[Dailydave] Vista speech recognition

Sebastian Krahmer krahmer at suse.de
Thu Feb 1 05:09:38 EST 2007


On Thu, 1 Feb 2007, George Ou wrote:

BTW, is there a specification of which actions by a binary will trigger UAC?
Opening sockets? Executing a command shell?
UAC might be bypassed as well; remember all the kernel
level exploits for Linux, there might be similar ones for Win.

Sebastian

> Rich verified it will work and you can execute code.  So long as you stay in
> the user-realm, you won't trigger UAC which cannot be bypassed "by default"
> as Microsoft says. 
> 
> -----Original Message-----
> From: Sebastian Krahmer [mailto:krahmer at suse.de] 
> Sent: Thursday, February 01, 2007 1:32 AM
> To: George Ou
> Cc: dailydave at lists.immunitysec.com; 'Rich Mogull'
> Subject: RE: [Dailydave] Vista speach recognition
> 
> On Wed, 31 Jan 2007, George Ou wrote:
> 
> So we do not know yet whether dl'ing and executing user-level binaries
> works? Or does it not work (according to previous mail)?
> 
> Sebastian
> 
> > Doh!  Maybe it was the right assumption that UAC isn't triggered on 
> > user-level executables.  I need to verify but need to wait till I 
> > rebuild my Vista system.  If anyone can verify this while my Vista 
> > system is being repaired, much appreciated.
> > 
> > -----Original Message-----
> > From: George Ou [mailto:george_ou at lanarchitect.net]
> > Sent: Wednesday, January 31, 2007 11:26 AM
> > To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> > Subject: RE: [Dailydave] Vista speach recognition
> > 
> > Ah I made a wrong assumption.  Any executable you launch regardless of 
> > whether it attempts to access system files or not will trigger UAC.
> > 
> > The file deletion concept still works though.
> > 
> > George
> > 
> > -----Original Message-----
> > From: George Ou [mailto:george_ou at lanarchitect.net]
> > Sent: Wednesday, January 31, 2007 3:09 AM
> > To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> > Subject: RE: [Dailydave] Vista speach recognition
> > 
> > I just verified that TinyURL.com will give you a nice URL to an executable.
> > 
> > Here's an example of a URL that opens a .EXE file.
> > http://tinyurl.com/3d588b
> > 
> > Now imagine that this was actually a user-mode malicious payload that 
> > avoids triggering UAC which contains ransomware.  It's very easy to 
> > use Vista speech command open IE7 and say "tinyURL.com/3d588b", 
> > "enter", "run".  That will actually download and launch your desired 
> > payload from any website and TinyURL will make it easy to say.  This 
> > is actually easier than my successful document-deleting recycle bin 
> > emptying test because it's a shorter script.
> > 
> > 
> > 
> > George
> > 
> 
> --
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer at suse.de - SuSE Security Team
> ~
> 
> 

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~


