-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
In initial development, it was confirmed that this vulnerability was a remote code execution. It required an attacker to coerce a victim to open a .vhd(x) on a remote SMB server; successful exploitation resulted in Defender overwriting its own files, and obviously the end outcome was an RCE.
In another scenario, where a victim has symlink evaluation R2L enabled, it was a wrap: RCE was possible by just coercing the victim to open the SMB share, nothing else.
Another scenario was a BitLocker bypass. It required a specialized device that would push different data to NTFS.sys when Defender attempted to read the dirty file; it was possible to redirect the newly remediated file to an arbitrary location, and the end result was the same, a full BitLocker bypass.
All of the cases above were verified using a debugger.
Now, after mid-May, a patch was pushed to Defender in the mpengine!SysIO* API that made any junction attacks useless. Rewriting RoguePlanet to make it functional again drained my soul, and I couldn't complete the other scenarios, so for now it remains unclear whether RoguePlanet is limited to LPE or there is some way to turn it into an RCE.
I think the BitLocker bypass might be doable even with the changes, but I'm really not sure.
I'm also pretty sure Microsoft will ban the new GitHub account. A special thanks to a great developer who made it possible for us to have our own hosting solution, circumventing Microsoft's ridiculous attempts to wipe me off the internet.
https://git.projectnightcrawler.dev/NightmareEclipse
We are working with the community to provide additional code hosting solutions.
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCaiiA5AAKCRDFFoRCS0/S
bPS2AQDeuHXCxcn0V2K5Gz9mXQHZPfZv7EYQBXGI0g31OTrXFAD/eg7rOZuJS5HB
uOUnCsQdVpxnqN1hZKgQcZRMAGCUoAE=
=Zlcc
-----END PGP SIGNATURE-----
Ok so... Microsoft patched the bug you found in this case. And they publicly denied knowing the bugs you publicized ahead of time in the blog post "A Shared Responsibility."
This is pure defamation.
For the love of god, or whatever is holy to you, can you find a solution for their motherfucking April 2026 update and the enforcement of WHCP drivers. Fucking hell
Probably a reg tweak and probably some driver they installed.
Thanks for posting this! Also backing up your stuff on gitflic