The mitigations rolled out by Microsoft, Tharros Labs senior principal vulnerability analyst Will Dormann says, effectively prevent the FsTx Auto Recovery utility (autofstx.exe) from automatically running during the WinRE image’s initiation.

The underlying vulnerability, Dormann explained last week, involves triggering FsTx from a USB drive when entering Windows Recovery to delete the winpeshl.ini file, which essentially controls WinRE’s behavior.

The YellowKey exploit contains an FsTx directory that, when placed on a USB drive, relies on Transactional NTFS replay to delete the winpeshl.ini file in the System32 folder, resulting in the attacker being served a command prompt window with BitLocker unlocked, instead of the typical recovery mode.

“While the TPM-only Bitlocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed. To me, this in and of itself sounds like a vulnerability,” Dormann said.
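The bypass described above is characterized as affecting TPM-only BitLocker configurations. As an added defender-side check that is not part of the article or of the researcher's work, the following PowerShell function lists protected volumes whose only TPM protector is a bare TPM protector (no PIN or startup key). It assumes an elevated session on a Windows edition that ships the BitLocker module.

```powershell
# Added example, not from the SecurityWeek article: enumerate BitLocker volumes
# that rely solely on a TPM key protector (no TpmPin / TpmStartupKey variant).
# Assumes the BitLocker PowerShell module is available and the session is elevated.
function Get-TpmOnlyBitLockerVolume {
    [CmdletBinding()]
    param()

    # Protector types that add a pre-boot secret on top of the TPM.
    $tpmPlusSecret = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        $_.ProtectionStatus -eq 'On' -and
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $_ -in $tpmPlusSecret })
    } | Select-Object MountPoint, VolumeStatus, EncryptionMethod,
        @{ Name = 'Protectors'; Expression = { @($_.KeyProtector.KeyProtectorType) -join ',' } }
}

# Usage: run in an elevated PowerShell session.
# Get-TpmOnlyBitLockerVolume | Format-Table -AutoSize
```

Volumes returned here are the ones whose unlock decision rests on the TPM measurements alone; reviewing whether a pre-boot PIN or startup key is appropriate for them is an organizational decision the article does not make for you.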
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek