[Dailydave] Vista speach recognition
George Ou
george_ou at lanarchitect.net
Thu Feb 1 05:04:58 EST 2007
Rich verified it will work and you can execute code. So long as you stay in
the user-realm, you won't trigger UAC which cannot be bypassed "by default"
as Microsoft says.
-----Original Message-----
From: Sebastian Krahmer [mailto:krahmer at suse.de]
Sent: Thursday, February 01, 2007 1:32 AM
To: George Ou
Cc: dailydave at lists.immunitysec.com; 'Rich Mogull'
Subject: RE: [Dailydave] Vista speach recognition
On Wed, 31 Jan 2007, George Ou wrote:
So we do not know yet whether dl'ing and executing user-level binaries
works? Or does it not work (according to previous mail)?
Sebastian
> Doh! Maybe it was the right assumption that UAC isn't triggered on
> user-level executables. I need to verify but need to wait till I
> rebuild my Vista system. If anyone can verify this while my Vista
> system is being repaired, much appreciated.
>
> -----Original Message-----
> From: George Ou [mailto:george_ou at lanarchitect.net]
> Sent: Wednesday, January 31, 2007 11:26 AM
> To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> Subject: RE: [Dailydave] Vista speach recognition
>
> Ah I made a wrong assumption. Any executable you launch regardless of
> whether it attempts to access system files or not will trigger UAC.
>
> The file deletion concept still works though.
>
> George
>
> -----Original Message-----
> From: George Ou [mailto:george_ou at lanarchitect.net]
> Sent: Wednesday, January 31, 2007 3:09 AM
> To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> Subject: RE: [Dailydave] Vista speach recognition
>
> I just verified that TinyURL.com will give you a nice URL to an
> executable.
>
> Here's an example of a URL that opens a .EXE file.
> http://tinyurl.com/3d588b
>
> Now imagine that this was actually a user-mode malicious payload that
> avoids triggering UAC which contains ransomware. It's very easy to
> use Vista speech command to open IE7 and say "tinyURL.com/3d588b",
> "enter", "run". That will actually download and launch your desired
> payload from any website and TinyURL will make it easy to say. This
> is actually easier than my successful document-deleting recycle bin
> emptying test because it's a shorter script.
>
>
>
> George
>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~