Microsoft PlayReady Data Leak
On June 11, 2024, a Microsoft engineer posted information about a crash on a public forum, and the post's attachment inadvertently leaked internal data related to the PlayReady and Warbird libraries.
Hello All,

On Jun 11, 2024 a Microsoft engineer posted on a public forum information about a crash experienced with Apple TV service on a Surface Pro 9 device [1].

The post had an attachment - a 771MB file (4GB unpacked), which leaked internal code (260+ files [2]) pertaining to Microsoft PlayReady such as the following:
- Warbird configuration for building PlayReady library
- Warbird library implementing code obfuscation functionality
- static libraries with symbolic information either required or related to PlayReady client library building, this includes OEM, crypto, ARM TEE / HW related libs
- a preprocessed C++ header file with PlayReady constants, unpublished classes and their methods declaration

In general the above leaked key information related to PlayReady internals and implementation. Leaked data should be sufficient to completely reverse engineer Microsoft PlayReady operation (HW based one in particular).

As such, on Jun 12, 2024 we notified Microsoft PlayReady and MSRC about the leak shortly following its discovery.

We verified that it is possible to build Windows.Media.Protection.PlayReady.dll library (debug build and without Warbird encryption / obfuscation) from the leaked code. A follow up post by another Microsoft engineer provided guidelines on how to proceed with the building process [4] (this post has been also removed).

We also verified that Microsoft Symbol Server didn’t block request for PDB file corresponding to Microsoft internal warbird.dll binary (another leak / bug at Microsoft end).

The leak violated Microsoft's own guidelines [5] for posting link repro information in public. These guidelines clearly state the following among others:
- "All information in reports and any comments and replies are publicly visible by default"
- "Don't put anything you want to keep private in the title or content of the initial report, which is public"
- "To maintain your privacy and keep your sensitive information out of public view, be careful"

The described leaks are yet another manifestation of what we have been already aware of - the problems and inconsistencies observed at Microsoft end with respect to PlayReady security and the way secrecy of the implementation is implemented and/or maintained by the company.

While Microsoft removed the post (within 12 hours from the notification), the company hasn't removed the leak itself so far [3]. There are some chances this post is to put Microsoft to action though...

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------

References:
[1] MSPR leak (screenshot 1)
    https://security-explorations.com/samples/mspr_leak_screenshot.png
[2] MSPR leak (files list)
    https://security-explorations.com/samples/mspr_leak_files.txt
[3] MSPR leak (screenshot 2)
    https://security-explorations.com/samples/mspr_leak_screenshot2.png
[4] MSPR leak (screenshot 3)
    https://security-explorations.com/samples/mspr_leak_screenshot3.png
[5] How to report a problem with the Microsoft C++ toolset or documentation (Reports and privacy)
    https://learn.microsoft.com/en-us/cpp/overview/how-to-report-a-problem-with-the-visual-cpp-toolset?view=msvc-170#reports-and-privacy