Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, has unveiled a new exploit named GreatXML that bypasses Windows BitLocker encryption by leveraging Microsoft Defender’s offline scan feature. This discovery follows closely on the heels of their recent exploit targeting Microsoft Defender.
The GreatXML exploit operates by manipulating the Windows Recovery Environment (WinRE). To execute the exploit, an attacker must place a specially crafted XML file, ‘unattend.xml’, along with a ‘Recovery’ folder containing another XML file, ‘ReAgent.xml’, into the root directory of the system’s recovery partition. Subsequently, rebooting the system into WinRE—achieved by holding the Shift key while selecting ‘Restart’—triggers the exploit, granting the attacker a command prompt with SYSTEM privileges and unrestricted access to the BitLocker-protected volume.
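As an added defensive check (example code written for this summary, not from the researcher, The Hacker News or Microsoft), the following PowerShell script mounts each GPT recovery partition and reports whether the two files the article names are present at its root. It assumes an elevated session and that a stock install keeps its WinRE files under \Recovery\WindowsRE rather than at those two paths, so a hit is worth investigating rather than proof of compromise.

```powershell
# Added example: look for the staging files the article describes
# (\unattend.xml and \Recovery\ReAgent.xml) at the root of each recovery
# partition. Run from an elevated PowerShell session.
# Assumption: a clean install keeps WinRE content under \Recovery\WindowsRE,
# so these two paths are not normally present at the partition root.
$Indicators = @('unattend.xml', 'Recovery\ReAgent.xml')

function Test-RecoveryPartitionStaging {
    $findings = @()
    $parts = Get-Partition | Where-Object { $_.Type -eq 'Recovery' }
    foreach ($p in $parts) {
        $mounted = $false
        # Recovery partitions usually carry no drive letter; reuse one if present.
        $root = $p.AccessPaths | Where-Object { $_ -match '^[A-Z]:\\$' } | Select-Object -First 1
        if (-not $root) {
            Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AssignDriveLetter
            $p = Get-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber
            $root = "$($p.DriveLetter):\"
            $mounted = $true
        }
        try {
            foreach ($rel in $Indicators) {
                $full = Join-Path $root $rel
                if (Test-Path -LiteralPath $full) {
                    $item = Get-Item -LiteralPath $full
                    $findings += [pscustomobject]@{
                        Disk      = $p.DiskNumber
                        Partition = $p.PartitionNumber
                        Path      = $full
                        LastWrite = $item.LastWriteTimeUtc
                        Size      = $item.Length
                    }
                }
            }
        } finally {
            # Remove the temporary letter so the partition stays hidden from users.
            if ($mounted) {
                Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root
            }
        }
    }
    return $findings
}

$results = Test-RecoveryPartitionStaging
if ($results) { $results | Format-Table -AutoSize }
else { 'No staged WinRE files found at any recovery partition root.' }
```

Pair the file check with the partition's last-write timestamps and your endpoint logs for writes to the recovery volume, since the files only matter once the machine is rebooted into WinRE.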
According to Chaotic Eclipse, systems that have previously initiated a Defender offline scan are inherently vulnerable. The researcher noted, “If Defender offline scan was never initiated, then you have to either log in and initiate it yourself or figure out a way to boot into WinRE in offline scan state.”
This revelation comes shortly after the disclosure of RoguePlanet, another zero-day vulnerability in Microsoft Defender that facilitates local privilege escalation to SYSTEM level. Additionally, GreatXML is the second BitLocker bypass released by Chaotic Eclipse, following the earlier YellowKey exploit, which was addressed by Microsoft in recent Patch Tuesday updates.
The rapid succession of these exploits underscores the critical need for organizations to stay vigilant and promptly apply security patches. It also highlights the importance of scrutinizing and securing recovery environments, as they can become potential vectors for sophisticated attacks.
Source: The Hacker News