There’s a vulnerability that gives any user local admin privileges, equivalent to root on Linux, on Windows 10 machines through a command line interface. This can be done by holding down two keys while the operating system is updating. The bug gives access to a computer’s hard drive even if it is encrypted with BitLocker. Here are the details.
Sami Laiho, the security researcher that found the bug, explains how this security flaw works and why it works when you update Windows 10 to a new build:
“The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.”
BitLocker was introduced to Windows operating systems from Vista onwards and is used for full disk encryption. The command prompt that is launched gives you administrator privileges as well as access to the hard drive, even if it’s encrypted with BitLocker.
Laiho has successfully tested the exploit on a handful of Windows 10 systems updating to major builds (think Anniversary and November updates). The bug also affects updates to preview builds that are released to Windows Insiders.
Of course, an attacker would need physical access to an affected machine, but since Microsoft is still preparing a fix for the bug, we’d still suggest taking precautionary measures. Laiho himself recommends the following:
- Don’t allow unattended upgrades.
- Keep a very tight watch on Insiders.
- Stick to the long term service branch (LTSB) version of Windows 10 for now, if you can.
You can check out a demonstration of this bug over at Laiho’s blog.
Comments
5 responses to “Windows 10 Update Bug Grants ‘Root’ Access And Bypasses BitLocker With Just Two Keys”
A fix for the bug would be disabling troubleshooting from WinPE? Please no.
I’m more concerned about this:
Does this mean that BitLocker needs to be running for the encryption to be enforced? Or is this simply a mistake and it means that BitLocker is used to decrypt the drive. Surely the default state should be encrypted and inaccessible, and only with BitLocker enabled, running, and with the appropriate key should the data be accessible?
I guess it doesn’t need to be constantly running, because that would imply you could plug the drive into another PC and read its contents which would be pretty useless.
I take it to mean BitLocker decrypts the drive before the update begins. Interrupting the update process then gives you access to the already decrypted drive.
BitLocker decrypts certain parts of the Windows system that need to be changed as part of the update. It doesn’t decrypt your whole drive. This bug in essence is a minor issue as you can get root access through various ways when logged in anyway.
FYI, this can be mitigated by placing a tag file called DisableCMDRequest.tag under %windir%\Setup\Scripts.
This’ll impede launching the command prompt during an upgrade.
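The following PowerShell script is an added example, not code from the article, from Laiho or from any commenter. It applies the tag-file mitigation described in the comment above and checks the BitLocker state that the article’s recommendations depend on: it creates `DisableCMDRequest.tag` under `%windir%\Setup\Scripts` (the path named in the comment; the folder and file names are taken from there, and the function names `Set-SetupCmdLockdown` and `Get-OsVolumeProtection` are this example’s own), then reports the OS volume’s protection status so an administrator can confirm the drive is actually protected before scheduling an upgrade. It must be run from an elevated prompt.

```powershell
# Added example (not from the article or its commenters).
# Creates the DisableCMDRequest.tag file that Windows Setup checks to suppress
# the SHIFT+F10 command prompt during an in-place upgrade, and reports the
# BitLocker state of the OS volume. Run elevated.

function Set-SetupCmdLockdown {
    # Path from the comment above: %windir%\Setup\Scripts\DisableCMDRequest.tag
    $scriptsDir = Join-Path $env:windir 'Setup\Scripts'
    $tagFile    = Join-Path $scriptsDir 'DisableCMDRequest.tag'

    if (-not (Test-Path -Path $scriptsDir)) {
        New-Item -ItemType Directory -Path $scriptsDir | Out-Null
    }
    if (-not (Test-Path -Path $tagFile)) {
        # An empty file is sufficient; Setup only tests for its presence.
        New-Item -ItemType File -Path $tagFile | Out-Null
    }

    # Return the resulting state so it can be logged or checked by a caller.
    [pscustomobject]@{
        TagFile   = $tagFile
        Present   = (Test-Path -Path $tagFile)
        LastWrite = (Get-Item -Path $tagFile).LastWriteTime
    }
}

function Get-OsVolumeProtection {
    # Requires the BitLocker PowerShell module (Windows 10 Pro/Enterprise).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

# Apply the mitigation and show the current state.
Set-SetupCmdLockdown | Format-List
Get-OsVolumeProtection | Format-List

# A volume whose ProtectionStatus is Off (for example, protectors suspended
# ahead of an upgrade) is not protected regardless of its encryption state,
# which is the condition the article's "don't allow unattended upgrades" advice
# is meant to keep an eye on.
```

The tag file only affects the Setup-initiated command prompt; it is a defence-in-depth control and does not replace keeping upgrades attended or monitoring which machines are enrolled in Insider builds.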
Sourced from The Hacker News;
http://thehackernews.com/2016/11/windows-bitlocker-bypass.html