25th USENIX Security Symposium has ended
Monday, August 8 • 11:30am - 12:00pm
How to Break Microsoft Rights Management Services


Rights Management Services (RMS) are used to enforce access control in a distributed environment, and to cryptographically protect companies’ assets by restricting access rights, for example, to view-only, edit, print, etc., on a per-document basis. One of the most prominent RMS implementations is Microsoft RMS. It can be found in Active Directory (AD) and Azure. Previous research concentrated on generic weaknesses of RMS, but did not present attacks on real world systems.

We provide a security analysis of Microsoft RMS and present two working attacks: (1.) We completely remove the RMS protection of a Word document on which we only have a view-only permission, without having the right to edit it. This shows that in contrast to claims made by Microsoft, Microsoft RMS can only be used to enforce all-or-nothing access. (2.) We extend this attack to be stealthy in the following sense: We show how to modify the content of an RMS write-protected Word document issued by our victim. The resulting document still claims to be write protected, and that the modified content was generated by the victim. We show that these attacks are not limited to local instances of Microsoft AD, and can be extended to Azure RMS and Office 365. We responsibly disclosed our findings to Microsoft. They acknowledged our findings (MSRC Case 33210).


Martin Grothe

Ruhr-University Bochum

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker, and has published several papers in the field of XML security...

Jörg Schwenk

Ruhr-University Bochum

Monday August 8, 2016 11:30am - 12:00pm PDT
Texas Ballroom 1
