
Nightmare Eclipse, the prolific zero-day vulnerability hunter with an axe to grind against Microsoft, released yet another exploit late Wednesday that the researcher claims will spawn a command prompt that provides total access to the BitLocker volume.

This bug, called GreatXML, was "an accidental discovery," according to the researcher, who said it only took four hours to find. They claim this exploit (published on GitHub and Git-based code-hosting platforms) can bypass BitLocker on any system that has ever run a Microsoft Defender Offline scan at any point in the past.

GreatXML comes just a day after Nightmare released exploit code for RoguePlanet, which allows local privilege escalation and leads to SYSTEM-level control over an affected machine. This brings the researcher's zero-day count to eight. The earlier six - RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma - all have patches as of this week's Patch Tuesday event.

Redmond on Wednesday told The Register that it is aware of RoguePlanet, and "actively investigating the validity and potential applicability of these claims." The Windows giant didn't immediately respond to our inquiries about GreatXML, including when it planned to issue a patch.

Microsoft has said none of the vulnerabilities were reported via its official channels prior to being made public. The company also banned Nightmare's earlier GitHub account, and seemingly threatened legal action before dialing back its rhetoric after steep backlash from the security community.

Nightmare Eclipse, who some researchers suggest is an ex-Microsoft employee, harbors a very personal grudge against the Windows giant and its communications with bug hunters. They have promised to keep the zero-days coming, but waffle on the timing.
Last month, the researcher pledged a big July 14 drop: "I will make sure your bones are shattered that day," and then added, "nothing will be released this June (or maybe I will release smtg, depending on circumstances)."

On Tuesday, they changed course. "I will be unable to mass disclose zerodays in July 14th, RoguePlanet took way more time than expected and truly drained me. I might take a break but I can't say for sure what I will be doing for next month, maybe it's nothing, maybe it's smtg."

A day later, Nightmare released the "accidental" GreatXML BitLocker bypass.

According to the researcher, the BitLocker bypass first requires copying "unattend.xml" and the "Recovery" directory to the root of the recovery partition. The next step is rebooting into WinRE by Shift-clicking Restart.

"If everything was done correctly, a shell with unrestricted access to the bitlocker volume will spawn," Nightmare wrote. "Also, if the scan hasn't even been initiated on the Windows system, first you'd need to either log in and initiate it, or figure out a way to boot into WinRE in offline scan state."

Security sleuth Will Dormann followed Nightmare's steps to reproduce GreatXML, and said the writeup "seems flawed." In his testing, Dormann said the command prompt appeared the next time a Defender Offline scan ran.

"And in order to trigger a Microsoft Defender Offline scan, you both need to be logged in to Windows, and also have admin credentials," he wrote on social media. "And if you've already got that level of access, you can just turn off bitlocker."

"The writeup for GreatXML suggests that the prerequisite is that Windows Defender Offline has been executed at some point in the past," Dormann added. "And that after planting two files in WinRE, all you need to do is [Shift]-reboot into WinRE, and Windows will automatically go into Microsoft Defender Offline scan mode. But this is not the case in any of the 3 lineages of Win11 that I have handy."