New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files

The Hacker News technology

Key Points:

  • Security researcher Chaotic Eclipse has disclosed a new Windows BitLocker bypass exploit called GreatXML, discovered accidentally within four hours.
  • The exploit targets users who have used the Windows Defender Offline Scan feature, enabling attackers to gain unrestricted access to BitLocker-encrypted volumes through a crafted XML file placed in the recovery partition.
  • To trigger the bypass, the system must be rebooted into the Windows Recovery Environment (WinRE) with specific files copied to the recovery partition, resulting in a shell with full BitLocker access.
  • GreatXML follows shortly after the discovery of RoguePlanet, a zero-day Microsoft Defender flaw allowing local privilege escalation, and is the second BitLocker bypass by Chaotic Eclipse after YellowKey, which was patched by Microsoft recently.
  • The researcher noted uncertainty about whether the exploit can be triggered without ever using Defender Offline Scan but suggested it may be possible to boot into WinRE in an offline scan state without logging in.
