot@reddit
Hmm. Does this work if I copy the FsTx folder from one system to bypass BitLocker on another PC? Or does it only work on the PC I'm on? When I have a minute I'll test.
cspotme2@reddit
You use the fstx files from GitHub
Generico300@reddit
State actors go to great lengths to put backdoors in open source software, but they almost always get exposed (See: The XZ attack). It's FAR easier to just pay someone at MS to put in a backdoor than it is to execute a supply chain hack in the open.
Mysterious-Loquat619@reddit
I forgot my BitLocker password, will this help?
DavidNorena@reddit
Basically what it does is this: you have a BitLocker disk that has stored the password in the TPM, and this tricks the TPM into releasing the password and unlocking the disk in recovery.
If you had a disk with BitLocker enabled but the password was only in your head and not in the TPM, I don't think it will work though.
cspotme2@reddit
I have to get my hands on a test machine ...
The presence of the files on the USB at any bitlocker bootup (doesn't use pin) while going into recovery mode decrypts it all when the cmd prompt becomes available?
If true, these ms engineers are dumb as shit.
Whatever they did to this researcher ... I hope he keeps exposing their shitty code and logic.
wason92@reddit
"If true, these ms engineers are dumb as shit."
Or it's by design.
cspotme2@reddit
Well, if you mean a backdoor by design for some government entity, yes.
Iv4nd1@reddit
Maybe you ask too many questions.
I would be wary of the glowies if I were you
nv1t@reddit
Yes... here is the catch. In recovery mode it is always unencrypted; the catch is that it is normally locked when you open a cmd.
MS Research did a talk on that during the last Chaos Communication Congress and they found several bypasses in the recovery process which bypass this mechanism. This seems to be another one, which they didn't find.
rejectionhotlin3@reddit
The crux of it is - Microsoft "security" as a whole has always been Swiss-cheese. This doesn't surprise me. Makes far more sense in the context of data recovery, with bitlocker being default holding your data hostage and giving people first party ransomware isn't a great business model. The honest truth is that if you have physical access to the machine + enough time, anything and everything can be vulnerable.
moesizzlac69@reddit
Tbh I'm not really shocked nor surprised, was only a question of time, fuck those US backdoors
xendr0me@reddit
So it's going to need physical access as a minimum, either to access the workstation or plant an IP KVM, but since WinRE is available to standard users, your best bet is probably to disable WinRE: reagentc /disable
Weary-Bear7923@reddit
Even with the recovery environment disabled, I wonder if it works when we boot from a USB key.
ice456cream@reddit
Unless I'm misunderstanding something, I don't think they would be able to unseal the TPM-protected keys. Recovery can since it's still the trusted boot flow.
nv1t@reddit
Yes... that's what an MS researcher showed during the last Chaos Communication Congress. They found several bypasses in the recovery flow. BitLocker is unlocked and is usually relocked when you open a cmd.
mixduptransistor@reddit
Bitlocker is meant to protect specifically when someone has physical access. It's not really useful for remote attack/access scenarios
ledow@reddit
Doesn't really matter - it's not like it's a computer compromise.
Bitlocker is there to secure your data when it's already in someone else's physical possession.
Looks like it fails utterly at that, and probably deliberately by the look of it.
Aperture_Kubi@reddit
So since it's using WinRE triggered from the Windows bootloader, password protecting the BIOS boot menu won't mitigate this, right?
ohioleprechaun@reddit
That is correct.
SlayerXearo@reddit
Reminds me of my post I did 9 months ago with 4 downvotes. Funny.
https://www.reddit.com/r/cybersecurity/comments/1mezxpe/comment/n6dek78/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
FreeK200@reddit
This is obviously bad, but to say that Bitlocker is useless is nonsensical. It stops the well-informed but ill-intentioned user from using a boot cd to escalate to local admin in a corporate environment, and it helps keep the data of the average joe safe should they decide to get rid of a drive without wiping it first. Having seen users get up to things such as replacing accessibility tools with command prompts and the like, you should definitely be appreciative of the former.
In any case, in an actual high security environment, you should be using TPM+PIN with Network Unlock at a minimum. Remote users will need to remember a PIN, but it completely eliminates the hassle and inherent insecurity of managing PINs for shared devices on premises.
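Both xendr0me's suggestion (disable WinRE with `reagentc /disable`) and the TPM+PIN recommendation above are configuration checks an admin can audit. The script below is an added example and not from the thread or the YellowKey repository; it assumes an elevated PowerShell on Windows with the built-in BitLocker module, and the "TPM-only" classification is the script's own assumption based on the thread's point about TPM-only protectors.

```powershell
# Added example (not from the thread): audit BitLocker protector types and
# WinRE state on the local machine. Assumes an elevated PowerShell session,
# the BitLocker module (Get-BitLockerVolume) and reagentc.exe.
function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    $report = foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # TPM+PIN (optionally with a startup key) is the thread's recommendation;
        # a bare 'Tpm' protector with no PIN is what the script flags as weak.
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
        }
    }

    # reagentc /info prints a line such as "Windows RE status: Enabled".
    $reInfo  = & reagentc.exe /info 2>&1
    $match   = $reInfo | Select-String -Pattern 'Windows RE status:\s*(\w+)' | Select-Object -First 1
    $reState = if ($match) { $match.Matches[0].Groups[1].Value } else { 'Unknown' }

    [pscustomobject]@{
        Volumes      = $report
        WinREStatus  = $reState
        WinREEnabled = ($reState -eq 'Enabled')
    }
}

$posture = Get-BitLockerPosture
$posture.Volumes | Format-Table -AutoSize

if ($posture.WinREEnabled) {
    Write-Warning "WinRE is enabled (reagentc /info). The thread suggests 'reagentc /disable'; weigh that against losing recovery features."
}
$posture.Volumes | Where-Object TpmOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) relies on a TPM-only protector; consider TPM+PIN (Add-BitLockerKeyProtector -TpmAndPinProtector)."
}
```

Run it per machine or push it through your management tooling to find TPM-only volumes before deciding whether disabling WinRE is acceptable in your environment.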
greenstarthree@reddit
Is it a silly question (or wishful thinking) to ask whether this still works on a machine with the updated 2023 Secure Boot certificates?
TimePlankton3171@reddit
Will test later
bakonpie@reddit
It is mitigated, since once you complete the migration the 2011 PCA certificate is removed from the trusted Secure Boot database.
mixduptransistor@reddit
This has nothing to do with secure boot
publicdomainadmin@reddit
Just tested on 3 PCs, works great. Jeeze.