Gain local admin at Windows login screen w/BitLocker?

Posted by computerlove87@reddit | sysadmin | View on Reddit | 14 comments

I promise, this isn't a dumb tech support request or a "help me hack \_\_\_\_". This is actually to help me prove a petty point to a coworker who I was arguing with LOL... My point was that it is slightly less secure to allow Bitlocker to store the PIN in the TPM and automatically boot than it is to use a manual Bitlocker PIN on boot. My reasoning is that there are many past vulnerabilities and possibly some current ones that allow you to gain admin access to a PC that you have physical access to that is currently booted and sitting on the sign-in screen. You could plug that PC into a network and hack it over the network, and I have seen malicious flash drives be able to do this without even restarting the PC. The question is: I know I have seen it done before, but I can't remember exactly where or how. Obviously, the standard replacing utilman.exe procedure won't do it because in this scenario, we would have physical access to a PC, but wouldn't have the Bitlocker PIN or key, which would be required when booting to a flash drive and trying to perform that particular trick... Tried googling around, but I only wind up with a million results for that exact same utilman hack! Does anyone have specific info on vulnerabilities that work like that?

14 Comments

[-]

computerlove87@reddit (OP)

Thanks everyone! I was able to prove my point LOL

Pleasant-Seat9884@reddit

I remember when that horrible CrowdStrike incident happened, many people couldn’t get into their machines, and couldn’t find their Bitlocker key, then someone found a way to get around Bitlocker to go in Safe Mode easily.

laserpewpewAK@reddit

Lots of non or wrong answers here. You're right but not for the reason you think. Your bitlocker key is always stored in the TPM. Using *just* the TPM, it's possible to use specialized hardware to read the key as it is passed to the CPU during boot. Adding a PIN means the TPM will not release the key until the PIN is entered. Because the key is not released without the PIN you can't sniff the bus to the CPU making it very difficult to bypass. Modern TPMs will shut down after some number of incorrect PIN attempts making brute-forcing difficult, too. To answer your question, there are ways to attack a live machine, the most common being sniffing the memory bus or reading RAM directly after shutting the system down (RAM retains its data for a few seconds). There are no viable attacks against a modern OS that you can execute straight from the login screen without physical or offline tampering though.

Ssakaa@reddit

> There are no viable attacks currently known*

Borgquite@reddit

As well as YellowKey (which will hopefully get patched), Bitlocker + PIN protects you against other trivial physical attacks like this: https://pulsesecurity.co.nz/articles/TPM-sniffing

St0nywall@reddit

Bitlocker + PIN is apparently compromised as well, the researcher just declined to publish a POC for it .

You’re right - although as there’s no public POC for TPM+PIN at present, adding a PIN does have benefits right now (and once the YellowKey vulnerabilities are patched, a PIN will still mitigate against TPM sniffing).

Master-IT-All@reddit

If I have physical access to a device, nothing can stop me if the drive can be decrypted. It's been as simple as running a command to reset the Administrator ID on a Windows system. From back in the day to now, same NT crack will work because the Administrator ID is always the same and in the same place. Just flip a bit, to enable, write a new password to the local SAM database and you're in like flynn.

Auto unlock is *supposed* to, via secureboot et al, only happen when the stars align an you're booting from that drive on that hardware, into that signed bootloader, etc. It's never stopped attacking the physical live ram et. al., though. Never releasing the key via pin *should*.

> store the PIN in the TPM That's not how that works. No pin is no pin. Using pin is requiring/providing a key to unlock the tpm itself to release the bitlocker key protector. The bitlocker key protector is stored in the tpm in both cases. Start with learning it properly before arguing with people about it. That aside, there are attacks that are possible against a booted, pre-login, os. There are also possible physical attacks on the tpm key release process depending on the hardware design. Requiring pin means that key isn't released automatically to be attacked.

ddBuddha@reddit

Apparently you can do this now lol good luck.

HankMardukasNY@reddit

Google YellowKey

CeC-P@reddit

Bro beat me to it loooool.

kona420@reddit

The common hole is the recovery environment after unlocking the drive. That's where the new green plasma exploit is exploiting. But also, consider that if you can boot the system you can now attack it through the network, the console, the usb ports, thunderbolt, pci-e bus, you can do more physical attacks like cryogenically freezing the memory chips and rebooting into your own environment to recover keys, you can exploit system management buses lord knows intel has had a few firmware exploits. There are always more exploits out there than are published too. Of course, this is assuming the bitlocker implementation is secure, which apparently it is not as the yellowkey vulnerability is allowing bypass of preboot pin right now, using a flash drive.

Reply to Post

14 Comments