How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES|...

Preview:

Click to see full reader

Citation preview

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 1

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

How to Break MicrosoftRights Management Services

Workshop on Offensive Technology

Christian Mainka, Paul Rösler,Jörg Schwenk and Martin Grothe

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 2

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 3

• Going to talk about Enterprise Rights Management (ERM)

• Consumer version: Digital Rights Management (DRM)– Music, movies, e-books

• ERM goal: protect (digital) company assets

• Useful for different scenarios

Motivation

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 4

Motivation

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 5

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 6

Microsoft RMS - Intro

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 7

Microsoft RMS - High Level

• Set specific rights for a person and/or group via e-mailaddr.

• Use sym. and asym. cryptography– AES content encryption– PKI (RSA)– Licenses

• Use license (UL)• Publishing license (PL)

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 8

Microsoft RMSPKI

• RootCerthasseparatePrivK• SLChasseparatePrivK

• SPChasseparatePrivK

• SLCissignedwithRootPrivK

• RACPubK andencryptedRACPrivK aresignedbySLCPrivK

• SPCisself-signed

• CLCPubK andencryptedCLCPrivK aresignedbySLCPrivK

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 9

Microsoft RMSCreate File

• PLcontentencryptedwithSLCPubK

• PLsignedwithauthorCLCPrivK

• AuthorCLCsignedwithSLCPrivK

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 10

Microsoft RMSCreate File

Demonstration

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 11

Microsoft RMSConsume File

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 12

Microsoft RMSAttacks

• Responsible disclosed in april 2016• Case number MSRC 33210• We used:– C++– RMS SDK 2.1

• Attack requirements:– View access right– C++ Redistributable 2015– That is all J

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 13

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 14

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

Microsoft RMSDisARMS #1

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 15

Microsoft RMSDisARMS #1

Demonstration

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 16

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 17

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

DisARMS #2modification

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 18

DisARMS #2modification

Demonstration

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 19

Microsoft Response

From:MicrosoftSecurityResponseCentersecure@microsoft.com

“...Thetypeofattack youpresent fallsinthecategoryofpolicyenforcementlimitations.Policyenforcementcapabilities,suchastheabilitytoprevent printingormodifyingcon-tent towhichtheuserhaslegitimateaccess,arenotguaranteedbycryptography orotherhardtechnicalmeans...”

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 20

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 21

Conclusion

• RMS is used by important companies and ministry

• AD RMS, Azure RMS, etc. are not secure• DisARMS #1 can not be prevented (look DRM)

– Just make it not that simple• DisARMS #2 can be prevented (see paper)

• Microsoft seems to has no interest in fixing the attacks

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 22

Questions?Email:martin.grothe@rub.de

Email:christian.mainka@rub.deTwitter:@CheariX

CodeonGithub:RUB-NDS/MS-RMS-Attacks

FurtherInfos:web-in-security.blogspot.de

Sponsored by GermanMinistry for Educationand Research

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 23

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Recommended

Drinking our own Champagne: How Woot, an Amazon subsidiary, uses AWS (ARC212) | AWS re:Invent 2013
Technology
08.08.2016 communicating change - CIVITAS · MAG Planning Company / Amsterdam Cycle Chic / Copenhagenize Design Co. ! """ "! @dutch_ish ! @amsterdamcyclechic ! " " " " Photo: Jonathan
Documents
Woot! Please read the board carefully. Get ready for your quiz today – Objectives #3-6 (History and watersheds) Retakes for Objectives #1-2 also
Documents
Automatic Generation of Compact Printable Shellcodes For x86 - … · WOOT ’20 Dhrumil Patel Aditya Basu Anish Mathuria August 11, 2020. Outline Introduction Currently used Algorithms
Documents
MAULANA AZAD NATIONAL URDU UNIVERSITYmanuu.ac.in/UGC Section/List of Resource Persons final 08.08.2016.pdf · MAULANA AZAD NATIONAL URDU UNIVERSITY ... Professor S. G. Kulkarni Department
Documents
download1.fbr.gov.pkdownload1.fbr.gov.pk/Docs/2018628106538457FBRVsSajjad...13.06.2016 18.03.2016 08.08.2016 13.062016 730 427 2086 27 2 640 460 1 616 4 48 Statedly, the Deptt illegally
Documents
Model 24926 - Woot
Documents
JAIN SOCIETY OF METROPOLITAN WASHINGTONjsmw.org/wp-content/uploads/2016/08/Aug2016_web.pdf · 08.08.2016  · jain society of metropolitan washington a non-profit tax-exempt religious
Documents
A540 - A540 A - A550 A · Gigaset A540-A540A-A550A / en / A31008-M2601-L101-3-7619 / Cover_front.fm / 08.08.2016 Congratulations By purchasing a Gigaset, you have chosen a brand that
Documents
Save your money with all your purchase on Woot using Woot coupons
Devices & Hardware
Mijade - Amazon Web Servicesfrontlist-reports.s3.amazonaws.com/uploads/catalogue/file/frontlist-foreign...My Little Rabbit Emma de Woot Like every night, Daddy tells a bedtime story
Documents
Mode Avail Fundi of ing ng Date of Likely date Ph.D(F ...acad.uohyd.ac.in/downloads/Consolidated-ALL-Ph.D.pdfDhirendra Kumar Sahoo 6.6E+10 Full Time 16SSPH03 08.08.2016 Society Studies
Documents
Physiologically Structured Population Model of ... · Physiologically Structured Population Model of Intracellular Hepatitis C Virus Dynamics . Wojciech Krzyzanski . Xavier Woot de
Documents
Truncating TLS Connections to Violate Beliefs in Web ......Truncating TLS Connections to Violate Beliefs in Web Applications Ben Smyth & Alfredo Pironti WOOT 13 Aug 2013
Documents
2010 09 ss woot- interntational smm
Documents
Inbound Marketing Keynote at Woot Con - Mike Volpe, HubSpot
Business
Leveraging Flawed PHP Tutorials for Seeding Large-Scale ... · USENIX WOOT’17 | Leveraging Flawed PHP Tutorials for Seeding Large-Scale Web Vulnerability Discovery Template generation
Documents
Social Brand Management Panel at Search and Social Woot 2010
Documents
FACULTY OF CIVIL ENGINEERING - Anna Universitycac.annauniv.edu/PhpProject1/udspecialelective/1. CIVIL 08.08.2016.pdf · Corrosion Principles : Introduction – Corrosion Rate Expressions
Documents
WOOT! (mostly eastern). Shinobi!!!! A.K.A. NINJAS!!!! AAHHH!!!!! Actually ninja’s weren’t originally people that wear dark clothes and go around killing
Documents