Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vista speach recognition

From: "Ross Brown" <rbrown () eeye com>
Date: Tue, 30 Jan 2007 20:52:04 -0800
It would seem to me that you could use this to do some things that overcome other security features, like using the 
speech flaw to open an Instant Message or Skype session to create an outbound connection to a remote user, defeating 
some firewall protections.

Why they didn't just go ahead and figure "doh, these OS/X guys prolly did this for a reason is beyond me.

RB

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
To: 'Rich Mogull'
CC: dailydave () lists immunitysec com
Sent: Tue Jan 30 17:09:51 2007
Subject: Re: [Dailydave] Vista speach recognition

It won't bypass UAC and it won't let you have the command prompt control.  You can open the command prompt but it won't 
actually run commands.  However, you can wake an idle speech system, interact with the desktop, delete user files, and 
do all this without user interaction or ever triggering UAC or Secure Desktop.  That sounds like a serious remote 
exploit to me.  There are mitigating factors of course, but it's still pretty serious.  I figured this was too obvious 
to be an exploit, but I figured wrong.
 
 
George

________________________________

From: Rich Mogull [mailto:rmogull-dd () securosis com] 
Sent: Tuesday, January 30, 2007 5:06 PM
To: George Ou
Cc: 'Dave Aitel'; dailydave () lists immunitysec com
Subject: Re: [Dailydave] Vista speach recognition


I just tested this on Vista and it works. 

Running Vista Ultimate in Parallels on my Mac I enabled voice commands, then recorded a simple command and played it 
back. Using the mic and speakers on my Mac the commands executed. Sound quality was actually terrible because of poor 
Vista performance in the VM.

But UAC seems to stop it. At the suggestion of Dave Maynor I tried to create a new user account. The usual UAC window 
popped up and no voice commands seemed to work.

I suspect anything that avoids the "final" (greyed out background) UAC dialogs will work, but looks like UAC stops it. 
At least in my quick test...

-rich


On Jan 30, 2007, at 2:27 PM, George Ou wrote:


        Voice command is autoloaded if you calibrate the system and enable Voice commands. You can actually activate 
voice command mode by saying a certain phrase. If this exploit works, you could say that phrase first and then start 
your commands. Then you'd say "start", "cmd", "enter", then bark out the commands you want. This assumes it works and 
that no one near the PC gets suspicious :).
                        George

________________________________

        From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf 
Of Dave Aitel
        Sent: Tuesday, January 30, 2007 12:48 PM
        To: dailydave () lists immunitysec com
        Subject: Re: [Dailydave] Vista speach recognition
        
        
        That's a great idea! If the Microsoft people have thought of it, no doubt they ignore any sound coming out of 
the speakers, so you'll have to rely on an echo effect. Essentially you can always win if your model of the acoustic 
properties of the room is better than Vistas. :> Many speech recognition systems I've seen require the user to press a 
button first, of course. :> I haven't tested Vista's. I have, however, gotten CANVAS working on Vista. ( 
http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I recommend it over Windows XP SP2 because I think they 
removed that broken limitation from the TCP stack where you could only make 5 connections at once. 
        
        Also, here is an article about Evgeny! ok. Not entirely about Evgeny. Mostly about people buying bugs. For 
someone who's wife is a lawyer in this field, there's a lot of "apparently legal" talk in it. It's just plain legal! 
Everybody deal. 
        http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1&_r=1 
<http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1&_r=1> 
        
        -dave
        
        
        On 1/30/07, Sebastian Krahmer <krahmer () suse de > wrote: 


                Hi,
                
                I am in no way an Win expert but recently I read that
                vista will support commands as they are spoken by the user.
                What about websites where the browser is playing wav or similar
                audio files upon visiting? what if they contain spoken
                commands? An exploit audio file which speaks something like 
                'open shell' would be cool, eh?
                
                Sebastian
                
                
                --
                ~
                ~ perl self.pl
                ~ $_='print"\$_=\47$_\47;eval"';eval
                ~ krahmer () suse de - SuSE Security Team 
                ~
                
                _______________________________________________
                Dailydave mailing list
                Dailydave () lists immunitysec com
                http://lists.immunitysec.com/mailman/listinfo/dailydave
                


        _______________________________________________
        Dailydave mailing list
        Dailydave () lists immunitysec com
        http://lists.immunitysec.com/mailman/listinfo/dailydave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: