• Home

  • Documents

  • How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES|...
23
HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12 How to Break Microsoft Rights Management Services Workshop on Offensive Technology Christian Mainka, Paul Rösler, Jörg Schwenk and Martin Grothe

How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 1

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

How to Break MicrosoftRights Management Services

Workshop on Offensive Technology

Christian Mainka, Paul Rösler,Jörg Schwenk and Martin Grothe

Page 2: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 2

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 3: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 3

• Going to talk about Enterprise Rights Management (ERM)

• Consumer version: Digital Rights Management (DRM)– Music, movies, e-books

• ERM goal: protect (digital) company assets

• Useful for different scenarios

Motivation

Page 4: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 4

Motivation

Page 5: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 5

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 6: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 6

Microsoft RMS - Intro

Page 7: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 7

Microsoft RMS - High Level

• Set specific rights for a person and/or group via e-mailaddr.

• Use sym. and asym. cryptography– AES content encryption– PKI (RSA)– Licenses

• Use license (UL)• Publishing license (PL)

Page 8: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 8

Microsoft RMSPKI

• RootCerthasseparatePrivK• SLChasseparatePrivK

• SPChasseparatePrivK

• SLCissignedwithRootPrivK

• RACPubK andencryptedRACPrivK aresignedbySLCPrivK

• SPCisself-signed

• CLCPubK andencryptedCLCPrivK aresignedbySLCPrivK

Page 9: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 9

Microsoft RMSCreate File

• PLcontentencryptedwithSLCPubK

• PLsignedwithauthorCLCPrivK

• AuthorCLCsignedwithSLCPrivK

Page 10: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 10

Microsoft RMSCreate File

Demonstration

Page 11: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 11

Microsoft RMSConsume File

Page 12: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 12

Microsoft RMSAttacks

• Responsible disclosed in april 2016• Case number MSRC 33210• We used:– C++– RMS SDK 2.1

• Attack requirements:– View access right– C++ Redistributable 2015– That is all J

Page 13: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 13

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 14: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 14

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

Microsoft RMSDisARMS #1

Page 15: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 15

Microsoft RMSDisARMS #1

Demonstration

Page 16: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 16

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 17: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 17

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

DisARMS #2modification

Page 18: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 18

DisARMS #2modification

Demonstration

Page 19: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 19

Microsoft Response

From:[email protected]

“...Thetypeofattack youpresent fallsinthecategoryofpolicyenforcementlimitations.Policyenforcementcapabilities,suchastheabilitytoprevent printingormodifyingcon-tent towhichtheuserhaslegitimateaccess,arenotguaranteedbycryptography orotherhardtechnicalmeans...”

Page 20: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 20

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 21: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 21

Conclusion

• RMS is used by important companies and ministry

• AD RMS, Azure RMS, etc. are not secure• DisARMS #1 can not be prevented (look DRM)

– Just make it not that simple• DisARMS #2 can be prevented (see paper)

• Microsoft seems to has no interest in fixing the attacks

Page 22: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 22

Questions?Email:[email protected]

Email:[email protected]:@CheariX

CodeonGithub:RUB-NDS/MS-RMS-Attacks

FurtherInfos:web-in-security.blogspot.de

Sponsored by GermanMinistry for Educationand Research

Page 23: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 23

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion


Model 24926 - Woot

Model 24926 - Woot

Documents
Permission slip? Please get out objectives #21-23 for a stamp Please read the board! Woot!

Permission slip? Please get out objectives #21-23 for a stamp Please read the board! Woot!

Documents
KIERAN C WOOT WOOT 2

KIERAN C WOOT WOOT 2

Education
A540 - A540 A - A550 A · Gigaset A540-A540A-A550A / en / A31008-M2601-L101-3-7619 / Cover_front.fm / 08.08.2016 Congratulations By purchasing a Gigaset, you have chosen a brand that

A540 - A540 A - A550 A · Gigaset A540-A540A-A550A / en / A31008-M2601-L101-3-7619 / Cover_front.fm / 08.08.2016 Congratulations By purchasing a Gigaset, you have chosen a brand that

Documents
action. - Ministry of Road Transport and Highways · CCEA/2212016(i) dated 08.08.2016) to authorize National HighwaysAuthority of India (NHAI) to monetize public funded National Highway

action. - Ministry of Road Transport and Highways · CCEA/2212016(i) dated 08.08.2016) to authorize National HighwaysAuthority of India (NHAI) to monetize public funded National Highway

Documents
WOOT! SUCCESS!

WOOT! SUCCESS!

Documents
jalshakti-ddws.gov.in · 53.76% (as on 08.08.2016). Further, 17 districts, 232 blocks and 72,727 villages have declared themselves ODE To evaluate the implementation and progress

jalshakti-ddws.gov.in · 53.76% (as on 08.08.2016). Further, 17 districts, 232 blocks and 72,727 villages have declared themselves ODE To evaluate the implementation and progress

Documents
Physiologically Structured Population Model of ... · Physiologically Structured Population Model of Intracellular Hepatitis C Virus Dynamics . Wojciech Krzyzanski . Xavier Woot de

Physiologically Structured Population Model of ... · Physiologically Structured Population Model of Intracellular Hepatitis C Virus Dynamics . Wojciech Krzyzanski . Xavier Woot de

Documents
Mijade - Amazon Web Servicesfrontlist-reports.s3.amazonaws.com/uploads/catalogue/file/frontlist-foreign...My Little Rabbit Emma de Woot Like every night, Daddy tells a bedtime story

Mijade - Amazon Web Servicesfrontlist-reports.s3.amazonaws.com/uploads/catalogue/file/frontlist-foreign...My Little Rabbit Emma de Woot Like every night, Daddy tells a bedtime story

Documents
Woot Wooot

Woot Wooot

Documents
DieHarder (CCS 2010, WOOT 2011)

DieHarder (CCS 2010, WOOT 2011)

Education
JAIN SOCIETY OF METROPOLITAN WASHINGTONjsmw.org/wp-content/uploads/2016/08/Aug2016_web.pdf · 08.08.2016  · jain society of metropolitan washington a non-profit tax-exempt religious

JAIN SOCIETY OF METROPOLITAN WASHINGTONjsmw.org/wp-content/uploads/2016/08/Aug2016_web.pdf · 08.08.2016  · jain society of metropolitan washington a non-profit tax-exempt religious

Documents
Lista autorizațiilor taxi din Municipiul Slatina la data de 08.08.2016

Lista autorizațiilor taxi din Municipiul Slatina la data de 08.08.2016

Documents
DHIRAJLAL GANDHI COLLEGE OF TECHNOLOGY · students on 08.08.2016, “Selenium Software testing tool”. 6. Workshops by Corporate Trainers The Department of Computer Science & Engineering

DHIRAJLAL GANDHI COLLEGE OF TECHNOLOGY · students on 08.08.2016, “Selenium Software testing tool”. 6. Workshops by Corporate Trainers The Department of Computer Science & Engineering

Documents
THACK SF 2013 Concept Winner: Weekend Woot

THACK SF 2013 Concept Winner: Weekend Woot

Travel
ANNUAL CURRICULUM PLAN - Golaya · 2019-05-06 · CLASS XII SCIENCE (SESSION: 2016-17) 2 SCHOOL CURRICULUM GOALS ... 06.08.2016 Biology Practical 08.08.2016 Chemistry 10.08.2016 English

ANNUAL CURRICULUM PLAN - Golaya · 2019-05-06 · CLASS XII SCIENCE (SESSION: 2016-17) 2 SCHOOL CURRICULUM GOALS ... 06.08.2016 Biology Practical 08.08.2016 Chemistry 10.08.2016 English

Documents
Chapter 5: Cohesion Chapter 6: Sentence Rhythm Yay! Let’s learn grammar. Woot! Grammar is my most favorite thing

Chapter 5: Cohesion Chapter 6: Sentence Rhythm Yay! Let’s learn grammar. Woot! Grammar is my most favorite thing

Documents
Social Brand Management Panel at Search and Social Woot 2010

Social Brand Management Panel at Search and Social Woot 2010

Documents
Lecture 12 Instructor: Craig Duckett ARRAYS. Announcements Assignment 3 Assignment 3 Revision Assignment 4 (and Final Exam) GRADED! RETURNED! Woot! NEXT

Lecture 12 Instructor: Craig Duckett ARRAYS. Announcements Assignment 3 Assignment 3 Revision Assignment 4 (and Final Exam) GRADED! RETURNED! Woot! NEXT

Documents
Inbound Marketing Keynote at Woot Con - Mike Volpe, HubSpot

Inbound Marketing Keynote at Woot Con - Mike Volpe, HubSpot

Business
SET SUBSET/INSERT # PLAYER - BlowoutBuzz.com€¦ · 08.08.2016  · 2013 Panini Timeless Treasures (13-14) Basketball Treasured Ink 3 Kyrie Irving 2013 Panini Timeless Treasures

SET SUBSET/INSERT # PLAYER - BlowoutBuzz.com€¦ · 08.08.2016  · 2013 Panini Timeless Treasures (13-14) Basketball Treasured Ink 3 Kyrie Irving 2013 Panini Timeless Treasures

Documents
ceouttarpradesh.nic.inceouttarpradesh.nic.in/Instructions/AppointmentOfBLO.pdf · judgement on 08.08.2016 (a copy of the judgernent is enclosed). The Election Commission of India,

ceouttarpradesh.nic.inceouttarpradesh.nic.in/Instructions/AppointmentOfBLO.pdf · judgement on 08.08.2016 (a copy of the judgernent is enclosed). The Election Commission of India,

Documents
Truncating TLS Connections to Violate Beliefs in Web ......Truncating TLS Connections to Violate Beliefs in Web Applications Ben Smyth & Alfredo Pironti WOOT 13 Aug 2013

Truncating TLS Connections to Violate Beliefs in Web ......Truncating TLS Connections to Violate Beliefs in Web Applications Ben Smyth & Alfredo Pironti WOOT 13 Aug 2013

Documents
Nasopharynx dr.s.s.bakshi, 08.08.2016

Nasopharynx dr.s.s.bakshi, 08.08.2016

Healthcare
Cultural variation of leadership prototypes across 22 ... · PDF fileCultural variation of leadership prototypes ... Consideration of the issues raised by Calori and de Woot invites

Cultural variation of leadership prototypes across 22 ... · PDF fileCultural variation of leadership prototypes ... Consideration of the issues raised by Calori and de Woot invites

Documents
Woot! Please read the board carefully. Get ready for your quiz today – Objectives #3-6 (History and watersheds) Retakes for Objectives #1-2 also

Woot! Please read the board carefully. Get ready for your quiz today – Objectives #3-6 (History and watersheds) Retakes for Objectives #1-2 also

Documents
Mode Avail Fundi of ing ng Date of Likely date Ph.D(F ...acad.uohyd.ac.in/downloads/Consolidated-ALL-Ph.D.pdfDhirendra Kumar Sahoo 6.6E+10 Full Time 16SSPH03 08.08.2016 Society Studies

Mode Avail Fundi of ing ng Date of Likely date Ph.D(F ...acad.uohyd.ac.in/downloads/Consolidated-ALL-Ph.D.pdfDhirendra Kumar Sahoo 6.6E+10 Full Time 16SSPH03 08.08.2016 Society Studies

Documents
Woot text sms marketing application

Woot text sms marketing application

Technology
MAULANA AZAD NATIONAL URDU UNIVERSITYmanuu.ac.in/UGC Section/List of Resource Persons final 08.08.2016.pdf · MAULANA AZAD NATIONAL URDU UNIVERSITY ... Professor S. G. Kulkarni Department

MAULANA AZAD NATIONAL URDU UNIVERSITYmanuu.ac.in/UGC Section/List of Resource Persons final 08.08.2016.pdf · MAULANA AZAD NATIONAL URDU UNIVERSITY ... Professor S. G. Kulkarni Department

Documents
download1.fbr.gov.pkdownload1.fbr.gov.pk/Docs/2018628106538457FBRVsSajjad...13.06.2016 18.03.2016 08.08.2016 13.062016 730 427 2086 27 2 640 460 1 616 4 48 Statedly, the Deptt illegally

download1.fbr.gov.pkdownload1.fbr.gov.pk/Docs/2018628106538457FBRVsSajjad...13.06.2016 18.03.2016 08.08.2016 13.062016 730 427 2086 27 2 640 460 1 616 4 48 Statedly, the Deptt illegally

Documents