A zero-day exploit circulating online allows anyone with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds.
The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption Microsoft provides to keep disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.
When one disk volume manipulates another
The core of the YellowKey exploit is a custom-made FsTx folder. Online documentation of this folder is hard to find. As explained later, the directory is related to the file fstx.dll and appears to involve what Microsoft calls Transactional NTFS, which allows developers to obtain "transactional atomicity" for file operations in transactions involving a single file, multiple files, or ones that span multiple sources.
The steps for carrying out the bypass are simple:
- Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive
- Connect the USB drive to the BitLocker-protected device
- Boot up the device and immediately press and hold down the [Ctrl] key
- Enter Windows recovery
There are at least two ways to perform the third step. One is to log in to Windows, hold down the [Shift] key, click the power icon, and click restart. Another is to power on the device and restart it as soon as Windows starts booting.
In either case, a command (CMD.EXE) prompt appears. The prompt has full access to the complete drive contents, allowing an attacker to copy, modify, or delete them. In a standard Windows Recovery flow, the attacker would be required to enter a BitLocker recovery key. Somehow, the YellowKey exploit bypasses this safeguard. Multiple researchers, including Kevin Beaumont and Will Dormann, have confirmed that the exploit works as described here.
It's unclear what within the custom FsTx folder causes the bypass. Dormann said that it appears to be related to Transactional NTFS, which itself uses the Common Log File System under the hood. Dormann further noted that by looking at the Windows fstx.dll, one will see code that explicitly looks for "System Volume Information\FsTx" within the FsTxFindSessions() function.