Windows security expert and infrastructure trainer Sami Laiho has discovered a simple method of bypassing BitLocker during the Windows 10 update procedure.
Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges.
SHIFT + F10 for the win!!!
This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker.
The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system.
"This [update procedure] has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine."
Microsoft working on a fix
Laiho says that he informed Microsoft of the issue and the company's engineers are working on a fix.
During his tests, the Windows 10 security expert says he successfully brought up the CLI troubleshooting interface when performing an update from Windows 10 RTM to version 1511 (November Update) or version 1607 (Anniversary Update).
The CLI also popped up during updates to any newer Windows 10 Insiders Build version, up to the end of October 2016.
How can this be exploited?
The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. Windows updates have a reputation of taking ages to install, and in most companies, employees tend to take a break, go out for coffee, or leave the computer to update while they leave for home.
During this time, a malicious insider or threat actor can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence.
But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy, for example when police have seized computers from users who deployed BitLocker, or when someone steals your laptop.
Windows 10 defaults make this issue easy to exploit
In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to perform an update even if a user is not present or has not logged on for a long period of time.
"At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows," Laiho tells Bleeping Computer. "Microsoft has decided that these will be forced by default."
"So Windows will download and install whether the owner is there or not. When will it happen, that I can’t say for sure, but there will be certain times when this will be more probable based on this [Windows 10 release schedule]. My aim with this blog is to, of course, make sure they fix it before the next big wave hits."
"Based on my contacts about this, the biggest issue is a user who has a limited user account and will use this to elevate himself to an admin," Laiho adds. "This can be done in two ways: either when a real upgrade happens or by social engineering an admin to change his computer to be part of the Windows Insiders program. These upgrades take place even two times in a single week."
Some countermeasures and recommendations
Because of this, Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long-Term Servicing Branch) versions for the time being.
"The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades," Laiho said.
Furthermore, Laiho says that SCCM (System Center Configuration Manager) can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.
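The following PowerShell script is an added example, not code from Laiho's post or from Bleeping Computer. It creates the DisableCMDRequest.tag file at the path the article names, and reports the two conditions that decide how much the SHIFT + F10 issue matters on a given machine: whether the OS drive is actually BitLocker-protected, and whether the machine is WSUS/SCCM-managed (Laiho's "managed" case) or will take forced feature updates directly from Microsoft. The registry location used for the WSUS check is the standard Windows Update policy key and is an assumption about how an administrator would verify management; the function names are illustrative.

```powershell
# Added example (not from the article): deploy the DisableCMDRequest.tag
# file and report BitLocker / update-management state. Run elevated.

function Set-SetupCmdBlock {
    # Path and file name as given in the article; Setup only needs the
    # file to exist, so an empty file is sufficient.
    $scriptsDir = Join-Path $env:windir 'Setup\Scripts'
    $tagFile    = Join-Path $scriptsDir 'DisableCMDRequest.tag'

    if (-not (Test-Path $scriptsDir)) {
        New-Item -Path $scriptsDir -ItemType Directory -Force | Out-Null
    }
    if (-not (Test-Path $tagFile)) {
        New-Item -Path $tagFile -ItemType File -Force | Out-Null
    }
    return (Test-Path $tagFile)
}

function Get-SetupCmdBlockState {
    # Reports whether the block is already in place (useful as an SCCM
    # compliance check before the next feature update wave).
    $tagFile = Join-Path $env:windir 'Setup\Scripts\DisableCMDRequest.tag'
    [pscustomobject]@{
        TagFilePresent = (Test-Path $tagFile)
        TagFilePath    = $tagFile
    }
}

function Get-WsusManagementState {
    # Assumption: standard Windows Update policy keys. UseWUServer = 1 plus a
    # WUServer URL means updates are served by an internal WSUS/SCCM server
    # rather than forced from Microsoft directly.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $useWu  = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $server = (Get-ItemProperty -Path $wuKey -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    [pscustomobject]@{
        ManagedByWsus = ($useWu -eq 1 -and -not [string]::IsNullOrEmpty($server))
        WsusServer    = $server
    }
}

function Get-BitLockerExposure {
    # Get-BitLockerVolume is the built-in cmdlet from the BitLocker module.
    $osDrive = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
    $protection = 'Unknown'
    $volumeState = 'Unknown'
    if ($vol) {
        $protection  = $vol.ProtectionStatus   # On / Off
        $volumeState = $vol.VolumeStatus       # FullyEncrypted, etc.
    }
    [pscustomobject]@{
        OsDrive          = $osDrive
        ProtectionStatus = $protection
        VolumeStatus     = $volumeState
    }
}

# Usage: report current state, then put the block in place.
Get-BitLockerExposure
Get-WsusManagementState
Get-SetupCmdBlockState
if (Set-SetupCmdBlock) {
    Write-Host 'DisableCMDRequest.tag is in place for the next feature update.'
}
```

A machine that reports ProtectionStatus = On, ManagedByWsus = False and TagFilePresent = False is exactly the case the article describes: encrypted, due for a forced upgrade at a time of Microsoft's choosing, and with the troubleshooting prompt still reachable during that upgrade.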
Comments
Tohur - 7 years ago
you have the builds wrong, version 1511 is the November Update and version 1607 is the Anniversary Update
GT500 - 7 years ago
Correct, 1607 is definitely the Anniversary Update (my 64-bit VM did not want to install it either).
As for 1511, according to Ars Technica, "...it's Version 1511 (OS Build 10586.3) as in, 11th month of 2015.":
http://arstechnica.com/information-technology/2015/11/windows-10-november-update-features-fixes-and-enterprise-readiness/
campuscodi - 7 years ago
Fixed. Thanks.
Windows10Promocode - 7 years ago
Never been that trusting of the modern version of Windows Update. Seems to "not see" updates sometimes. Version 1511 downloading now. Finally. When I tried this it gets stuck at the 44% mark. windows 10 promo code
Computerforensics - 7 years ago
Cool I must try that exploit and test it out!
http://compute-forensics.com/
Th3_pl2oph1t - 7 years ago
Shift F10 is not really a new exploit. It's been around for a long time. Anytime you are in an install environment you can do it. You can also boot from a Win7 flash and do the same thing. Or simply unplug your hard drive, boot in Linux and then connect your drive with an external dock and voila. Just saying, few options are available to protect your computer if someone is physically there other than a BIOS system password. Still the most reliable method imo.