September 7th, 2024

Keyhole – Forge own Windows Store licenses

A newly discovered exploit named "Keyhole" allows bypassing Microsoft's Client Licensing Platform, enabling unauthorized license creation for Microsoft products. Researchers shared their findings after Cisco TALOS reported the vulnerability.


The blog post discusses a newly discovered exploit named "Keyhole," which allows users to bypass Microsoft's Client Licensing Platform (CLiP) and activate any Microsoft Store app or Windows edition. The researchers found that a valid ECDSA key for signing XML licenses is stored in an unobfuscated form within the clipup.exe binary, enabling unauthorized license creation. By manipulating license blocks, they discovered that data placed after the signature block is not checked, allowing them to override existing license data. This exploit effectively undermines CLiP's DRM system, enabling the creation of licenses for various Microsoft products, including Windows itself. The researchers initially celebrated their findings but later learned that Cisco TALOS had reported the same vulnerability to Microsoft, categorizing it as a "privilege escalation." The researchers expressed disappointment over the lack of recognition for their work and the subsequent patch that would close the exploit. They have since released their findings and tools for others to explore CLiP further.

- The "Keyhole" exploit allows bypassing Microsoft's CLiP for unauthorized license creation.

- A valid ECDSA key in clipup.exe enables signing of XML licenses.

- License blocks can be manipulated by placing data after the signature block, overriding previous data.

- Cisco TALOS reported the vulnerability to Microsoft, leading to a patch that closes the exploit.

- The researchers have shared their findings and tools for further exploration of CLiP.
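The flaw the summary describes is a general verifier-design mistake: the signature covers only the blocks that precede it, but the parser then folds every block into the final license record with "last block of a type wins", so anything appended after the signature is trusted without being signed. The following added example (not code from the original post, from the Keyhole researchers, or from Microsoft; the block format, field names and the HMAC-SHA256 tag standing in for the real ECDSA signature are all constructed for illustration) shows a toy block-based license, a verifier with that weakness, and a hardened verifier that requires the signature to be the final block, rejects trailing data, and rejects duplicate block types.

```python
import hashlib
import hmac

# Constructed demo key; an HMAC tag stands in for an asymmetric signature.
KEY = b"constructed-demo-key"

# A license is a list of (block_type, value) pairs. The "sig" block holds a
# tag over the serialized blocks that precede it.


def serialize(blocks):
    """Canonical byte form of a block list, used as the signed message."""
    return "\n".join(f"{t}={v}" for t, v in blocks).encode()


def sign_blocks(blocks, key=KEY):
    """Append a 'sig' block covering all blocks before it."""
    tag = hmac.new(key, serialize(blocks), hashlib.sha256).hexdigest()
    return blocks + [("sig", tag)]


def parse_naive(blocks, key=KEY):
    """Weak verifier (the pattern the article describes).

    Checks the tag over the blocks before 'sig', then builds the license
    record from ALL blocks, so unsigned blocks after 'sig' override signed ones.
    """
    idx = next(i for i, (t, _) in enumerate(blocks) if t == "sig")
    expected = hmac.new(key, serialize(blocks[:idx]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blocks[idx][1]):
        raise ValueError("bad signature")
    fields = {}
    for t, v in blocks:
        if t != "sig":
            fields[t] = v  # last block of a type wins, even past the signature
    return fields


def parse_strict(blocks, key=KEY):
    """Hardened verifier.

    The signature must be the final block (no trailing data), it must cover
    everything before it, and duplicate block types are rejected so there is
    no ambiguity about which value the signer vouched for.
    """
    if not blocks or blocks[-1][0] != "sig":
        raise ValueError("signature must be the last block; trailing data rejected")
    body = blocks[:-1]
    expected = hmac.new(key, serialize(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blocks[-1][1]):
        raise ValueError("bad signature")
    fields = {}
    for t, v in body:
        if t == "sig" or t in fields:
            raise ValueError(f"duplicate or misplaced block {t!r}")
        fields[t] = v
    return fields


if __name__ == "__main__":
    # Constructed sample license: a trial entitlement, properly signed.
    signed = sign_blocks([("product", "Demo App"), ("kind", "trial")])
    # An unsigned block appended after the signature.
    tampered = signed + [("kind", "perpetual")]
    print("naive :", parse_naive(tampered))  # accepts the override
    try:
        parse_strict(tampered)
    except ValueError as e:
        print("strict:", e)  # rejects trailing data
```

The design point for a verifier is that the signed message and the parsed record must be derived from exactly the same bytes; any byte the parser consumes that the signer did not cover, and any rule such as "last duplicate wins" applied after verification, re-opens the gap the page describes.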

AI: What people are saying
The comments reflect a mix of reactions to the "Keyhole" exploit and its implications for Microsoft products.
  • Many users express interest in using the exploit to access games and applications for free, particularly Xbox games and specific Windows apps.
  • Concerns are raised about the potential for Microsoft to quickly patch the exploit, limiting its effectiveness.
  • Some commenters discuss the broader implications of Microsoft's licensing practices and DRM strategies, questioning their impact on user security.
  • There are mentions of previous methods for bypassing licensing checks, indicating a history of similar exploits.
  • Criticism of the article's professionalism and the manner in which the exploit was reported is noted.
18 comments
By @Tepix - 4 months
So, just stating the obvious, you can now (¥) download all Xbox games directly from the Microsoft Store for free? I.e. the Xbox is - for now - as completely hacked as the PS Vita?

(¥) you might have to figure out some details

By @nicolas_t - 4 months
Now I just wish this could give me a license to install the Lego Boost for Windows 10 app that used to be on the Windows Store until 2020...

From my understanding, if you have the license, then you can still download it but it's not available for new users.

By @layer8 - 4 months
If I read this correctly, Microsoft will be able to reduce the applicability of the temporary-license signing key, meaning that you probably won’t be able to generate permanent licenses for long.
By @throwaway48476 - 4 months
Can this be used to enable the HEVC extension without a M$ account? It's so frustrating they can't license the patents as a lump sum.
By @libertine - 4 months
This sort of thing over decades has been the best distribution and communication channel for Windows.
By @Jerrrrrrry - 4 months
Ironically, I will be using this un-ironically to play Guitar Hero games that I have the physical discs to, on retail hardware, that has the games installed, but not "licensed" to play without physical tethering of the disc in the failed DVD drive.

The double irony is that, even if it works, I may not be able to read my own game-saves since the Console's own public key is on the revocation list. I could sidestep this by resigning the CON files with the default value, 0.

The triple irony may be forthcoming yet. This all looks very familiar indeed.

fuckin brilliant

By @thund - 4 months
In case your antivirus is censoring the page: https://archive.is/90XGW
By @nixosbestos - 4 months
Clip has been around longer than the Xbox One though?
By @AshamedCaptain - 4 months
After reading the article, and especially the remarks about this engine being copy-pasted from the Xbox DRM engine, does anyone still believe that Pluton, also copy-pasted from the Xbox, is about end user security? And not totally about MS finally having enforceable DRM on PCs?

Oh and by the way Pluton is now on the latest batch of Intel laptop chips. And has been on AMD's for a while. How soon until Windows requires it?

By @loeg - 4 months
> As it turns out, data after the signature block isn't checked at all... and it can even override data that came before it. Whenever two blocks of the same type are stored together, the last one overrides all the others before it. So, if we want to change any license data, we can just make a block for it and put it after the signature block!

Amazing.

By @thrownawaysz - 4 months
MAS (which is also hosted on Github) is the perfect example of Microsoft not caring about end user piracy. Just use it.
By @a1o - 4 months
Does anyone know a good way to activate MS Office on macOS? Doesn't matter how many times I buy the thing, it eventually forgets the license and calling Microsoft Support usually doesn't result in anything. One day Office starts complaining that it's not activated and then it eventually locks me out of it. It would be nice if the Office license on macOS actually worked, but if there's an easy solution for activation I wouldn't look back.
By @antimemetics - 4 months
For my personal use I found it trivial to activate my Win10 Professional. I just had to change the server address for the license check and boom fully activated. Not gonna share the specifics here but you can find it easily.

I guess the method described here does "more" since it's much more elaborate. Not super familiar with the different levels of Win licences.

By @vednig - 4 months
> which we independently uncovered around the same time it was reported to Microsoft

highly suspicious

By @bloqs - 4 months
So this is now patched? And this works on xbox store too?
By @HL33tibCe7 - 4 months
> massgrave.dev

Bit gross to be honest