Hello All,
On Jun 11, 2024 Microsoft engineer posted on a public forum
information about a crash experienced with Apple TV service on a
Surface Pro 9 device [1].
The post had an attachment - a 771MB file (4GB unpacked), which leaked
internal code (260+ files [2]) pertaining to Microsoft PlayReady such
as the following:
- Warbird configuration for building PlayReady library
- Warbird library implementing code obfuscation functionality
- static libraries with symbolic information either required or
related to PlayReady client library building, this includes OEM,
crypto, ARM TEE / HW related libs a preprocessed C++ header file with
PlayReady constants, unpublished classes and their methods declaration
In general the above leaked key information related to PlayReady
internals and implementation. Leaked data should be sufficient to
completely reverse engineer Microsoft PlayReady operation (HW based
one in particular).
As such, on Jun 12, 2024 we notified Microsoft PlayReady and MSRC
about the leak shortly following its discovery.
We verified that it is possible to build
Windows.Media.Protection.PlayReady.dll library (debug build and
without Warbird encryption / obfuscation) from the leaked code. A
follow up post by another Microsoft engineer provided guidelines on
how to proceed with the building process [4] (this post has been also
removed).
We also verified that Microsoft Symbol Server didn’t block request for
PDB file corresponding to Microsoft internal warbird.dll binary
(another leak / bug at Microsoft end).
The leak violated Microsoft's own guidelines [5] for posting link
repro information in public. These guidlines clearly state the
following among others:
- "All information in reports and any comments and replies are
publicly visible by default"
- "Don't put anything you want to keep private in the title or content
of the initial report, which is public"
- "To maintain your privacy and keep your sensitive information out of
public view, be careful"
The described leaks are yet another manifestation of what we have been
already aware of - the problems and inconsistencies observed at
Microsoft end with respect to PlayReady security and the way secrecy
of the implementation is implemented and/or maintained by the company.
While Microsoft removed the post (within 12 hours from the
notification), the company hasn't removed the leak itself so far [3].
There are some chances this post is to put Microsoft to action though...
Thank you.
Best Regards,
Adam Gowdiak
----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------
References:
[1] MSPR leak (screenshot 1)
https://security-explorations.com/samples/mspr_leak_screenshot.png
[2] MSPR leak (files list)
https://security-explorations.com/samples/mspr_leak_files.txt
[3] MSPR leak (screenshot 2)
https://security-explorations.com/samples/mspr_leak_screenshot2.png
[4] MSPR leak (screenshot 3)
https://security-explorations.com/samples/mspr_leak_screenshot3.png
[5] How to report a problem with the Microsoft C++ toolset or
documentation (Reports and privacy)
https://learn.microsoft.com/en-us/cpp/overview/how-to-report-a-problem-with-the-visual-cpp-toolset?view=msvc-170#reports-and-privacy