RE: FAX a virus

["Craig Wright" <cwright () bdosyd com au>]

Hello,
Again, I have asked for a proof. Not a look at the standard (which does nothing - even to the concept). You seem to be 
this time making an implication that a fuzzing attack will work? No details or even the nature of the attack are in the 
email however.

So Sorry, but stating see T.37 is not a proof. It is not a concept of a proof.

I am not stuck on the idea of a fax machine. Again I would assume that you are trying to imply a fuzzing attack? If so, 
please elaborate. You can not prove something by stating that it must be possible as there is email somewhere in the 
process.

I reiterate. Please detail a proof.

Craig

________________________________

From: Daniel Anderson [mailto:dtndan () gmail com]
Sent: Wed 7/03/2007 5:42 PM
To: Craig Wright
Cc: Nick Duda; security-basics () securityfocus com; Bob Radvanovsky
Subject: Re: FAX a virus


Read ITU T.37

If you cannot see how a malicious "on ramp" (you could really skip the on ramp all together and just send the e-mail 
with the payload) and an "off ramp" (or even an end user system) with a vulnerable tiff library could be a problem then 
this discussion is hopeless.

You seem to be stuck thinking that FAX requires FAX machines, analog signals, scanning documents and phone lines. 

(For those of you who could care less about FOIP and the ITU....T.37 is store and forward faxing in which the 
"document" is encoded as a MIME attached TIFF at the on ramp and is then sent via an IP network as SMTP to the off ramp 
which could then send the TIFF to a computer-based recipient or can also convert the TIFF back into analog T.30 style 
signals for printing.)

http://www.cisco.com/warp/public/788/voip/T37-store-forward-fax.html

Dan





On 3/6/07, Craig Wright <cwright () bdosyd com au > wrote:


        Sorry Daniel, it does not suffice to state that Fax is digital therefore
        it must be vulnerable.

        Please do bring up another case. I am happy to analyse it. As I have
        stated, scientific process required that you prove a condition. I will
        happily shoot down any of the theretical conditions that are being
        suggested however.

        You can not send digital data through a fax line (computer to computer
        or not) in order to cause a buffer overflow. Error correction is
        adaequate to send textual information with a moderate degree of success
        and few errors. However, the level of white noise rejection is too high
        to send anything that can result in a buffer overflow.

        Fuzzing has already been brought up and shown to be the wrong approach.
        Tiff libray attachs all reqiure direct manipulation of the saved digital
        data. When sending an image, the scan is converted and reprocessed. So
        this can not work.

        Please !!! Prove me wrong ! You state that I am - prove it! Supply some
        evidence other than stating I am ranting and proive your accusations. I
        have never stated I am nice and I know I am not diplomatic, but prove me
        wrong.

        Craig

        -----Original Message-----
        From: Daniel Anderson [mailto: dtndan () gmail com <mailto:dtndan () gmail com>  ]
        Sent: Wednesday, 7 March 2007 12:18 PM
        To: Craig Wright
        Cc: Nick Duda; anonymous () email com; security-basics () securityfocus com
        Subject: Re: FAX a virus

        Nick, I wouldn't waste my time.  Craig seems to want to hear himself
        rant today.

        You can tell because he is screaming about FUD, making cracks about who
        is "professional" and who is not, bringing in lots of nonrelated info,
        and giving us unnecessary background info, but not useful info like
        current ITU standards, T.30, T.38, etc.

        Suffice it to say that FAX has grown up into a digital data protocol,
        and there are various potential areas that could be explored once you
        get your head around the fact that a FAX no longer has to involve paper
        any more and, if it is ever analog, is only analog for the physical bit
        between the modems (which really doesn't matter one way or the other).

        While the OP suggested a situation that could not really occur (inject
        macro type virus over FAX) a variety of buffer overflows (driver, tiff
        libraries, PDF libraries, etc), etc should be analyzed and not merely
        declared as "FUD, FUD, FUD".

        Dan


        On 3/6/07, Craig Wright <cwright () bdosyd com au > wrote:


                No, the attach is not against the fax. It is not via the fax
        comms. It
                is simply an attack against a cisco over IP that you are
        assuming.

                The cisco can not be attacked in the manner you suggest.

                Please feel free to prove me wrong.

                Craig

                -----Original Message-----
                From: Nick Duda [mailto:nduda () VistaPrint com ]
                Sent: Wednesday, 7 March 2007 4:18 AM
                To: Craig Wright; anonymous () email com
        <mailto: anonymous () email com <mailto:anonymous () email com> > ; security-basics () securityfocus com
                Subject: RE: FAX a virus

                Fax machine + Cisco ATA + IP + CallManager = Fax machine

                Fax machine can = software

                Fax can be IP/Software based....a possible vector for an attack.

                ________________________________

                From: listbounce () securityfocus com on behalf of Craig Wright
                Sent: Fri 3/2/2007 11:51 PM
                To: anonymous () email com; security-basics () securityfocus com
                Subject: RE: FAX a virus




                FAX!
                There is NO UDP/IP port. NO TCP/IP port. No IP Address.


                FAX is not IP based.


                Not theory at all. FUD!


                Craig

                ________________________________

                From: listbounce () securityfocus com
        <mailto: listbounce () securityfocus com <mailto:listbounce () securityfocus com> >  on behalf of anonymous () 
email com
                Sent: Fri 2/03/2007 6:31 AM
                To: security-basics () securityfocus com
                Subject: Re: FAX a virus



                Perhaps something along these lines:

                Dependant on resolving the phone number to an IP address of
        course, but
                once that information is found either through social engineering
        or voip
                probes you could use nmap to find which port is working as the
        fax
                reciever then attempt to determine the type of fax machine and
        from
                there if you knew assembly could *possibly (if the fax machine
        allowed
                remote firmware upgrades) rewrite the firmware of the machine
        itself but
                a more practical method would be to temporarily store
        information in the
                buffer of the fax machine (this would cause garbage to be
        printed for
                one thing which would be a big annoyance).

                And from what you have described from your setup the software
        itself may
                be vulnerable to memory bounds checks etc. You would want to
        research
                the software using lists such as this if you are truely afraid
        of
                vulnerabilities in your fax application.

                Again this is more theoretical then practical but you get the
        idea.


        ------------------------------------------------------------------------
                ---
                This list is sponsored by: BigFix

                If your IT fails, you're out of business - or worse.  Arm your
                enterprise with BigFix, the single converged IT security and
        operations
                engine. BigFix enables continuous discovery, assessment,
        remediation,
                and enforcement for complex and distributed IT environments in
        real-time
                from a single console.
                Think what's next. Think BigFix.


        http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/
                ITNext/

        ------------------------------------------------------------------------

                ---




                Liability limited by a scheme approved under Professional
        Standards
                Legislation in respect of matters arising within those States
        and
                Territories of Australia where such legislation exists.

                DISCLAIMER
                The information contained in this email and any attachments is
                confidential. If you are not the intended recipient, you must
        not use or
                disclose the information. If you have received this email in
        error,
                please inform us promptly by reply email or by telephoning +61 2
        9286
                5555. Please delete the email and destroy any printed copy.


                Any views expressed in this message are those of the individual
        sender.
                You may not rely on this message as advice unless it has been
                electronically signed by a Partner of BDO or it is subsequently
                confirmed by letter or fax signed by a Partner of BDO.

                BDO accepts no liability for any damage caused by this email or
        its
                attachments due to viruses, interference, interception,
        corruption or
                unauthorised access.



                Liability limited by a scheme approved under Professional
        Standards Legislation in respect of matters arising within those States
        and Territories of Australia where such legislation exists.

                DISCLAIMER
                The information contained in this email and any attachments is
        confidential. If you are not the intended recipient, you must not use or
        disclose the information. If you have received this email in error,
        please inform us promptly by reply email or by telephoning +61 2 9286
        5555. Please delete the email and destroy any printed copy.

                Any views expressed in this message are those of the individual
        sender. You may not rely on this message as advice unless it has been
        electronically signed by a Partner of BDO or it is subsequently
        confirmed by letter or fax signed by a Partner of BDO.

                BDO accepts no liability for any damage caused by this email or
        its attachments due to viruses, interference, interception, corruption
        or unauthorised access.




        Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising 
within those States and Territories of Australia where such legislation exists.

        DISCLAIMER
        The information contained in this email and any attachments is confidential. If you are not the intended 
recipient, you must not use or disclose the information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

        Any views expressed in this message are those of the individual sender. You may not rely on this message as 
advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax 
signed by a Partner of BDO.

        BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.




Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.