lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADbNDXEoPwJF9PWU89Ku4gbiEehuXDKQmmu9p5NvmDY3gdhX_Q@mail.gmail.com>
Date: Mon, 6 May 2024 10:52:07 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: fulldisclosure@...lists.org
Subject: [FD] Microsoft PlayReady toolkit - codes release

Hello All,

We released codes for "Microsoft PlayReady toolkit", a tool that has
been developed as part of our research from 2022:

https://security-explorations.com/microsoft-playready.html#details

The toolkit illustrates the following:
- fake client device identity generation,
- acquisition of license and content keys for encrypted content,
- downloading and decryption of content,
- content inspection (MPEG-4 file format),
- Manifest files inspection,
- combination of content fragments into single, ready to play or
distribute, plaintext movie file,
- watermarking detection / checks,
- CDN auth bypass,
- license crawling,
- automatic content security check for Canal+ environment.

Please, note that due to “not fixed” status (Microsoft didn't revoke
group cert and Canal+ didn't implement auth checks for license server
among others) the following has been removed from the public package:
- crypto secrets such as STB private keys, PlayReady private group
key, Canal+ client SSL certificates, CDN / VOD secrets,
- STB PlayReady binary
- reverse engineering API traces
- functionality pertaining to VOD purchases / orders (online and SMS
based, affecting users' billing)

As such, the toolkit is not "functional / ready to use" (the codes
cannot be used for the piracy of Canal+ VOD content without the
missing secrets).
Yet, we hope the released codes help both security researchers
interested in PayTV / content security along content providers gain a
more in-depth understanding of Microsoft PlayReady technology
operation and its limitations. We hope it helps others avoid some
mistakes too.

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ