
Changed Build type for decrypter and modification attack to use Multithread DLL without Debug Libs
Kaedo committed Nov 30, 2016
1 parent 5410f9e commit e5b9e44faf2c6ee84192ec44af54511fd557ffd6
Showing with 203 additions and 219 deletions.
  1. +52 −52 README.md
  2. BIN decrypter/.vs/decrypter/v14/.suo
  3. BIN decrypter/decrypter.VC.opendb
  4. BIN decrypter/decrypter.sdf
  5. +1 −1 decrypter/decrypter.sln
  6. +0 −1 decrypter/decrypter/MsoDataStore/Ü×TYUÚÆB0UÎËCÊCCY1GÖßA==/Item
  7. +0 −2 decrypter/decrypter/MsoDataStore/Ü×TYUÚÆB0UÎËCÊCCY1GÖßA==/Properties
  8. +1 −1 decrypter/decrypter/Release/.NETFramework,Version=v4.5.2.AssemblyAttributes.asm
  9. BIN decrypter/decrypter/Release/.NETFramework,Version=v4.5.2.AssemblyAttributes.obj
  10. BIN decrypter/decrypter/Release/AssemblyInfo.obj
  11. +0 −31 decrypter/decrypter/Release/decrypter.Build.CppClean.log
  12. +9 −1 decrypter/decrypter/Release/decrypter.log
  13. BIN decrypter/decrypter/Release/decrypter.obj
  14. BIN decrypter/decrypter/Release/decrypter.pch
  15. BIN decrypter/decrypter/Release/decrypter.tlog/CL.command.1.tlog
  16. BIN decrypter/decrypter/Release/decrypter.tlog/CL.read.1.tlog
  17. BIN decrypter/decrypter/Release/decrypter.tlog/CL.write.1.tlog
  18. +1 −1 decrypter/decrypter/Release/decrypter.tlog/decrypter.lastbuildstate
  19. BIN decrypter/decrypter/Release/decrypter.tlog/link.command.1.tlog
  20. BIN decrypter/decrypter/Release/decrypter.tlog/link.read.1.tlog
  21. BIN decrypter/decrypter/Release/decrypter.tlog/link.write.1.tlog
  22. BIN decrypter/decrypter/Release/decrypter.tlog/rc.command.1.tlog
  23. BIN decrypter/decrypter/Release/decrypter.tlog/rc.read.1.tlog
  24. BIN decrypter/decrypter/Release/decrypter.tlog/rc.write.1.tlog
  25. 0 decrypter/decrypter/Release/decrypter.tlog/unsuccessfulbuild
  26. BIN decrypter/decrypter/Release/vc140.pdb
  27. +2 −1 decrypter/decrypter/decrypter.vcxproj
  28. +82 −82 examples/README.md
  29. BIN modfication-attack/.vs/manipulation-attack/v14/.suo
  30. BIN modfication-attack/Debug/manipulation-attack.exe
  31. +1 −1 modfication-attack/decrypter/Debug/.NETFramework,Version=v4.5.2.AssemblyAttributes.asm
  32. BIN modfication-attack/decrypter/Debug/.NETFramework,Version=v4.5.2.AssemblyAttributes.obj
  33. BIN modfication-attack/decrypter/Debug/AssemblyInfo.obj
  34. +2 −9 modfication-attack/decrypter/Debug/decrypter.log
  35. BIN modfication-attack/decrypter/Debug/decrypter.vcxprojResolveAssemblyReference.cache
  36. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/CL.command.1.tlog
  37. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/CL.read.1.tlog
  38. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/CL.write.1.tlog
  39. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/link.command.1.tlog
  40. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/link.read.1.tlog
  41. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/link.write.1.tlog
  42. +1 −1 modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/manipulation-attack.lastbuildstate
  43. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/rc.command.1.tlog
  44. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/rc.read.1.tlog
  45. BIN modfication-attack/decrypter/Debug/manipula.B076FF48.tlog/rc.write.1.tlog
  46. +33 −23 modfication-attack/decrypter/Debug/manipulation-attack.Build.CppClean.log
  47. BIN modfication-attack/decrypter/Debug/manipulation-attack.obj
  48. BIN modfication-attack/decrypter/Debug/manipulation-attack.pch
  49. BIN modfication-attack/decrypter/Debug/stdafx.obj
  50. BIN modfication-attack/decrypter/Debug/vc140.pdb
  51. +2 −2 modfication-attack/decrypter/Release/.NETFramework,Version=v4.5.2.AssemblyAttributes.asm
  52. BIN modfication-attack/decrypter/Release/.NETFramework,Version=v4.5.2.AssemblyAttributes.obj
  53. BIN modfication-attack/decrypter/Release/AssemblyInfo.obj
  54. +11 −6 modfication-attack/decrypter/Release/decrypter.log
  55. BIN modfication-attack/decrypter/Release/stdafx.obj
  56. BIN modfication-attack/decrypter/Release/vc140.pdb
  57. +1 −0 modfication-attack/decrypter/decrypter.vcxproj
  58. BIN modfication-attack/manipulation-attack.sdf
  59. +4 −4 modfication-attack/manipulation-attack.sln
104 README.md
@@ -1,52 +1,52 @@
# MS-RMS-Attacks
For an overview see:
https://web-in-security.blogspot.de/2016/07/how-to-break-microsoft-rights.html
We present two different attacks on Microsoft RMS:
1. Removing the RMS protection from a protected Word document resulting in a totally unprotected document. (decrypter)
2. Content modification of a RMS protectedWord document. (modification-attack)
Both attacks require only the *view-only* access right on the RMS protected file.
This is the minimal right, which can be assigned to a group or user in Microsoft RMS environment.
## Attack 1: Removing the RMS protection
For the first attack, we split the protected document (OLE compound file) into its components (RMS License and EncryptedPackage). This can be achieved, for example, by using 7zip.
We created an attack tool that can be executed by every user of the domain.
The tool removes the protection automatically, without any further interaction and creates a copy of the processed RMS protected file, which contains the same content, formatting, etc, but without the RMS protection.
The steps execute by the tool are as following:
1. The tool reads in the publishing license and client licensor certificate.
2. It uses the certificates from the previous step to request the content key (from the use license) from the RMS server or the client licensor cache.
3. It reads the encrypted content bytes and
4. uses the RMS API function IpcDecrypt to decrypt the content bytes with the previously acquired content key.
5. The decrypted content bytes are written into a new unprotected file, which can later be opened, for example, by using Microsoft Word.
We extended the first attack to an even more severe one: the second attack makes use of the first attack and goes one step further. After removing the protection (cf. attack 1), we modify the unprotected content of the file.
We then reprotect the file, so that it looks as it would have been created by the original author of the protected file, but contains the content that we have just modified.
## Attack 2: Content modification with *view-only* access right
This attack has the same requirements as the first attack.
Suppose we have removed the protection of one file. We then modify the content of the file and proceed as follows:
1. We use the original protected file and extract the contained RMS License file.
2. Our tool then reads the manipulated and unprotected file that we want to embed in the protected file.
3. The tool reads in the publishing license and client licensor certificate from the files extracted in Step 1.
4. By using these certificates, our too requests the content key from the RMS server or the client cache.
5. The tool pads the read bytes from the unprotected file to fit the 16 byte block size of the encryption algorithm.
6. It then uses the RMS API function IpcEncrypt to encrypt the content bytes with the previous acquired content key.
7. The encrypted content bytes are written into a new file.
8. We finally replace the previously encrypted content with those contained in the original protected RMS file.
The tampered protected document can not be distinguished from the original protected document.
It will look as it would have been created by the original author and only show the correct view access right for the
attacker.
This basically neglects the idea of the view-only RMS protection.
## Demo
- See the examples dir
# MS-RMS-Attacks
For an overview see:
https://web-in-security.blogspot.de/2016/07/how-to-break-microsoft-rights.html
We present two different attacks on Microsoft RMS:
1. Removing the RMS protection from a protected Word document resulting in a totally unprotected document. (decrypter)
2. Content modification of a RMS protectedWord document. (modification-attack)
Both attacks require only the *view-only* access right on the RMS protected file.
This is the minimal right, which can be assigned to a group or user in Microsoft RMS environment.
## Attack 1: Removing the RMS protection
For the first attack, we split the protected document (OLE compound file) into its components (RMS License and EncryptedPackage). This can be achieved, for example, by using 7zip.
We created an attack tool that can be executed by every user of the domain.
The tool removes the protection automatically, without any further interaction and creates a copy of the processed RMS protected file, which contains the same content, formatting, etc, but without the RMS protection.
The steps execute by the tool are as following:
1. The tool reads in the publishing license and client licensor certificate.
2. It uses the certificates from the previous step to request the content key (from the use license) from the RMS server or the client licensor cache.
3. It reads the encrypted content bytes and
4. uses the RMS API function IpcDecrypt to decrypt the content bytes with the previously acquired content key.
5. The decrypted content bytes are written into a new unprotected file, which can later be opened, for example, by using Microsoft Word.
We extended the first attack to an even more severe one: the second attack makes use of the first attack and goes one step further. After removing the protection (cf. attack 1), we modify the unprotected content of the file.
We then reprotect the file, so that it looks as it would have been created by the original author of the protected file, but contains the content that we have just modified.
## Attack 2: Content modification with *view-only* access right
This attack has the same requirements as the first attack.
Suppose we have removed the protection of one file. We then modify the content of the file and proceed as follows:
1. We use the original protected file and extract the contained RMS License file.
2. Our tool then reads the manipulated and unprotected file that we want to embed in the protected file.
3. The tool reads in the publishing license and client licensor certificate from the files extracted in Step 1.
4. By using these certificates, our too requests the content key from the RMS server or the client cache.
5. The tool pads the read bytes from the unprotected file to fit the 16 byte block size of the encryption algorithm.
6. It then uses the RMS API function IpcEncrypt to encrypt the content bytes with the previous acquired content key.
7. The encrypted content bytes are written into a new file.
8. We finally replace the previously encrypted content with those contained in the original protected RMS file.
The tampered protected document can not be distinguished from the original protected document.
It will look as it would have been created by the original author and only show the correct view access right for the
attacker.
This basically neglects the idea of the view-only RMS protection.
## Demo
- See the examples dir
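Review bot: all 52 lines of this hunk are deleted and re-added with byte-identical text, so the change is whitespace or line-ending only (typically CRLF versus LF from a Windows editor), and it buries the README's real history behind a full-file rewrite. Commit such normalizations on their own and add a `.gitattributes` with `* text=auto` so the repository stores LF consistently. Since the file is being rewritten anyway, the same pass should fix the wording defects visible in the hunk: "protectedWord" (missing space), "The steps execute by the tool are as following" (should read "executed ... as follows"), "our too requests" (tool), "previous acquired" (previously), "can not" (cannot), and step 8 of Attack 2, which reads backwards: it is the encrypted content inside the original protected file that is replaced by the newly encrypted bytes, not the reverse.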
@@ -1,7 +1,7 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "decrypter", "decrypter\decrypter.vcxproj", "{B076FF48-1177-48B5-8E1E-0568F4E4964E}"
EndProject
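Review bot: the only line this hunk changes is the `VisualStudioVersion` stamp (14.0.24720.0 to 14.0.25420.1), which Visual Studio rewrites whenever the solution is opened in a newer IDE; it is unrelated to the runtime-library switch the commit title describes, and the `.vcxproj` edits that actually carry that switch are not rendered on this page. Keep IDE version churn out of functional commits so the diff shows only the intended project-setting change.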

@@ -1,4 +1,4 @@
; Listing generated by Microsoft (R) Optimizing Compiler Version 19.00.23506.0
; Listing generated by Microsoft (R) Optimizing Compiler Version 19.00.24210.0
; Generated by VC++ for Common Language Runtime
.file "C:\Users\max.mustermann\AppData\Local\Temp\.NETFramework,Version=v4.5.2.AssemblyAttributes.cpp"
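Review bot: this is a compiler-generated assembly listing under a build output directory, and the only change is the compiler version stamp (19.00.23506.0 to 19.00.24210.0); it will churn on every toolchain update and it embeds a developer's local profile path (`C:\Users\max.mustermann\AppData\Local\Temp`). The same applies to the `.obj`, `.pch`, `.pdb`, `.tlog`, `.suo`, `.sdf` and `.opendb` files in this commit, including a `decrypter.tlog/unsuccessfulbuild` marker that records a failed build. Remove them from the tree with `git rm --cached` and add a `.gitignore` covering `Debug/`, `Release/`, `.vs/`, `*.sdf`, `*.opendb` and `*.suo` so that only sources and project files are versioned.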
