A vulnerability called 'Keyhole' that allows free apps to forge Windows licenses has been discovered and has already been fixed



A research team at MASSGRAVE, an open source developer of activators for Windows and Office, has revealed a vulnerability called 'Keyhole' in the Client Licensing Platform (CLiP) system for Windows 10 and later. The vulnerability was reported to Microsoft by Cisco TALOS and has already been fixed.

Keyhole | MAS
https://massgrave.dev/blog/keyhole

CLiP is a system primarily intended for the implementation of DRM for Microsoft Store apps and for Windows activation integration, allowing users to purchase digital licenses for Windows through the Microsoft Store.



The research team discovered that an ECDSA key was stored unencrypted inside ClipUp, a program that converts Windows 8 store licenses, genuine tickets, and product keys into digital licenses. The key was originally intended to sign temporary licenses sent to the Microsoft Store, but it could also be used to sign XML licenses in the same way as genuine Microsoft products.



The license manager ClipSvc accepted such an XML license, bypassing the user-mode security checks. Furthermore, the kernel-mode driver ClipSvc did not properly validate data appended after the signature block, so the license information could be modified after signing. This allowed an attacker to alter a legitimate license and turn it into a new one.
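The post-signature check described above, as an added illustration that is not from the MASSGRAVE write-up or from any Microsoft code: a flawed verifier checks a signature that covers only the license body and then parses the whole blob, so fields in an unsigned trailer override signed ones, while the hardened verifier rejects any bytes after the signature block. The license layout, the HMAC stand-in for ECDSA, and the key are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key. CLiP uses ECDSA; an HMAC stands in here so the example
# runs on the standard library alone. The structural flaw shown (verification
# covering only the signed block) does not depend on the signature algorithm.
SIGNING_KEY = b"constructed-demo-key"
SIG_OPEN, SIG_CLOSE = "<Signature>", "</Signature>"

def _tag(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def sign_license(body_xml: str) -> bytes:
    """Append a signature block to the license body (assumed layout)."""
    return f"{body_xml}{SIG_OPEN}{_tag(body_xml)}{SIG_CLOSE}".encode()

def split_blob(blob: bytes):
    """Return (signed body, signature, bytes after the signature block)."""
    text = blob.decode()
    start = text.index(SIG_OPEN)
    end = text.index(SIG_CLOSE, start) + len(SIG_CLOSE)
    return text[:start], text[start + len(SIG_OPEN):end - len(SIG_CLOSE)], text[end:]

def _fields(*fragments: str) -> dict:
    root = ET.fromstring("<License>" + "".join(fragments) + "</License>")
    return {child.tag: child.text for child in root}  # a later duplicate tag wins

def naive_verify(blob: bytes):
    """Flawed: checks the signature, then parses the whole blob, trailer included."""
    try:
        body, sig, trailer = split_blob(blob)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _tag(body)):
        return None
    return _fields(body, trailer)  # unsigned trailer fields override signed ones

def strict_verify(blob: bytes):
    """Hardened: nothing may follow the signature block; it must cover everything."""
    try:
        body, sig, trailer = split_blob(blob)
    except (ValueError, UnicodeDecodeError):
        return None
    if trailer or not hmac.compare_digest(sig, _tag(body)):
        return None
    return _fields(body)
```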

The research team reported that they were able to exploit this vulnerability by installing a genuine free app from the Microsoft Store, capturing the traffic during the installation, intercepting the license, and packaging it into an XML file to activate Windows.



For MASSGRAVE, as an open source Windows activator developer, the discovery of this vulnerability was welcome, but since the same vulnerability had been reported by Cisco TALOS and was quickly fixed, the MASSGRAVE research team decided it was fair to make the Keyhole research findings public.

According to the MASSGRAVE research team, the ClipSp code is of very low quality and contains a great deal of copy-and-paste. In particular, much of it was reused from the Xbox One's secure processor code, and the Xbox One had similar bugs.

in Software,   Web Service,   Security, Posted by log1i_yk