From 9e8472bf6b9a2739c5b0561a58e1836ee23c7c1c Mon Sep 17 00:00:00 2001
From: zc <2650838+Wack0@users.noreply.github.com>
Date: Tue, 16 May 2023 18:36:52 +0100
Subject: [PATCH] Revert "CVE-2022-41099: add more details, you have to patch the bitlocker metadata on-disk to "remove" any recovery keys first"

This reverts commit 91b5504ed14e02a3a74cf3c185355d81d3b41a78.
---
 readme.md | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/readme.md b/readme.md
index c068968..9065b32 100644
--- a/readme.md
+++ b/readme.md
@@ -76,14 +76,6 @@ This means pressing an arrow key during `bootmgr` startup to force the boot menu Exploitation involves: * **Dump the bitlocker protected osvolume to a disk image.** This method to get the FVEK leads to actual data loss! -* You need to remove any key protector of type recovery key from the volume. This involves hex editing the disk. Make sure you have a clean dump first! - * Take a look at [the format documentation from libbde](https://github.com/libyal/libbde/blob/main/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc#512-fve-metadata-block-header-version-2--windows-7-and-later) for additional information. - * I searched for `-FVE-FS-` to find the metadata block initially (the first occurance of this will be in the BPB, not the metadata block) - * There are three copies of the metadata block on disk, you will need to edit them all. - * After finding the first copy of the metadata block I searched for the computer name in the description entry to find the rest. - * After finding a metadata block: - * Search for `02 00 08 00` to find a VMK entry (entry=`0x0002` meaning VMK, data type=`0x0008` meaning VMK) - * If the key protection type later on is `00 08` (`0x0800` meaning recovery key) then patch the `02 00 08 00` from earlier to `FF FF 08 00`. * Boot to WinRE using whatever means (force it by startup repair if needed, or just set bootsequence BCD element, etc). * Start a reset (Troubleshoot -> Reset this PC -> Remove everything). It's quicker to choose "Local reinstall". Be sure to choose "Just remove my files". * Choosing to "keep files" will ask for recovery key.
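Review bot: the revert gives no reason for dropping the recovery-key-protector step, so a reader of the CVE-2022-41099 section cannot tell whether the on-disk metadata edit was found to be unnecessary, incorrect, or moved elsewhere; the commit body only says "This reverts commit 91b5504ed14e02a3a74cf3c185355d81d3b41a78." and would benefit from a one-line rationale. With the removed block gone, the list now jumps from "Dump the bitlocker protected osvolume to a disk image" straight to "Boot to WinRE using whatever means", while the later bullet "Choosing to "keep files" will ask for recovery key." still implies the recovery key protector is relevant to the procedure; check that the remaining bullets read consistently without the deleted step, and consider keeping the link to the libbde format documentation as a reference even if the step-by-step editing instructions are intentionally withdrawn.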