{"id":57649,"date":"2024-06-21T16:50:22","date_gmt":"2024-06-21T13:50:22","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179174\/msplayready-leak.txt"},"modified":"2024-06-21T16:50:22","modified_gmt":"2024-06-21T13:50:22","slug":"microsoft-playready-data-leak","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/microsoft-playready-data-leak\/","title":{"rendered":"Microsoft PlayReady Data Leak"},"content":{"rendered":"

Hello All,<\/p>\n

On Jun 11, 2024 Microsoft engineer posted on a public forum
information about a crash experienced with Apple TV service on a
Surface Pro 9 device [1].<\/p>\n

The post had an attachment – a 771MB file (4GB unpacked), which leaked
internal code (260+ files [2]) pertaining to Microsoft PlayReady such
as the following:
– Warbird configuration for building PlayReady library
– Warbird library implementing code obfuscation functionality
– static libraries with symbolic information either required or
related to PlayReady client library building, this includes OEM,
crypto, ARM TEE \/ HW related libs a preprocessed C++ header file with
PlayReady constants, unpublished classes and their methods declaration<\/p>\n

In general the above leaked key information related to PlayReady
internals and implementation. Leaked data should be sufficient to
completely reverse engineer Microsoft PlayReady operation (HW based
one in particular).<\/p>\n

As such, on Jun 12, 2024 we notified Microsoft PlayReady and MSRC
about the leak shortly following its discovery.<\/p>\n

We verified that it is possible to build
Windows.Media.Protection.PlayReady.dll library (debug build and
without Warbird encryption \/ obfuscation) from the leaked code. A
follow up post by another Microsoft engineer provided guidelines on
how to proceed with the building process [4] (this post has been also
removed).<\/p>\n

We also verified that Microsoft Symbol Server didn\u2019t block request for
PDB file corresponding to Microsoft internal warbird.dll binary
(another leak \/ bug at Microsoft end).<\/p>\n

The leak violated Microsoft’s own guidelines [5] for posting link
repro information in public. These guidlines clearly state the
following among others:
– “All information in reports and any comments and replies are
publicly visible by default”
– “Don’t put anything you want to keep private in the title or content
of the initial report, which is public”
– “To maintain your privacy and keep your sensitive information out of
public view, be careful”<\/p>\n

The described leaks are yet another manifestation of what we have been
already aware of – the problems and inconsistencies observed at
Microsoft end with respect to PlayReady security and the way secrecy
of the implementation is implemented and\/or maintained by the company.<\/p>\n

While Microsoft removed the post (within 12 hours from the
notification), the company hasn’t removed the leak itself so far [3].<\/p>\n

There are some chances this post is to put Microsoft to action though…<\/p>\n

Thank you.<\/p>\n

Best Regards,
Adam Gowdiak<\/p>\n

———————————-
Security Explorations –
AG Security Research Lab
https:\/\/security-explorations.com
———————————-<\/p>\n

References:
[1] MSPR leak (screenshot 1)
https:\/\/security-explorations.com\/samples\/mspr_leak_screenshot.png
[2] MSPR leak (files list)
https:\/\/security-explorations.com\/samples\/mspr_leak_files.txt
[3] MSPR leak (screenshot 2)
https:\/\/security-explorations.com\/samples\/mspr_leak_screenshot2.png
[4] MSPR leak (screenshot 3)
https:\/\/security-explorations.com\/samples\/mspr_leak_screenshot3.png
[5] How to report a problem with the Microsoft C++ toolset or
documentation (Reports and privacy)
https:\/\/learn.microsoft.com\/en-us\/cpp\/overview\/how-to-report-a-problem-with-the-visual-cpp-toolset?view=msvc-170#reports-and-privacy<\/p>\n","protected":false},"excerpt":{"rendered":"

Hello All, On Jun 11, 2024 Microsoft engineer posted on a public foruminformation about a crash experienced with Apple TV service on aSurface Pro 9 device [1]. The post had an attachment – a 771MB file (4GB unpacked), which leakedinternal code (260+ files [2]) pertaining to Microsoft PlayReady suchas the following:– Warbird configuration for building …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57649","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57649"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57649\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}