The Attack Path — No Login, SYSTEM Access

1. Boot into setup.exe (via USB, PXE, or OOBM like Intel vPro).
2. Click "Repair your computer" → Enter WinRE.
3. Press Shift + F10 → SYSTEM-level Command Prompt.
4. From there, attacker can:
   - Run `net user` to create new admin accounts
   - Use `diskpart` to wipe or reformat drives
   - Use `manage-bde -off` or `bcdedit` to disable BitLocker
   - Replace `utilman.exe` to bypass login
   - Implant persistence or backdoors

Why BitLocker Doesn't Save You

- BitLocker is inactive in Setup or WinRE — the OS hasn't loaded, and the BitLocker driver isn't running.
- If BitLocker is TPM-only (no PIN/USB), the drive is already unlocked at boot.
- TPM 2.0 *can* block key release — but only if:
  - Secure Boot is enforced
  - PCR bindings are tightly configured
  - Boot order is locked
  - USB/PXE boot is disabled
  - OOBM is secured

Most orgs don't meet all those conditions. Even if BitLocker triggers recovery, an attacker can still wipe the drive or implant malware.

> CVE-2025-26637 and tools like BitUnlocker show how these vectors are being actively explored.

"But We Have Immutable Backups"

That protects data availability — not system integrity. If I implant malware or create a hidden admin account, you'll restore into a compromised environment.

Immutable backups don't detect or prevent:
- Credential theft
- Persistence
- Backdoored reboots
- Silent compromise of trust

Remote Risk: OOBM

With Intel vPro, I can:
- Mount virtual media
- Boot into Setup or WinRE
- Execute all of the above remotely, without touching the device

Intel's own docs highlight how vPro enables remote boot and media mounting — a dream for IT, and a gift for attackers if misconfigured.

This Isn't About "Wasting Access"

It's about how Microsoft's own tooling enables unauthenticated SYSTEM access in environments that are supposed to be secure. If your only defense is "well, that's by design," then the design *is* the vulnerability.

BIOS/UEFI Passwords: A Broken Mitigation

Microsoft may argue that setting a BIOS/UEFI password mitigates this attack. But in practice, this "defense" is deeply flawed:

- **No visual feedback**: Users can't see what they're typing — no asterisks, no characters, nothing.
- **No Caps Lock indicator**: If Caps Lock is on, users won't know — and their input silently fails.
- **No support for special characters**: Most firmware restricts input to basic alphanumeric characters.
- **Short password limits**: Many systems cap passwords at 8–16 characters.
- **No brute-force protection**: Some BIOS/UEFI setups don't lock out after failed attempts.

The result? Users get scared, fumble their input, and retreat to normal boot — where the system is already unlocked and vulnerable. The illusion of security becomes the attack vector. If this is the only mitigation, then the system is fundamentally broken.

— Darsh

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
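The post's "only if" list (pre-boot authentication rather than TPM-only, Secure Boot enforced, TPM ready, PCR bindings deliberately configured) is something a defender can check on each host rather than assume. The following PowerShell audit is an added example written for this page; it is not code from Darsh's post. It uses the built-in `Get-BitLockerVolume`, `Confirm-SecureBootUEFI` and `Get-Tpm` cmdlets, must be run elevated on a UEFI-booted Windows host, and assumes the platform validation profile policy lives under the `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` key (an assumption to verify against the Group Policy templates in your environment). Boot-order lock, USB/PXE boot and OOBM settings live in firmware and vPro/AMT configuration, so this script cannot see them and reports that limitation.

```powershell
# Added example (not from the Full Disclosure post): audit the pre-boot
# conditions the post says are needed for the TPM to withhold the BitLocker key.
# Run from an elevated PowerShell session on the Windows host being checked.

$findings = @()

# 1. OS volume protection and protector types.
#    A volume whose only TPM protector is 'Tpm' unlocks on boot with no user secret.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is '$($os.ProtectionStatus)' on $($os.MountPoint)"
}
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$preBootAuth = $types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password' }
if (-not $preBootAuth) {
    $findings += "No pre-boot authentication protector; volume unlocks on TPM alone (protectors: $($types -join ', '))"
}

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    which is itself a finding: no UEFI Secure Boot at all.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += "Secure Boot is disabled" }
} catch {
    $findings += "Secure Boot state unreadable (legacy BIOS boot or unsupported firmware)"
}

# 3. TPM presence and readiness.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    $findings += "TPM not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

# 4. PCR binding policy. ASSUMPTION: the 'Configure TPM platform validation
#    profile for native UEFI firmware configurations' policy is stored here;
#    if the key is absent, Windows uses its default profile.
$pcrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pcrPolicy = Get-ItemProperty -Path $pcrKey -ErrorAction SilentlyContinue
if (-not $pcrPolicy) {
    $findings += "No explicit PCR validation profile policy (default profile in use); review whether it meets your threat model"
} else {
    $bound = $pcrPolicy.PSObject.Properties |
        Where-Object { $_.Name -like 'PCR*' -and $_.Value -eq 1 } |
        ForEach-Object { $_.Name }
    "PCR validation profile policy present; sealed PCRs: $($bound -join ', ')"
}

# 5. Items this script cannot observe from inside the OS.
"NOTE: boot-order lock, USB/PXE boot and vPro/AMT (OOBM) settings are firmware-side; verify them in the firmware setup or via your management tooling."

if ($findings.Count -eq 0) {
    "No findings: pre-boot auth, Secure Boot, TPM and PCR policy checks passed."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A host that reports "No pre-boot authentication protector" is exactly the TPM-only configuration the post describes, where the OS volume is already unlocked by the time Setup or WinRE runs; adding a TPM+PIN protector (`Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector`) is the change that makes the "Shift + F10" path land on a still-sealed volume.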
