A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain full access to an encrypted drive in seconds.
The exploit, named YellowKey, was released earlier this week by a researcher using the pseudonym Nightmare-Eclipse. It reliably bypasses the default Windows 11 configuration of BitLocker, Microsoft's full-volume encryption, which is meant to make disk contents inaccessible to anyone without the decryption key. In that default configuration the key is protected by a Trusted Platform Module (TPM), a dedicated security chip, and released to the operating system automatically at boot. BitLocker is mandatory protection for many organizations, including those that contract with governments.
Understanding the YellowKey Exploit
The heart of the YellowKey exploit is a custom FsTx folder. Public documentation on this folder is scarce. As explained below, the directory is associated with fstx.dll and appears to involve what Microsoft calls Transactional NTFS (TxF), which gives developers "transactional atomicity" for file operations, whether a transaction touches a single file, multiple files, or spans multiple sources.
The Exploit in Action
The steps to carry out the bypass are simple:
- Copy the custom FsTx folder from the Nightmare-Eclipse exploitation page to a USB drive formatted as NTFS or FAT.
- Connect the USB drive to the BitLocker-protected device.
- Start the device and immediately press and hold the [Ctrl] key.
- Enter Windows Recovery.
There are at least two ways to achieve the last step, entering Windows Recovery. One is to start Windows, hold down the [Shift] key, click the power icon and click Restart. Another is to turn on the device and restart it as soon as Windows starts to boot.
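Before a practitioner can judge exposure to the scenario above, they need to know which machines are actually running the default TPM-only BitLocker configuration the article describes and whether Windows Recovery is enabled on them, since the described path runs through it. The following PowerShell script is an added example, not code from the article or from Nightmare-Eclipse. It uses the real Get-BitLockerVolume cmdlet and the real reagentc.exe tool; the list of "pre-boot" protector types, the DefaultTpmOnly column name, and the parsing of reagentc's text output are this example's own assumptions. It reports configuration only and makes no claim about which settings, if any, defeat YellowKey, because the article does not establish that.

```powershell
# Added example (not from the article): inventory BitLocker volumes and
# flag the default TPM-only configuration the article says is bypassed,
# then report whether Windows RE is enabled. Run from an elevated shell
# on Windows 10/11 with the BitLocker module present.
#Requires -RunAsAdministrator

function Get-BitLockerExposureReport {
    [CmdletBinding()]
    param()

    # Protector types that demand something beyond the TPM before boot.
    # Assumption of this example: this list is for reporting only; the
    # article does not say whether any of them blocks YellowKey.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtector is a collection; pull the type names as strings.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0

        # "Default TPM-only": a TPM protector is present and nothing else is
        # required before boot (a RecoveryPassword protector alone does not count).
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPreBoot)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ',')
            DefaultTpmOnly   = $tpmOnly
        }
    }
}

function Get-WinReState {
    # reagentc /info prints a line of the form "Windows RE status: Enabled".
    # Assumption of this example: the label text and layout are stable
    # enough to match with a regex; anything else is reported as Unknown.
    $text = (& reagentc.exe /info 2>&1) -join "`n"
    $m = [regex]::Match($text, 'Windows RE status\s*:\s*(\w+)')
    if ($m.Success) { return $m.Groups[1].Value } else { return 'Unknown' }
}

Get-BitLockerExposureReport | Format-Table -AutoSize
"Windows RE status: $(Get-WinReState)"
```

A volume that shows ProtectionStatus On, KeyProtectors of Tpm,RecoveryPassword and DefaultTpmOnly True is in the stock configuration the article is describing; the report is an inventory aid for deciding where to look further, not a verdict on whether a given machine is or is not affected.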
Implications for Security
In both cases, a command prompt (CMD.EXE) appears. The prompt has full access to the entire content of the drive, allowing an attacker to copy, modify, or delete files. In a normal Windows recovery flow, reaching this prompt requires entering the BitLocker recovery key; with the YellowKey folder present, that requirement is skipped, through a mechanism that is not yet understood. Several researchers, including Kevin Beaumont and Will Dormann, have confirmed the behavior described here.
It is not yet clear what in the custom FsTx folder triggers the bypass. Dormann said it appears to be related to Transactional NTFS, which itself relies on the Common Log File System (CLFS) under the hood. Dormann further noted that anyone looking at Windows' fstx.dll will find code in the FsTxFindSessions() function that explicitly looks for a System Volume Information\FsTx directory.
For more detailed insights, visit the original article on Ars Technica.