Nightmare-Eclipse Drops Another BitLocker Bypass After YellowKey Patch

Cybersecurity researcher and current Microsoft nemesis Nightmare-Eclipse has released a new pair of zero-day Windows exploits following this week's Patch Tuesday, which fixed the last of Eclipse's initial six zero-days.

The new exploits are called "RoguePlanet," which targets a Microsoft Defender vulnerability, and "GreatXML," which targets a BitLocker bypass. Compared with the earlier six, though, these two look less severe, despite all the media attention.

RoguePlanet

RoguePlanet relies on a race condition in Windows. Even by Nightmare-Eclipse's own account, "it's a hit or miss," with the success rate varying from machine to machine, and it is limited to Windows 11 and Windows 10. Nightmare-Eclipse believes the vulnerability could also be used against Windows Server, but says the exploit would need to be redesigned to do so.

In any case, RoguePlanet shouldn't be ignored. When it succeeds, the exploit spawns a CMD shell running as SYSTEM, which hands any user with local access to the PC full control of it; in a shared or kiosk environment that is obviously disastrous.
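A SYSTEM-level CMD shell sitting in a logged-on user's session is the artifact the paragraph above describes, and it is something an admin or responder can look for directly. The following PowerShell is an added example, not code from the article or from Nightmare-Eclipse's tooling; the shell names it checks, the "session 0 is non-interactive" heuristic, and the parent-process lookup are my assumptions about what a useful triage view looks like, not details from the exploit.

```powershell
# Added example (not from the article or the exploit author): list shell processes
# running as NT AUTHORITY\SYSTEM inside an interactive user session.
# Session 0 hosts services and is not interactive on Windows 10/11, so a SYSTEM
# cmd.exe in any other session is anomalous. Legitimate tooling (psexec -s -i,
# some installers) produces the same picture, so treat hits as leads, not verdicts.
# Run in an elevated PowerShell so GetOwner() succeeds for SYSTEM processes.

function Get-SystemShellsInUserSessions {
    # Assumed list of shells worth flagging; extend as needed.
    $shellNames = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    foreach ($p in $all) {
        if ($shellNames -notcontains $p.Name) { continue }
        if ($p.SessionId -eq 0)                { continue }   # service session, skip

        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -ne 0)          { continue }   # exited or access denied
        if ($owner.Domain -ne 'NT AUTHORITY' -or $owner.User -ne 'SYSTEM') { continue }

        # Parent PIDs can be reused after the parent exits, so this is a hint only.
        $parent = $byPid[$p.ParentProcessId]
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                      else         { "<exited> ($($p.ParentProcessId))" }

        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            SessionId   = $p.SessionId
            Parent      = $parentText
            CommandLine = $p.CommandLine
        }
    }
}

Get-SystemShellsInUserSessions | Format-Table -AutoSize
```

Run it on a machine where an exploit attempt is suspected and compare the parent of any flagged shell against what you expect to see; a shell whose parent is a system service rather than explorer.exe or a remote-admin tool you launched yourself is worth a closer look.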

GreatXML

GreatXML, the newer of the two exploits, is more interesting. Nightmare-Eclipse claims it works on any Windows 11 machine where a Microsoft Defender Offline scan has previously been run, and that copying the relevant files to the WinRE partition yields a shell with unrestricted access to the BitLocker-protected volume.

Eclipse also claims that if the offline scan was never done previously, you'll need to login and run it yourself or "figure out a way to boot into WinRE in offline scan state."

Per The Register's coverage and Will Dormann, though, GreatXML doesn't actually seem to work. Dormann tested the exploit as described and found that the CMD shell doesn't spawn until Defender Offline is run again; since running that requires an administrator logged into Windows, anyone in a position to do it could simply turn off BitLocker instead.

Dormann's testing extended across three different versions of Windows 11, and GreatXML simply didn't work.
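Whether or not GreatXML works, the preconditions it is said to depend on, a BitLocker-protected OS volume and a live WinRE partition, are worth knowing about for every machine you manage. The script below is an added example, not code from the article, The Register, or Dormann's testing; it only reads state and changes nothing. The cmdlets and `reagentc.exe` output format are standard Windows, but the "pre-boot authentication" classification of protector types is my own grouping, and it deliberately does not try to detect a prior Defender Offline scan, since I know of no documented cmdlet for that.

```powershell
# Added example (not from the article): audit BitLocker protectors and WinRE state.
# Run in an elevated PowerShell on Windows 10/11. Read-only.

function Get-BitLockerProtectorSummary {
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # A TPM-only protector unlocks the OS volume at boot with no user input, so
        # anything that runs in the boot/recovery path sees the decrypted volume.
        # These protector types require something the TPM alone does not hold
        # (assumed grouping, not a Microsoft term).
        $preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

        [pscustomobject]@{
            Mount       = $v.MountPoint
            VolumeType  = $v.VolumeType          # OperatingSystem or Data
            Protection  = $v.ProtectionStatus    # On, or Off when suspended/not enabled
            Encrypted   = "$($v.EncryptionPercentage)%"
            Protectors  = ($types -join ', ')
            PreBootAuth = [bool]($types | Where-Object { $_ -in $preBootTypes })
        }
    }
}

function Get-WinReSummary {
    # reagentc.exe has no cmdlet equivalent; parse its status and location lines.
    $text = (& reagentc.exe /info 2>&1) -join "`n"

    $status   = if ($text -match 'Windows RE status:\s+(\S+)')  { $Matches[1] } else { 'unknown' }
    $location = if ($text -match 'Windows RE location:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }

    [pscustomobject]@{
        Status   = $status      # Enabled / Disabled
        Location = $location    # e.g. a \\?\GLOBALROOT\device\harddiskN\partitionM path
    }
}

Get-BitLockerProtectorSummary | Format-Table -AutoSize
Get-WinReSummary
```

The combination to pay attention to is an OperatingSystem volume showing `PreBootAuth = False` alongside `Status = Enabled` for WinRE: that is a machine where the recovery environment can come up with the OS volume already unlocked, which is the general shape of attack GreatXML claims to exploit. Adding a TPM+PIN protector (via `Add-BitLockerKeyProtector -TpmAndPinProtector`) is the standard way to close that gap for physical-access scenarios.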
Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.