Zero-day exploit completely defeats default Windows 11 BitLocker protections

A recently uncovered zero-day exploit, dubbed YellowKey, poses a significant risk to Windows 11 systems by enabling individuals with physical access to bypass the default BitLocker encryption protections. This vulnerability, revealed by the researcher known as Nightmare-Eclipse, allows unauthorized users to gain complete access to encrypted drives in mere seconds.

BitLocker, a full-volume encryption feature provided by Microsoft, is designed to secure disk contents from anyone lacking the decryption key, which is typically stored in a trusted platform module (TPM). This protective measure is particularly crucial for organizations, especially those engaged in contracts with governmental entities.

When one disk volume manipulates another

The essence of the YellowKey exploit lies in a specially crafted FsTx folder. Information regarding this folder is scarce online. It appears to be associated with what Microsoft refers to as transactional NTFS, a feature that allows developers to achieve “transactional atomicity” for file operations, whether they involve a single file, multiple files, or span across various sources.

The procedure to execute the bypass is straightforward:

  1. Transfer the custom FsTx folder from the Nightmare-Eclipse exploit page to a USB drive formatted with NTFS or FAT.
  2. Connect the USB drive to the BitLocker-protected device.
  3. Power on the device and immediately press and hold the [Ctrl] key.
  4. Access Windows recovery mode.

There are two methods to achieve the third step. One involves booting into Windows, holding down the [Shift] key, clicking on the power icon, and selecting restart. The alternative is to power on the device and restart it immediately after Windows begins to boot.

Upon entering recovery mode, a command prompt (CMD.EXE) emerges, granting full access to the entire drive’s contents. This access allows an attacker to copy, modify, or delete files without needing to input a BitLocker recovery key, as would typically be required in a standard recovery process. The YellowKey exploit effectively circumvents this critical safeguard. Esteemed researchers, including Kevin Beaumont and Will Dormann, have corroborated the functionality of this exploit as described.
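The bypass described above targets the default configuration, in which the OS volume is unlocked by the TPM alone with no user input at boot. As an added example that is not part of the article, the following PowerShell audit lists every BitLocker volume and flags the ones whose only TPM protector is the plain `Tpm` type (no pre-boot PIN or startup key). It uses Microsoft's `Get-BitLockerVolume` cmdlet, must run in an elevated session, and the function name `Get-BitLockerAutoUnlockRisk` is an assumption of this example.

```powershell
# Added example: audit BitLocker key protectors to find volumes that rely on
# TPM-only auto-unlock (the default configuration). Requires the BitLocker
# PowerShell module (Windows 11 Pro/Enterprise) and an elevated session.

# Protector types that require user input before the TPM releases the key.
$preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerAutoUnlockRisk {
    # Returns one object per volume describing its protector configuration.
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; normalise to strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasPreBootAuth = [bool]($types | Where-Object { $preBootTypes -contains $_ })
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPreBootAuth)

        if ($vol.ProtectionStatus -ne 'On') {
            $finding = 'Protection is off or suspended'
        } elseif ($tpmOnly) {
            $finding = 'TPM-only: volume unlocks automatically at boot'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMethod  = $vol.EncryptionMethod
            KeyProtectors     = ($types -join ', ')
            TpmOnlyAutoUnlock = $tpmOnly
            Finding           = $finding
        }
    }
}

# Example invocation: print the report for all volumes on this machine.
Get-BitLockerAutoUnlockRisk | Format-Table -AutoSize
```

A volume reported as `TpmOnlyAutoUnlock` releases its key at boot with no user interaction, whereas a `TpmPin` protector requires the PIN before the volume is unlocked. The script reports configuration only; it does not test whether a particular build is affected by YellowKey.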

The specific mechanism within the custom FsTx folder that facilitates this bypass remains unclear. Dormann suggests that it may relate to Transactional NTFS, which operates using a command-log file system. He further noted that examining the Windows fstx.dll reveals code that actively searches for `System Volume Information\FsTx` within the FsTxFindSessions() function.
