
Microsoft drives vulnerable to USB exploit

By Marquez 3 min read


A zero-day exploit, known as YellowKey, has been discovered that can grant full access to a BitLocker-protected drive using just a few files on a USB stick. This exploit, found by security researcher Chaotic Eclipse, has raised concerns about the security of Microsoft's encryption system.

The process of exploiting the vulnerability is relatively simple, requiring only a USB stick with write access to the “System Volume Information” and the “FsTx” folder and its contents. By rebooting to the Windows Recovery Environment and holding down the Control key, an attacker can gain access to the formerly BitLocker-protected drive without being prompted for a key.


YellowKey has been tested and confirmed to work, and its files disappear from the USB stick after use, suggesting a potential backdoor. This exploit has significant implications, as BitLocker is used to protect millions of machines worldwide, including those in enterprise and government settings.

The exploit is particularly concerning because it can be used to access encrypted drives without the need for a key or password. According to Chaotic Eclipse, using a full TPM-and-PIN setup does not prevent the exploit, and they claim to have a variant that can bypass this setup, although no proof-of-concept has been published.

Another Exploit Discovered

In addition to YellowKey, Chaotic Eclipse has also published a second zero-day exploit, known as GreenPlasma. This exploit allegedly performs a local privilege escalation, granting an attacker full system-level access by manipulating the CTFMon process.

GreenPlasma works by creating a crafted memory section object that can be shared between processes or mapped to a file, allowing an attacker to bypass regular access controls and gain access to regions of memory that would normally be restricted. This exploit has significant implications for server environments, where any regular user can potentially gain control of the server and access sensitive data.

Microsoft has not officially responded to the discovery of YellowKey or GreenPlasma. While BlueHammer has been patched, there is no official word on whether RedSun has been silently patched, as claimed by Chaotic Eclipse. They chose to publish the exploits instead of selling them, citing their determination to expose Microsoft's security vulnerabilities.

Implications and Concerns

The discovery of these exploits has significant implications for the security of Microsoft's products and the trust that users place in them. The fact that they can be used to bypass BitLocker encryption and gain full system-level access raises concerns about the potential for data breaches and other security threats.

Users of Microsoft products, particularly those in enterprise and government settings, should be aware of these vulnerabilities and take steps to protect themselves, such as using alternative encryption methods or waiting for Microsoft to release patches for the underlying flaws. Chaotic Eclipse has a history of discovering and publishing zero-day exploits, which suggests that YellowKey and GreenPlasma are likely to be legitimate exploits that can be used to compromise Microsoft products.
