[Dailydave] Vista speach recognition
George Ou
george_ou at lanarchitect.net
Tue Jan 30 23:51:49 EST 2007
I ran some more tests and here is a very realistic scenario.
1. Website says "start listening" to toggle an idle speech system in Vista
to listening mode.
2. Website says "start", "windows explorer"
3. Website says "downloads", "documents", 3, OK, to toggle to downloads
then back to documents and highlights the documents folder.
4. Website says "delete", "yes".
5. Website says "show desktop", "recycle bin", "empty", "yes".
I tested this scenario and it works. Yes you need to actually catch the
user off-guard and they would have had to turn on speech recognition at some
point which then autoloads speech in Vista from that point on. This does
not require user interaction other than clicking on a URL to visit a website
and this does not trigger UAC security warnings. Websites routinely run
audio without requiring user interaction, just check out all those annoying
MySpace websites. It just zaps any folder the website wants to zap.
What surprised me was that the audio playback level did not need to be that
high and it was able to wake a sleeping speech command system.
I believe it's also possible to start IE7 and download a custom payload,
then be able to run that payload without triggering UAC and the payload
could encrypt user files for ransom without triggering UAC. Then it's
possible to open notepad and type in a message stating "I want $xxxx sent
here if you ever want to see your files in clear text again". All this
without triggering UAC or Secure Desktop in Vista. Note that I have not
tested this scenario.
George
_____
From: Rich Mogull [mailto:rmogull-dd at securosis.com]
Sent: Tuesday, January 30, 2007 5:06 PM
To: George Ou
Cc: 'Dave Aitel'; dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Vista speach recognition
I just tested this on Vista and it works.
Running Vista Ultimate in Parallels on my Mac I enabled voice commands, then
recorded a simple command and played it back. Using the mic and speakers on
my Mac the commands executed. Sound quality was actually terrible because of
poor Vista performance in the VM.
But UAC seems to stop it. At the suggestion of Dave Maynor I tried to create
a new user account. The usual UAC window popped up and no voice commands
seemed to work.
I suspect anything that avoids the "final" (greyed out background) UAC
dialogs will work, but looks like UAC stops it. At least in my quick test...
-rich
On Jan 30, 2007, at 2:27 PM, George Ou wrote:
Voice command is autoloaded if you calibrate the system and enable Voice
commands. You can actually activate voice command mode by saying a certain
phrase. If this exploit works, you could say that phrase first and then
start your commands. Then you'd say "start", "cmd", "enter", then bark out
the commands you want. This assumes it works and that no one near the PC
gets suspicious :).
George
_____
From: dailydave-bounces at lists.immunitysec.com
[mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
Sent: Tuesday, January 30, 2007 12:48 PM
To: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Vista speach recognition
That's a great idea! If the Microsoft people have thought of it, no doubt
they ignore any sound coming out of the speakers, so you'll have to rely on
an echo effect. Essentially you can always win if your model of the acoustic
properties of the room is better than Vista's. :> Many speech recognition
systems I've seen require the user to press a button first, of course. :> I
haven't tested Vista's. I have, however, gotten CANVAS working on Vista
(http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I recommend
it over Windows XP SP2 because I think they removed that broken limitation
from the TCP stack where you could only make 5 connections at once.
Also, here is an article about Evgeny! ok. Not entirely about Evgeny. Mostly
about people buying bugs. For someone whose wife is a lawyer in this field,
there's a lot of "apparently legal" talk in it. It's just plain legal!
Everybody deal.
http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1&_r=1
-dave
On 1/30/07, Sebastian Krahmer <krahmer at suse.de> wrote:
Hi,
I am in no way a Win expert but recently I read that
Vista will support commands as they are spoken by the user.
What about websites where the browser is playing wav or similar
audio files upon visiting? What if they contain spoken
commands? An exploit audio file which speaks something like
'open shell' would be cool, eh?
Sebastian
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave