Download pdf - How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

Transcript
Page 1: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 1

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

How to Break MicrosoftRights Management Services

Workshop on Offensive Technology

Christian Mainka, Paul Rösler,Jörg Schwenk and Martin Grothe

Page 2: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 2

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 3: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 3

• Going to talk about Enterprise Rights Management (ERM)

• Consumer version: Digital Rights Management (DRM)– Music, movies, e-books

• ERM goal: protect (digital) company assets

• Useful for different scenarios

Motivation

Page 4: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 4

Motivation

Page 5: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 5

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 6: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 6

Microsoft RMS - Intro

Page 7: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 7

Microsoft RMS - High Level

• Set specific rights for a person and/or group via e-mailaddr.

• Use sym. and asym. cryptography– AES content encryption– PKI (RSA)– Licenses

• Use license (UL)• Publishing license (PL)

Page 8: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 8

Microsoft RMSPKI

• RootCerthasseparatePrivK• SLChasseparatePrivK

• SPChasseparatePrivK

• SLCissignedwithRootPrivK

• RACPubK andencryptedRACPrivK aresignedbySLCPrivK

• SPCisself-signed

• CLCPubK andencryptedCLCPrivK aresignedbySLCPrivK

Page 9: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 9

Microsoft RMSCreate File

• PLcontentencryptedwithSLCPubK

• PLsignedwithauthorCLCPrivK

• AuthorCLCsignedwithSLCPrivK

Page 10: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 10

Microsoft RMSCreate File

Demonstration

Page 11: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 11

Microsoft RMSConsume File

Page 12: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 12

Microsoft RMSAttacks

• Responsible disclosed in april 2016• Case number MSRC 33210• We used:– C++– RMS SDK 2.1

• Attack requirements:– View access right– C++ Redistributable 2015– That is all J

Page 13: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 13

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 14: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 14

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

Microsoft RMSDisARMS #1

Page 15: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 15

Microsoft RMSDisARMS #1

Demonstration

Page 16: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 16

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 17: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 17

Bildquelle: http://www.google.com/about/datacenters/gallery/#/tech/12

DisARMS #2modification

Page 18: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 18

DisARMS #2modification

Demonstration

Page 19: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 19

Microsoft Response

From:[email protected]

“...Thetypeofattack youpresent fallsinthecategoryofpolicyenforcementlimitations.Policyenforcementcapabilities,suchastheabilitytoprevent printingormodifyingcon-tent towhichtheuserhaslegitimateaccess,arenotguaranteedbycryptography orotherhardtechnicalmeans...”

Page 20: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 20

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion

Page 21: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 21

Conclusion

• RMS is used by important companies and ministry

• AD RMS, Azure RMS, etc. are not secure• DisARMS #1 can not be prevented (look DRM)

– Just make it not that simple• DisARMS #2 can be prevented (see paper)

• Microsoft seems to has no interest in fixing the attacks

Page 22: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 22

Questions?Email:[email protected]

Email:[email protected]:@CheariX

CodeonGithub:RUB-NDS/MS-RMS-Attacks

FurtherInfos:web-in-security.blogspot.de

Sponsored by GermanMinistry for Educationand Research

Page 23: How to Break Microsoft Rights Management ServicesHOWTOBREAK MICROSOFT RIGHTS MANAGEMENT SERVICES| WOOT | 08.08.2016 21 Conclusion • RMS is used by important companies and ministry

HOW TO BREAK MICROSOFT RIGHTS MANAGEMENT SERVICES | WOOT | 08.08.2016 23

Agenda

Motivation

MicrosoftRMS

DisARMS Attack#1(unprotect)

DisARMSAttack #2

(modifcation)

Conclusion


Recommended

Save your money with all your purchase on Woot using Woot coupons
Save your money with all your purchase on Woot using Woot coupons Devices & Hardware
KIERAN C WOOT WOOT 1
KIERAN C WOOT WOOT 1 Education
MAULANA AZAD NATIONAL URDU UNIVERSITYmanuu.ac.in/UGC Section/List of Resource Persons final 08.08.2016.pdf · MAULANA AZAD NATIONAL URDU UNIVERSITY ... Professor S. G. Kulkarni Department
MAULANA AZAD NATIONAL URDU UNIVERSITYmanuu.ac.in/UGC Section/List of Resource Persons final 08.08.2016.pdf · MAULANA AZAD NATIONAL URDU UNIVERSITY ... Professor S. G. Kulkarni Department Documents
Permission slip? Please get out objectives #21-23 for a stamp Please read the board! Woot!
Permission slip? Please get out objectives #21-23 for a stamp Please read the board! Woot! Documents
Lecture 12 Instructor: Craig Duckett ARRAYS. Announcements Assignment 3 Assignment 3 Revision Assignment 4 (and Final Exam) GRADED! RETURNED! Woot! NEXT
Lecture 12 Instructor: Craig Duckett ARRAYS. Announcements Assignment 3 Assignment 3 Revision Assignment 4 (and Final Exam) GRADED! RETURNED! Woot! NEXT Documents
Chapter 5: Cohesion Chapter 6: Sentence Rhythm Yay! Let’s learn grammar. Woot! Grammar is my most favorite thing
Chapter 5: Cohesion Chapter 6: Sentence Rhythm Yay! Let’s learn grammar. Woot! Grammar is my most favorite thing Documents
Under the Chairmanship of · G.O.Ms.No.151, Finance (HR-1) Plg & Policy Dept dt.08.08.2016 8. The State Council has approved the sanction of Knowledge and Incubation (177) centres
Under the Chairmanship of · G.O.Ms.No.151, Finance (HR-1) Plg & Policy Dept dt.08.08.2016 8. The State Council has approved the sanction of Knowledge and Incubation (177) centres Documents
KIERAN C WOOT WOOT 2
KIERAN C WOOT WOOT 2 Education
Mode Avail Fundi of ing ng Date of Likely date Ph.D(F ...acad.uohyd.ac.in/downloads/Consolidated-ALL-Ph.D.pdfDhirendra Kumar Sahoo 6.6E+10 Full Time 16SSPH03 08.08.2016 Society Studies
Mode Avail Fundi of ing ng Date of Likely date Ph.D(F ...acad.uohyd.ac.in/downloads/Consolidated-ALL-Ph.D.pdfDhirendra Kumar Sahoo 6.6E+10 Full Time 16SSPH03 08.08.2016 Society Studies Documents
ANNUAL CURRICULUM PLAN - Golaya · 2019-05-06 · CLASS XII SCIENCE (SESSION: 2016-17) 2 SCHOOL CURRICULUM GOALS ... 06.08.2016 Biology Practical 08.08.2016 Chemistry 10.08.2016 English
ANNUAL CURRICULUM PLAN - Golaya · 2019-05-06 · CLASS XII SCIENCE (SESSION: 2016-17) 2 SCHOOL CURRICULUM GOALS ... 06.08.2016 Biology Practical 08.08.2016 Chemistry 10.08.2016 English Documents
Leveraging Flawed PHP Tutorials for Seeding Large-Scale ... · USENIX WOOT’17 | Leveraging Flawed PHP Tutorials for Seeding Large-Scale Web Vulnerability Discovery Template generation
Leveraging Flawed PHP Tutorials for Seeding Large-Scale ... · USENIX WOOT’17 | Leveraging Flawed PHP Tutorials for Seeding Large-Scale Web Vulnerability Discovery Template generation Documents
Woot! Please read the board carefully. Get ready for your quiz today – Objectives #3-6 (History and watersheds) Retakes for Objectives #1-2 also
Woot! Please read the board carefully. Get ready for your quiz today – Objectives #3-6 (History and watersheds) Retakes for Objectives #1-2 also Documents
action. - Ministry of Road Transport and Highways · CCEA/2212016(i) dated 08.08.2016) to authorize National HighwaysAuthority of India (NHAI) to monetize public funded National Highway
action. - Ministry of Road Transport and Highways · CCEA/2212016(i) dated 08.08.2016) to authorize National HighwaysAuthority of India (NHAI) to monetize public funded National Highway Documents
SET SUBSET/INSERT # PLAYER - BlowoutBuzz.com€¦ · 08.08.2016  · 2013 Panini Timeless Treasures (13-14) Basketball Treasured Ink 3 Kyrie Irving 2013 Panini Timeless Treasures
SET SUBSET/INSERT # PLAYER - BlowoutBuzz.com€¦ · 08.08.2016  · 2013 Panini Timeless Treasures (13-14) Basketball Treasured Ink 3 Kyrie Irving 2013 Panini Timeless Treasures Documents
Physiologically Structured Population Model of ... · Physiologically Structured Population Model of Intracellular Hepatitis C Virus Dynamics . Wojciech Krzyzanski . Xavier Woot de
Physiologically Structured Population Model of ... · Physiologically Structured Population Model of Intracellular Hepatitis C Virus Dynamics . Wojciech Krzyzanski . Xavier Woot de Documents
Mijade - Amazon Web Servicesfrontlist-reports.s3.amazonaws.com/uploads/catalogue/file/frontlist-foreign...My Little Rabbit Emma de Woot Like every night, Daddy tells a bedtime story
Mijade - Amazon Web Servicesfrontlist-reports.s3.amazonaws.com/uploads/catalogue/file/frontlist-foreign...My Little Rabbit Emma de Woot Like every night, Daddy tells a bedtime story Documents
Nasopharynx dr.s.s.bakshi, 08.08.2016
Nasopharynx dr.s.s.bakshi, 08.08.2016 Healthcare
Model 24926 - Woot
Model 24926 - Woot Documents