There is an architectural and design issue in Microsoft's PlayReady which can be successfully exploited to gain access to a license server from arbitrary clients. The problem has its origin in PlayReady's flat certificate namespace and reliance on a single root key, combined with the absence of any client authentication at the license server end by default (deemed not a bug by Microsoft).
On June 11, 2024, a Microsoft Engineer posted information about a crash that inadvertently leaked internal data related to PlayReady and Warbird libraries.
The Security Explorations team has come up with two attack scenarios that make it possible to extract private ECC keys used by a PlayReady client (Windows SW DRM scenario) for the communication with a license server and identity purposes. Proof of concept included.
Systemd-run/run0 allocates user-owned ptys and attaches the slave to high privilege programs without changing ownership or locking the pty slave.
The Microsoft PlayReady toolkit assists with fake client device identity generation, acquisition of licenses and content keys for encrypted content, and much more. It demonstrates weak content protection in the environment of CANAL+. The proof of concept exploits 3-year-old vulnerabilities in CANAL+ STB devices, which make it possible to gain code execution on target STB devices over an IP network.
There is yet another attack possible against the Protected Media Path process beyond the one involving two global XOR keys. The new attack may also result in the extraction of a plaintext content key value.
Microsoft PlayReady suffers from issues that can lead to disclosure of plaintext keys used to protect DRM'ed content.
This is an extension of research on the original findings of CVE-2020-15858 in Telit Cinterion IoT devices. Numerous issues have been discovered including path traversal, Java privilege elevation, AT commands whitelist / blacklist bypass, a heap overflow in fragmented SMS, and more.
Security Explorations conducted a security analysis of Microsoft PlayReady content protection technology in the environment of the CANAL+ SAT TV provider. As a result, complete access to movie assets and content keys available in the CANAL+ VOD library could be gained with the use of a fake client device identity. Microsoft and CANAL+ have seemingly decided to ignore this large laundry list of failures.
Security Explorations has discovered multiple security vulnerabilities in the reference implementation of Java Card technology from Oracle, used in the financial, government, transportation and telecommunication sectors among others. As for the impact, the vulnerabilities found make it possible to break memory safety of the underlying Java Card VM. As a result, full access to smartcard memory could be achieved, the applet firewall could be broken, or native code execution could be gained. This archive contains the proof of concept code that demonstrates these vulnerabilities, which were originally made public in March of 2019.
This is the second of two extensive reports sent to Gemalto by Security Explorations to document vulnerabilities found in Java Card. Issue 34 is documented in this report.
This is the first of two extensive reports sent to Gemalto by Security Explorations to document vulnerabilities found in Java Card. Issues 19 and 33 are in this report.
This is the third of three extensive reports sent to Oracle by Security Explorations to document vulnerabilities found in Java Card. Issues 26 through 32 are in this report.
This is the second of three extensive reports sent to Oracle by Security Explorations to document vulnerabilities found in Java Card. Issues 20 through 25 are in this report.
This is the first of three extensive reports sent to Oracle by Security Explorations to document vulnerabilities found in Java Card. Issues 1 through 18 are in this report.
Security Explorations has discovered multiple security vulnerabilities in the reference implementation of Java Card technology from Oracle, used in the financial, government, transportation and telecommunication sectors among others. As for the impact, the vulnerabilities found make it possible to break memory safety of the underlying Java Card VM. As a result, full access to smartcard memory could be achieved, the applet firewall could be broken, or native code execution could be gained.
A multitude of security issues exist within STMicroelectronics DVB chipsets including, but not limited to, credential leakage, buffer overflows, and data leaks. This is the full release of both the whitepaper and dozens of proof of concept details.
This detailed research paper discusses a multitude of security issues with STMicroelectronics DVB chipsets including, but not limited to, credential leakage, buffer overflows, and data leaks.
This archive holds a 70+ page technical paper accompanied by two reverse engineering tools for analyzing STMicroelectronics DVB chipsets.
The patch for Issue 70 in IBM Java, discovered by Security Explorations in 2013, was found to be faulty. Included are the full report and a proof of concept.
The patch for Issue 67 in IBM Java, discovered by Security Explorations in 2013, was found to be faulty.
Security Explorations has released details and a proof of concept to bypass a broken security fix found in the Oracle Java SE update from September 2013.
In their original report, Security Explorations indicated that Issue 42 in SE-2014-02 had its origin in the implementation of the klassItable::initialize_itable_for_interface method in the Java SE 7 HotSpot VM. They have recently learned that their initial analysis regarding the root cause of Issue 42 was incorrect. This report contains more detailed information about the actual cause of Issue 42, the reasoning that misled them into concluding it was caused by an improper initialization of non-public interface method slots, and some additional findings regarding this issue.
Issue number 42 from SE-2014-02 has been addressed by Oracle. Included in this archive are proofs of concept and information regarding the fix.
This is a fun write-up detailing vulnerabilities in Oracle products discovered by the security community and how Oracle CSO Mary Ann Davidson's math on the subject just does not add up. No surprise there.