HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 1
Image source: http://www.google.com/about/datacenters/gallery/#/tech/12
How to Break Microsoft Rights Management Services
Workshop on Offensive Technology
Christian Mainka, Paul Rösler, Jörg Schwenk and Martin Grothe
Agenda
Motivation
Microsoft RMS
DisARMS Attack #1 (unprotect)
DisARMS Attack #2 (modification)
Conclusion
Motivation
• Going to talk about Enterprise Rights Management (ERM)
• Consumer version: Digital Rights Management (DRM)
– Music, movies, e-books
• ERM goal: protect (digital) company assets
• Useful for different scenarios
Microsoft RMS - Intro
Microsoft RMS - High Level
• Set specific rights for a person and/or group via e-mail address
• Use symmetric and asymmetric cryptography
– AES content encryption
– PKI (RSA)
– Licenses
• Use license (UL)
• Publishing license (PL)
Microsoft RMS - PKI
• RootCert has separate PrivK
• SLC has separate PrivK
• SPC has separate PrivK
• SLC is signed with Root PrivK
• RAC PubK and encrypted RAC PrivK are signed by SLC PrivK
• SPC is self-signed
• CLC PubK and encrypted CLC PrivK are signed by SLC PrivK
Microsoft RMS - Create File
• PL content encrypted with SLC PubK
• PL signed with author CLC PrivK
• Author CLC signed with SLC PrivK
Microsoft RMS - Create File
Demonstration
Microsoft RMS - Consume File
Microsoft RMS - Attacks
• Responsibly disclosed in April 2016
• Case number MSRC 33210
• We used:
– C++
– RMS SDK 2.1
• Attack requirements:
– View access right
– C++ Redistributable 2015
– That is all :)
Microsoft RMS - DisARMS #1
Microsoft RMS - DisARMS #1
Demonstration
DisARMS #2 modification
DisARMS #2 modification
Demonstration
Microsoft Response
From: [email protected]
“... The type of attack you present falls in the category of policy enforcement limitations. Policy enforcement capabilities, such as the ability to prevent printing or modifying content to which the user has legitimate access, are not guaranteed by cryptography or other hard technical means ...”
Conclusion
• RMS is used by important companies and ministries
• AD RMS, Azure RMS, etc. are not secure
• DisARMS #1 cannot be prevented (see DRM)
– Just make it less simple
• DisARMS #2 can be prevented (see paper)
• Microsoft seems to have no interest in fixing the attacks
Questions?
Email: [email protected]
Email: [email protected]
@CheariX
Code on GitHub: RUB-NDS/MS-RMS-Attacks
Further information: web-in-security.blogspot.de
Sponsored by German Ministry for Education and Research