An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON).
The security defects have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse.
The researcher described YellowKey as “one of the most insane discoveries I ever found,” likening the BitLocker bypass to a backdoor, since the bug lives only in the Windows Recovery Environment (WinRE), a built-in framework designed to troubleshoot and repair common unbootable operating system issues.
YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, it involves copying specially crafted “FsTx” files onto a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key.
“I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden,” the researcher explained. “Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless.”
Security researcher Will Dormann, in a post shared on Mastodon, said, “I was able to reproduce [YellowKey] with a USB drive attached,” adding, “it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.”
“While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed,” Dormann pointed out. “To me, this in and of itself sounds like a vulnerability.”
The second vulnerability flagged by Chaotic Eclipse is a privilege escalation flaw that could be exploited to obtain a shell with SYSTEM permissions. It arises from what has been described as Windows CTFMON arbitrary section creation.
The released proof-of-concept (PoC) is incomplete and lacks the code needed to obtain a full SYSTEM shell. In its current form, the exploit allows an unprivileged user to create arbitrary memory section objects within directory objects writable only by SYSTEM, potentially enabling manipulation of privileged services or drivers that implicitly trust those paths, because a standard user normally has no write access to those locations.
The development comes nearly a month after the researcher published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend after allegedly expressing dissatisfaction with Microsoft’s handling of the vulnerability disclosure process. The shortcomings have…
