ms-rms-attacks's Introduction

MS-RMS-Attacks

For an overview see: https://web-in-security.blogspot.de/2016/07/how-to-break-microsoft-rights.html

We present two different attacks on Microsoft RMS:

  1. Removing the RMS protection from a protected Word document resulting in a totally unprotected document. (decrypter)
  2. Content modification of an RMS protected Word document. (modification-attack)

Both attacks require only the view-only access right on the RMS protected file. This is the minimal right that can be assigned to a group or user in a Microsoft RMS environment.

Attack 1: Removing the RMS protection

For the first attack, we split the protected document (OLE compound file) into its components (RMS License and EncryptedPackage). This can be achieved, for example, by using 7zip. We created an attack tool that can be executed by every user of the domain. The tool removes the protection automatically, without any further interaction, and creates a copy of the processed RMS protected file, which contains the same content, formatting, etc., but without the RMS protection.

The steps executed by the tool are as follows:

  1. The tool reads in the publishing license and client licensor certificate.
  2. It uses the certificates from the previous step to request the content key (from the use license) from the RMS server or the client licensor cache.
  3. It reads the encrypted content bytes and
  4. uses the RMS API function IpcDecrypt to decrypt the content bytes with the previously acquired content key.
  5. The decrypted content bytes are written into a new unprotected file, which can later be opened, for example, by using Microsoft Word.

We extended the first attack to an even more severe one: the second attack makes use of the first attack and goes one step further. After removing the protection (cf. attack 1), we modify the unprotected content of the file. We then reprotect the file, so that it looks as if it had been created by the original author of the protected file, but contains the content that we have just modified.

Attack 2: Content modification with view-only access right

This attack has the same requirements as the first attack. Suppose we have removed the protection of one file. We then modify the content of the file and proceed as follows:

  1. We use the original protected file and extract the contained RMS License file.
  2. Our tool then reads the manipulated and unprotected file that we want to embed in the protected file.
  3. The tool reads in the publishing license and client licensor certificate from the files extracted in Step 1.
  4. By using these certificates, our tool requests the content key from the RMS server or the client cache.
  5. The tool pads the read bytes from the unprotected file to fit the 16 byte block size of the encryption algorithm.
  6. It then uses the RMS API function IpcEncrypt to encrypt the content bytes with the previously acquired content key.
  7. The encrypted content bytes are written into a new file.
  8. We finally replace the encrypted content contained in the original protected RMS file with the newly encrypted content bytes.

The tampered protected document cannot be distinguished from the original protected document. It looks as if it had been created by the original author and only shows the correct view access right for the attacker. This effectively defeats the idea of the view-only RMS protection.
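The tampered document is indistinguishable because RMS encryption provides confidentiality, not integrity: a package re-encrypted under the same content key is a perfectly valid container. As an added defender-side example, not part of this project, the following Python shows how a publishing organisation could record a keyed MAC over the license and EncryptedPackage out of band at publishing time and verify it on receipt; the license text, package bytes and key are constructed stand-ins, and issue_tag/verify_tag are hypothetical names.

```python
import hashlib
import hmac

# Constructed stand-ins for the two components of a protected OLE container
# (publishing license and EncryptedPackage). Not real RMS data.
PUBLISHING_LICENSE = b"<XrML>constructed publishing license placeholder</XrML>"
ORIGINAL_PACKAGE = bytes(range(64))            # 64 bytes: a multiple of the 16-byte block size
MODIFIED_PACKAGE = bytes(reversed(range(64)))  # same length, same license: the attack 2 output
ORG_KEY = b"constructed-demo-key-do-not-reuse"  # held by the publishing organisation only


def _bind(license_blob: bytes, package: bytes) -> bytes:
    """Length-prefix both components so the (license, package) pair cannot be re-split."""
    return (len(license_blob).to_bytes(8, "big") + license_blob
            + len(package).to_bytes(8, "big") + package)


def issue_tag(key: bytes, license_blob: bytes, package: bytes) -> bytes:
    """Tag recorded at publishing time, e.g. in a DLP registry, never inside the file itself."""
    return hmac.new(key, _bind(license_blob, package), hashlib.sha256).digest()


def verify_tag(key: bytes, license_blob: bytes, package: bytes, tag: bytes) -> bool:
    """Constant-time check that the container still matches what was published."""
    return hmac.compare_digest(issue_tag(key, license_blob, package), tag)


def demo():
    tag = issue_tag(ORG_KEY, PUBLISHING_LICENSE, ORIGINAL_PACKAGE)
    genuine = verify_tag(ORG_KEY, PUBLISHING_LICENSE, ORIGINAL_PACKAGE, tag)
    # The re-encrypted container keeps the original license, so only the
    # out-of-band tag reveals that the ciphertext was replaced.
    tampered = verify_tag(ORG_KEY, PUBLISHING_LICENSE, MODIFIED_PACKAGE, tag)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The tag must live outside the container (or be a signature the recipient can verify independently); a plain hash stored inside the file would simply be recomputed by anyone holding the content key.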

Demo

  • See the examples dir

ms-rms-attacks's Issues

Seems not working on office365/Azure Information Protection?

Last year I received a protected document from my friend, and I tried to use the program to test it. It unprotected the file perfectly. At that time my friend had deployed Active Directory Rights Management on a server and protected that file. I'm not in the Active Directory and I have the password to view and edit the document.
Today I received a document protected by Office 365/Azure Information Protection, and I tried to unprotect the file (I'm not in the Active Directory and I have the password to view and edit the document). It asked me to install Microsoft Online Services Sign-In Assistant for IT Professionals RTW from http://aka.ms/sia, and I installed it and ran the program again. Then I encountered the error as in the closed issue:

The application must provide a key handle to access the requested information. Contact your application support for further investigation.
The parameter is incorrect.

Is there a way to fix it? Thanks.

Exception while running unprotected exe

Hello,
I get this error while running the unprotect.exe

MS-RMS-Attacks-master\examples\unprotected>unprotect.exe
Microsoft Online Services Sign-in Assistant is not installed on this machine. Install it from http://aka.ms/sia before retrying the operation.
The application did not provide a key handle when calling the Rights Management service. Please contact the application support for further assistance.
The parameter is incorrect.

Unhandled Exception: OutOfMemoryException.

The machine specification is Windows 10 64-bit.
I have an Office 365 subscription.

Thank You in advance

For this to be an attack it has to do something that is against the intended design of the product it's attacking

As per its official documentation (https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/azure-information-protection-securing-data), AIP doesn't claim to block authorized users from abusing content. It provides capabilities to prevent unauthorized users from gaining access to the content, and also capabilities to help prevent users accidentally or negligently misusing the content. But AIP doesn't attempt to prevent malicious users to whom you grant rights to the content from misusing it.
That makes sense since it is not possible to give someone access to content they can't abuse. If someone has access to some content, there is always a way to copy the content; worst case, the user can just take a picture of the screen with their camera phone, or retype it in another location. Making it easier to copy the content you would be able to copy anyway is not a security exploit.
And to be clear, this is not a limitation of one particular product. Any information protection software has this same limitation; anyone that claims otherwise should be sent to review the basic principles of computer security. If a user can see some data on their computer, no technology can prevent them from copying it.
In other words, AIP aims at keeping honest users honest, and keeping the bad guys out. If someone is looking for software that keeps the bad guys honest, they won't find it.
About the second "attack", AIP doesn't currently promise to be an anti-tampering or non-repudiation solution. There's plenty of software for that (e.g. the document signing features in Office, S/MIME signing in Outlook, etc.) but AIP makes as many claims about preventing document tampering as it makes about helping you balance your checkbook. So this "attack" doesn't break any promises the product makes.

While these are cool demonstrations of the limitations of policy enforcement in the Information Protection world, these limitations are consistent with the product's claimed capabilities and its documentation, so I would be hesitant to call them "attacks" or "exploits".

Unprotect attack does not work

When running the unprotect attack I am getting the following error (in German):

Der Threadmodus kann nicht nach dem Einstellen geändert werden.
Die Anwendung hat beim Aufrufen des Rights Management-Diensts kein Schlüsselhandle bereitgestellt. Wenden Sie sich an den technischen Support für die Anwendung, um weitere Unterstützung zu erhalten.
Falscher Parameter.

Translated to English:

Cannot change thread mode after it is set.
The application must provide a key handle to access the requested information. Contact your application support for further investigation.
The parameter is incorrect.

pptx version?

It is not working on pptx files. Is there a solution for pptx files?

It works with docx, but not with doc (2003) Word documents

My findings:
The .doc structure is different from .docx, and that's the reason.
In the docx file structure there is a file called EncryptedDocument, which does not exist in the case of a .doc file, whereas in the .doc file structure there is a file called WordDocument.

Inside decrypter.cpp
I changed the following:

  • line 189: dateiname = "decrypted.docx" to dateiname = "decrypted.doc"
  • replace "EncryptedDocument" with "WordDocument"
  • replace the path to the "[6]Primary" file as follows: "[6]DataSpaces\TransformInfo[9]DRMTransform" instead of the old value (the path inside the .docx file)

and rebuilt a new exe.

I got the output file, but it is not working.
Any help please
