GreenPlasma: Local Privilege Escalation (LPE)
Categorised as the "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability," GreenPlasma exposes a critical flaw in how Windows handles memory-section object validation.
- The Vulnerability: It targets ctfmon.exe, a core Windows component managing alternative user input. The logic flaw resides in how the Collaborative Text Framework (CTF) protocol handles memory section objects; because ctfmon.exe must interact with both low-privileged user processes and high-privileged system components, it provides a unique bridge across security boundaries.
- Exploit: GreenPlasma allows an unprivileged user to bypass standard Access Control Lists (ACLs) and create an arbitrary memory section (a \CSRSS_TEST_SECTION object) within a directory normally restricted to the SYSTEM account. These memory section objects can be shared across processes or mapped to files on disk.
- The Impact: Because core OS components and kernel-mode drivers blindly trust these restricted paths, an attacker could manipulate privileged services into executing malicious logic within a SYSTEM-level context.
- PoC Status: The public Proof-of-Concept (PoC) on GitHub is intentionally incomplete. It hangs at initial UAC prompts and lacks the final payload to spawn a full SYSTEM shell. However, security experts warn that the PoC provides more than enough information for a capable attacker to fold the vulnerability into a broader intrusion chain, allowing them to disable EDR agents and establish deep persistence.
- Affected versions: modern operating systems, including Windows 11, Windows Server 2022, and Windows Server 2025.
YellowKey: Physical BitLocker Bypass
YellowKey is a cryptographic bypass vulnerability that grants an attacker with physical access unrestricted, root-level shell access to a fully encrypted BitLocker volume. It subverts the chain of trust established between the Trusted Platform Module (TPM), the system firmware, and the Windows Recovery Environment (WinRE).
- The Target: It exploits a fundamental weakness in TPM-only BitLocker configurations. In this default setup, the TPM automatically unseals the volume encryption keys during a trusted boot into WinRE. Because WinRE is often configured to automatically repair the primary OS partition, the TPM frequently releases the BitLocker decryption keys to the WinRE environment without requiring a user password or recovery key.
- The Root Cause: WinRE uses a component (fstx.dll) that automatically replays unresolved TxF logs from the attached USB. Introduced in Windows Vista, TxF was intended to ensure file system consistency by replaying operations after a system failure. The malicious logs execute a cross-volume deletion, removing X:\Windows\System32\winpeshl.ini. Without this initialisation file, WinRE defaults to a SYSTEM-level command prompt (cmd.exe) instead of launching the recovery wizard. Because the TPM already unlocked the drive, the attacker gains total access to the decrypted file system.
Execution Chain
- Preparation and Provisioning: The attacker formats a standard external USB drive and replicates a highly specific directory structure derived from the Nightmare-Eclipse GitHub repository: \System Volume Information\FsTx.
- The Transactional Payload: Inside this FsTx folder, the attacker places a crafted file featuring a specific hexadecimal identifier. This file contains highly structured transactional logs designed to be parsed by the Windows operating system.
- Triggering the WinRE Boot: The attacker inserts the provisioned USB drive into the locked target machine and forces a boot into the Windows Recovery Environment (WinRE) Agent.
- Payload Execution via Input Validation: As the system restarts and the WinRE boot sequence initialises, the attacker utilises a pre-login input validation shortcut by continuously holding the CTRL key.
- Unrestricted Access: The expected Windows Recovery Environment graphical user interface fails to initialise. Instead, the system spawns a highly privileged, SYSTEM-level command prompt, granting the attacker unrestricted read and write access to the fully decrypted C:\ drive.
Recommended Mitigations
- BitLocker and TPM Hardening: YellowKey invalidates TPM-only configurations; enforce TPM authentication with a user-supplied PIN. Additionally, implementing lid-removal detection and chassis-intrusion sensors can trigger a TPM wipe if physical tampering is detected.
- Firmware and BIOS Lockdown: Set strict BIOS/UEFI administrative passwords and disable booting from external USB drives at the firmware level to raise the execution threshold for physical attacks.
- Credential Hygiene and MFA: Given the use of compromised VPN credentials to deploy this actor's previous exploits, the enforcement of phishing-resistant MFA (such as FIDO2) across all remote access points is critical.
- Endpoint Visibility: Supplement Microsoft Defender with a secondary EDR solution capable of detecting subversions of the Defender service itself. Monitor ctfmon.exe for the unexpected creation of memory-section objects within highly privileged SYSTEM directories.
- Least Privilege and Attack Surface Reduction: Restricting the ability of standard users to create NTFS junctions or register Cloud Files sync roots can significantly hinder the success of the researcher's previous LPE exploits, RedSun and BlueHammer.
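To make the first mitigation auditable, the following PowerShell script (added here, not part of the article or the researcher's repository) lists each BitLocker operating-system volume's key protectors, flags volumes that unlock with the TPM alone, and shows the TPM+PIN remediation as commented commands. It assumes an elevated session with the BitLocker module available and that Group Policy permits a startup PIN; the FVE policy values named in the comments are the standard "Require additional authentication at startup" settings.

```powershell
# Added audit script: find BitLocker OS volumes in the TPM-only configuration
# that YellowKey abuses (TPM unseals the key with no PIN or startup key).
# Run in an elevated PowerShell session on the endpoint being checked.

function Get-TpmOnlyBitLockerVolumes {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            # Collect the protector types present on this volume.
            $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })

            # "TPM-only": a bare Tpm protector with no PIN-backed protector alongside it.
            $pinBacked = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                TpmOnly          = ($types -contains 'Tpm') -and -not $pinBacked
            }
        }
}

$findings = Get-TpmOnlyBitLockerVolumes
$findings | Format-Table -AutoSize

foreach ($v in ($findings | Where-Object { $_.TpmOnly })) {
    Write-Warning "$($v.MountPoint) unlocks with the TPM alone; add a PIN-backed protector."

    # Remediation (uncomment to apply). A TPM+PIN protector supersedes the bare TPM
    # protector, so the volume no longer unseals at boot without the PIN.
    # $pin = Read-Host -Prompt "Startup PIN for $($v.MountPoint)" -AsSecureString
    # Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmAndPinProtector -Pin $pin

    # Policy to require (not merely allow) the PIN on future enrolments:
    # "Require additional authentication at startup", stored under the FVE policy key.
    # $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    # New-Item -Path $fve -Force | Out-Null
    # Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    # Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -Type DWord   # 1 = Require
}
```

Re-run the audit after remediation and confirm that no OS volume reports TpmOnly as True; the firmware-level USB boot restriction and BIOS password from the next item still have to be set outside the OS.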
Summary of the Nightmare-Eclipse Campaign
| Vulnerability | Target | Mechanism | Impact | Status |
|---|---|---|---|---|
| BlueHammer | MS Defender | TOCTOU race condition | LPE (SYSTEM via SAM) | Patched (CVE-2026-33825) |
| RedSun | MS Defender | Cloud tag rewrite abuse | LPE (SYSTEM execution) | Silently Patched |
| UnDefend | MS Defender | Signature update interference | Denial of Service | Unpatched |
| GreenPlasma | Windows CTFMON | Arbitrary memory section creation | LPE (Building Block) | Unpatched |
| YellowKey | WinRE, TxF | Cross-volume deletion via FsTx logs | Full Cryptographic Bypass | Unpatched |