From db677548c46b7d6b038df5ad72c213ac72339300 Mon Sep 17 00:00:00 2001 From: 0scar07 Date: Fri, 15 May 2026 20:15:38 -0500 Subject: [PATCH] Updated README --- README.md | 123 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 112 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index d90dd45..8509a48 100644 --- a/README.md +++ b/README.md 
@@ -1,20 +1,121 @@ # YellowKey -YellowKey Bitlocker Bypass Vulnerability +### YellowKey Bitlocker Bypass Vulnerability -Been a while since I saw a bitlocker bypass around, my turn. +![Platform](https://img.shields.io/badge/platform-Windows-blue) +![Target](https://img.shields.io/badge/target-BitLocker-red) +![Status](https://img.shields.io/badge/status-Research-orange) +![Affected](https://img.shields.io/badge/affected-Windows%2011%20%2B%20Server%202022%2F2025-critical) -This is one of the most insane discoveries I ever found, almost feels like **backdoor** but what do you know, maybe I'm just insane. +Been a while since I saw a BitLocker bypass around, my turn. -How to reproduce : -1. Copy the FsTx folder to "**YourUSBStick:**\System Volume Information\FsTx" as is and make sure to use a filesystem that's compatible with Windows (NTFS is preferable but I think FAT32/exFAT should work as well). Funny thing is, the vulnerability is extremely convenient, you don't even need to plug an external storage device, you can just pull out the disk, copy the files in the EFI partition, put it back and it will still work. That's how bad it is. -2. Plug the USB stick in your target windows computer with bitlocker protection turned on. -3. Reboot to Windows Recovery Environment Agent (you can do that by holding SHIFT and clicking on the restart button using your mouse) -4. Once you click on the restart button, lift your finger off the SHIFT key and hold CRTL and do NOT lift your finger off it. -5. If you did everything properly, a shell will spawn with unrestricted access to the bitlocker protected volume. +This is one of the most insane discoveries I ever found, almost feels like a **backdoor** but what do you know, maybe I'm just insane. + +--- + +# Affected Systems + +- Windows 11 +- Windows Server 2022 +- Windows Server 2025 + +Windows 10 does **NOT** appear to be affected. + +--- + +# How To Reproduce + +## 1. 
Copy FsTx + +Copy the `FsTx` folder to: + +```text +YourUSBStick:\System Volume Information\FsTx +``` + +Use a Windows-compatible filesystem: + +- NTFS (recommended) +- FAT32 +- exFAT + +Funny thing is, the vulnerability is extremely convenient, you don't even need an external storage device. + +You can literally: + +- Pull the disk out +- Copy the files into the EFI partition +- Put the disk back + +…and it will still work. + +That's how bad it is. + +--- + +## 2. Plug The USB Device + +Insert the USB stick into the target Windows machine with BitLocker enabled. + +--- + +## 3. Reboot Into WinRE + +Hold `SHIFT` and click the Restart button using your mouse. + +This boots the system into Windows Recovery Environment. + +--- + +## 4. Trigger The Vulnerability + +Once you click restart: + +- Release `SHIFT` +- Hold `CTRL` +- DO NOT release it + +--- + +## 5. Enjoy The Shell + +If everything was done correctly, a shell will spawn with unrestricted access to the BitLocker protected volume. + +--- + +# Demonstration shell +--- -Now why would I say this is a **backdoor** ? The component that is responsible for this bug is not present anywhere (even in the internet) except inside WinRE image and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal windows installation but without the functionalities that trigger the bitlocker bypass issue. Why ? I just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only windows 11 (+Server 2022/2025) are affect, windows 10 is not. +# Why Does This Feel Like A Backdoor? 
-A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible ;) +The component responsible for this bug: + +- Is not present anywhere publicly +- Does not appear on the internet +- Exists only inside the WinRE image + +What makes this even more suspicious is that the exact same component also exists in normal Windows installations with the exact same name — except without the functionality that triggers the BitLocker bypass. + +Why? + +I genuinely can't come up with an explanation besides the possibility that this behavior was intentional. + +Even stranger: + +- Only Windows 11 is affected +- Server 2022/2025 are affected +- Windows 10 is completely unaffected + +--- + +# Special Thanks + +Huge thanks to: + +- MORSE +- MSTIC +- Microsoft GHOST + +For making this public disclosure possible ;)
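Review bot: the new "# Demonstration shell" heading is followed immediately by "---" with no body, so the section is empty in the rendered README; either drop the heading or add the screenshot or transcript it was meant to hold. The "# Affected Systems" list also only names OS families ("Windows 11", "Windows Server 2022", "Windows Server 2025") with no build or WinRE image version, and the README nowhere states whether Microsoft has shipped a fix, so a reader cannot tell whether a given machine is still exposed; given the "Special Thanks" to MORSE, MSTIC and Microsoft GHOST for "making this public disclosure possible", a short "Disclosure timeline / fix status" section with the affected builds and the date of the fix (or an explicit note that none is available) belongs next to it. From a defender's side, a "Mitigations and detection" section would also be worth adding, since the repro steps already give the observable artifact: the presence of an unexpected "System Volume Information\FsTx" directory on removable media or in the EFI partition of a BitLocker-protected system, and any WinRE boot that ends in an interactive shell with the protected volume unlocked. Minor style points: the title goes from "# YellowKey" straight to "### YellowKey Bitlocker Bypass Vulnerability", skipping a level, and the phrase "with the exact same name — except without the functionality" carries an em-dash where a comma or "but" reads more naturally.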