Microsoft BitLocker – YellowKey zero-day exploit


There’s nothing more dangerous than a bored engineer with a screwdriver, and hell hath no fury like a security researcher scorned. Last month, security researcher Chaotic Eclipse (aka Nightmare-Eclipse) published two zero-day exploits, BlueHammer and RedSun, that made Windows Defender hand out system administrator privileges. They did this after their disclosure reports were allegedly dismissed by Microsoft’s security team, resulting in a vendetta of sorts.


Eclipse has now done it again, posting two new zero-day exploits. The first is an extremely serious BitLocker exploit named YellowKey that grants full access to a locked drive. The second, GreenPlasma, doesn’t have a complete proof-of-concept (PoC), but it allegedly performs a local privilege escalation and gains system-level access. Given Eclipse’s track record, it’s a fair bet that it works as advertised.


YellowKey can be triggered simply by copying some files to a USB stick and rebooting into the Windows Recovery Environment. We tested this ourselves, and sure enough, not only does it work, it bears all the hallmarks of a backdoor, down to the exploit’s files disappearing from the USB stick after it has been used once.


The process is dead simple: grab any USB stick, get write access to its “System Volume Information” folder, and copy the “FsTx” folder and its contents into it. Shift+click Restart to get Windows into the recovery environment, but then switch to holding down the Control key and don’t let go. The machine will reboot and, without asking any questions or showing any menus, will drop you into an elevated command line with full access to the formerly BitLocker-protected drive, without asking for any keys.
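For defenders, the one artifact the article gives is the “FsTx” folder staged under “System Volume Information” on removable media. The following PowerShell is an added example, not code from the article or from Eclipse: it reports BitLocker protector status for each volume and flags any removable drive that carries that folder. It assumes Windows 11 with the BitLocker module available and enough rights to read “System Volume Information”; the folder name is from the article, the check itself is ours.

```powershell
# Added example (not from the article): BitLocker status plus a scan of removable
# media for the "System Volume Information\FsTx" staging folder described above.
# Assumptions: Windows 11, BitLocker module present, run with rights sufficient to
# read "System Volume Information" (it is SYSTEM-only by default).

# 1. Protection status and key protector types for every BitLocker-capable volume
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ Name = 'Protectors'
           Expression = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize

# 2. Look for the staging folder on removable drives (Win32_LogicalDisk DriveType 2)
$removable = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2"
if (-not $removable) { Write-Output 'No removable drives attached.' }

foreach ($disk in $removable) {
    $stage = Join-Path $disk.DeviceID 'System Volume Information\FsTx'
    if (Test-Path -LiteralPath $stage) {
        # Report, do not delete: keep the media for forensic imaging.
        Write-Warning ("FsTx staging folder present on {0}: {1}" -f $disk.DeviceID, $stage)
        Get-ChildItem -LiteralPath $stage -Force -Recurse |
            Select-Object FullName, Length, LastWriteTime
    } else {
        Write-Output ("{0}: no FsTx folder under System Volume Information" -f $disk.DeviceID)
    }
}
```

Test-Path returns false silently when access is denied, so run this as SYSTEM (for example from a scheduled task) rather than as a plain administrator. Because the article reports the files vanish after a single use, this only catches media staged before the reboot; it is a pre-use check, not a post-incident one.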


To say that this is dangerous is an understatement. Not only is it an immediate concern, since BitLocker cannot be trusted to encrypt drives, but the way the exploit executes and its files disappear also raises very uncomfortable corporate and/or political questions. YellowKey also reportedly works on Windows Server 2022 and 2025, but not on Windows 10.


BitLocker protects millions of machines worldwide across home, enterprises, and governments, especially as it’s enabled by default in Windows 11. As far as we can tell, a drive can’t be taken from machine Alice and opened in machine Bob because the encryption keys are in Alice’s TPM, but it’s not hard to just up and steal a laptop, mini-PC, or even desktop.


Eclipse notes that using a full TPM-and-PIN setup doesn’t help, as they apparently have a variant for that scenario for which they haven’t published a PoC. They also state the vulnerability is well hidden, and that they “could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.”


As for GreenPlasma, it’s supposed to get an attacker full system-level access (even higher than administrator) by manipulating the CTFMon process into placing a crafted memory section object (a slice of memory that can be shared between processes or mapped to a file) in any Windows Object Manager directory the SYSTEM user has write access to, bypassing regular access controls.


From there, the exploit code can access regions of memory it isn’t meant to and leverage that for any number of shenanigans, the most obvious being full system access. This is bad enough on a desktop system, where any program could gain full access, but it’s particularly bad for server environments, where any regular user could take control of the server and, by extension, everyone else’s data.


Meanwhile, as of this writing, there is no official response from the company about YellowKey or GreenPlasma. BlueHammer has already been patched, and Chaotic claims that Microsoft silently patched RedSun, but there’s no official word on that either.
