A disgruntled researcher who has been publishing zero-day Microsoft Windows vulnerabilities for the past several months released a new exploit Thursday that promises to bypass BitLocker encryption on locked devices. A well-respected security expert reported that the exploit does not work as initially described, but the researcher appears to be looking for ways to fix it.
Dubbed GreatXML, the exploit is supposed to run from the Windows Recovery Environment (WinRE), a special boot mode from which Windows startup issues can be troubleshot, and it appears to depend on the Microsoft Defender Offline scan feature.
“If Defender offline scan was initiated in the victim machine at any point then there is no need to login, the machine is automatically vulnerable,” the researcher, who goes online by the name Nightmare Eclipse or Chaotic Eclipse, said in the exploit notes. “If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in).”
The requirement to log in matters because, in the default TPM-only configuration, BitLocker unseals the system drive automatically during boot and the unencrypted data is then guarded only by the Windows logon; a TPM+PIN configuration keeps the volume sealed until the PIN is entered at boot. The whole point of a BitLocker bypass is to reach the unencrypted drive without having the credentials to log in, for example on a stolen laptop.
On machines where an offline Windows Defender scan was performed in the past, exploitation is supposed to work by copying two files provided by Nightmare Eclipse (unattend.xml and Recovery/WindowsRE/ReAgent.xml) to the WinRE partition, which can be done from outside the OS because the WinRE partition is not encrypted, and then restarting the system into WinRE.
“If everything was done correctly, a shell with unrestricted access to the BitLocker volume will spawn,” Nightmare Eclipse said.
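The preconditions described above (a TPM-only protector that unseals the volume at boot, WinRE enabled, and writable files on the unencrypted recovery partition) can be checked on a host without any of the researcher's tooling. The script below is an added example written for this article, not code from the article or from Nightmare Eclipse. It assumes Windows 10/11 with the BitLocker and Storage PowerShell modules, that the WinRE partition is the GPT partition of type Recovery, and that a stock WinRE partition carries no unattend.xml; the two file names are the ones the article reports.

```powershell
#Requires -RunAsAdministrator
# Added host check (example code, not from the article or the researcher): does this
# machine meet the preconditions the article describes for a WinRE-based BitLocker
# bypass, and has anything been dropped on the unencrypted WinRE partition?
# Assumptions: Windows 10/11 with the BitLocker and Storage modules; the WinRE
# partition is the GPT partition of type 'Recovery'; a stock WinRE partition carries
# no unattend.xml. The two file names come from the article's description.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Key protectors on the OS volume. A TPM-only protector releases the volume key
#    during boot, so anything in the measured boot path, WinRE included, sees
#    plaintext. TPM+PIN keeps the volume sealed until the PIN is typed.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if ($os.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection on $($os.MountPoint) is $($os.ProtectionStatus)")
}
if (($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'TpmPin*' })) {
    $findings.Add("OS volume relies on a TPM-only protector (no pre-boot PIN): $($types -join ', ')")
}

# 2. WinRE state. reagentc /info prints a line such as 'Windows RE status: Enabled'.
$reInfo = (& reagentc.exe /info 2>&1) | Out-String
if ($reInfo -match 'Windows RE status:\s+Enabled') {
    $findings.Add('WinRE is enabled (a reboot into recovery needs no credentials)')
}

# 3. Mount the recovery partition on a temporary folder, inspect it, unmount it.
$rec = Get-Partition | Where-Object { $_.Type -eq 'Recovery' } | Select-Object -First 1
if ($null -eq $rec) {
    $findings.Add('No GPT recovery partition found; WinRE may live on the OS volume')
} else {
    $mount = Join-Path $env:SystemDrive 'winre_inspect'
    New-Item -ItemType Directory -Path $mount -Force | Out-Null
    Add-PartitionAccessPath -DiskNumber $rec.DiskNumber -PartitionNumber $rec.PartitionNumber -AccessPath $mount
    try {
        # Any unattend.xml on the recovery partition is unexpected on a stock install.
        Get-ChildItem -Path $mount -Recurse -Filter 'unattend.xml' -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Unexpected $($_.FullName) modified $($_.LastWriteTimeUtc)") }

        # ReAgent.xml is expected; record its hash and mtime so it can be compared
        # against a known-good baseline taken from the same image.
        $reagent = Join-Path $mount 'Recovery\WindowsRE\ReAgent.xml'
        if (Test-Path $reagent) {
            $h = (Get-FileHash -Algorithm SHA256 -Path $reagent).Hash
            $findings.Add("ReAgent.xml sha256=$h modified $((Get-Item $reagent).LastWriteTimeUtc)")
        }
    } finally {
        Remove-PartitionAccessPath -DiskNumber $rec.DiskNumber -PartitionNumber $rec.PartitionNumber -AccessPath $mount
        Remove-Item -Path $mount -Force
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it elevated on a representative image to capture the ReAgent.xml hash as a baseline, then compare fleet results against it; a host that reports a TPM-only protector plus WinRE enabled is the configuration the described technique targets, regardless of whether this particular exploit works.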
However, Will Dormann, an experienced vulnerability analyst who investigated previous exploits released by Nightmare Eclipse, was not able to replicate the bypass using the provided instructions after trying on three versions of Windows 11.
“I think the writeup is flawed in that the spawned CMD.EXE happens on the NEXT time that a Microsoft Defender Offline scan is triggered,” Dormann said on his Mastodon account. “And in order to trigger a Microsoft Defender Offline scan, you both need to be logged in to Windows, and also have admin credentials. And if you’ve already got that level of access, you can just turn off BitLocker.”
Dormann’s observation is consistent with Microsoft’s documentation, which states that starting a Microsoft Defender Offline scan requires administrative privileges and reboots the machine into WinRE, where the scan runs. The scan is executed outside the installed OS precisely so that it can remove kernel-level threats such as rootkits that might otherwise interfere with the regular Windows Defender process.
Nightmare Eclipse did not respond to Dormann’s report but asked on X whether anyone knows of a way to trigger a Defender offline scan just by editing ReAgent.xml. This suggests the researcher is looking for an alternative way to trigger the exploit; it could also relate to the scenario where a Defender offline scan was never executed in the past.
Eclipse’s own blog post about GreatXML disappeared from his blogspot.com site, but he claims this was Google’s doing (Google owns the Blogger service). The GitHub repository where he posted his previous zero-day exploits was also removed recently, supposedly by Microsoft, which owns GitHub, a move that drew criticism from many in the security community, as GitHub has been a safe place to store security research, including zero-day proof-of-concept exploits.
The researcher, who claims Microsoft mistreated him and has pursued a personal vendetta against the company since, has released eight zero-day exploits in Windows components so far. Some releases have been timed shortly after Microsoft’s Patch Tuesday, forcing the company either to release out-of-band patches or to wait until the following month.
This was also the case earlier this week, when the researcher released a zero-day privilege escalation exploit in Windows Defender dubbed RoguePlanet, and followed it two days later with the alleged GreatXML BitLocker bypass.
Even though Dormann was not able to get GreatXML to work, companies should still take the exploit seriously given Eclipse’s track record of releasing functional zero-days. If the exploit has a bug, the researcher or someone else could fix it or find an alternative way to trigger it.