A recent discovery by security researcher Nightmare Eclipse has unveiled a critical vulnerability in Windows BitLocker, dubbed GreatXML. The exploit allows an attacker to bypass BitLocker protection and obtain a command prompt with SYSTEM privileges while the machine is in Recovery Mode. It hinges on a vulnerability in Microsoft Defender's offline scan functionality: any system that has initiated an offline scan even once is automatically at risk.
The researcher has provided proof-of-concept code that involves placing an XML file and a Recovery folder in the root of the computer's recovery partition. Once the system is rebooted into Recovery Mode, the attacker is granted unrestricted access to the BitLocker-protected volume. The vulnerability affects any Windows machine on which Defender's offline scanning feature has been activated.
Nightmare Eclipse released GreatXML shortly after unveiling another zero-day flaw in Microsoft Defender, named RoguePlanet, which allows local privilege escalation to SYSTEM. The researcher has been vocal about their dissatisfaction with Microsoft's handling of vulnerability disclosures. In response to these security issues, Microsoft is working to patch several of the disclosed vulnerabilities, including earlier exploits such as BlueHammer and UnDefend, some of which have already been addressed in recent updates.