[Dailydave] Vista speach recognition

Sebastian Krahmer krahmer at suse.de
Wed Jan 31 03:41:02 EST 2007 

On Tue, 30 Jan 2007, George Ou wrote:

Nice thing then. :-)
What was the award for the first vista remote? ;-))

l8er,
Sebastian

> It won't bypass UAC and it won't let you have the command prompt control.
> You can open the command prompt but it won't actually run commands.
> However, you can wake an idle speech system, interact with the desktop,
> delete user files, and do all this without user interaction or ever
> triggering UAC or Secure Desktop.  That sounds like a serious remote exploit
> to me.  There are mitigating factors of course, but it's still pretty
> serious.  I figured this was too obvious to be an exploit, but I figured
> wrong.
>  
>  
> George
> 
>   _____  
> 
> From: Rich Mogull [mailto:rmogull-dd at securosis.com] 
> Sent: Tuesday, January 30, 2007 5:06 PM
> To: George Ou
> Cc: 'Dave Aitel'; dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Vista speach recognition
> 
> 
> I just tested this on Vista and it works. 
> 
> Running Vista Ultimate in Parallels on my Mac I enabled voice commands, then
> recorded a simple command and played it back. Using the mic and speakers on
> my Mac the commands executed. Sound quality was actually terrible because of
> poor Vista performance in the VM.
> 
> But UAC seems to stop it. At the suggestion of Dave Maynor I tried to create
> a new user account. The usual UAC window popped up and no voice commands
> seemed to work.
> 
> I suspect anything that avoids the "final" (greyed out background) UAC
> dialogs will work, but looks like UAC stops it. At least in my quick test...
> 
> -rich
> 
> 
> On Jan 30, 2007, at 2:27 PM, George Ou wrote:
> 
> 
> Voice command is autoloaded if you calibrate the system and enable Voice
> commands. You can actually activate voice command mode by saying a certain
> phrase. If this exploit works, you could say that phrase first and then
> start your commands. Then you'd say "start", "cmd", "enter", then bark out
> the commands you want. This assumes it works and that no one near the PC
> gets suspicious :).
> 
> 
> George
> 
>   _____  
> 
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
> Sent: Tuesday, January 30, 2007 12:48 PM
> To: dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Vista speach recognition
> 
> 
> That's a great idea! If the Microsoft people have thought of it, no doubt
> they ignore any sound coming out of the speakers, so you'll have to rely on
> an echo effect. Essentially you can always win if your model of the acoustic
> properties of the room is better than Vistas. :> Many speech recognition
> systems I've seen require the user to press a button first, of course. :> I
> haven't tested Vista's. I have, however, gotten CANVAS working on Vista. (
> http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I recommend
> it over Windows XP SP2 because I think they removed that broken limitation
> from the TCP stack where you could only make 5 connections at once. 
> 
> Also, here is an article about Evgeny! ok. Not entirely about Evgeny. Mostly
> about people buying bugs. For someone who's wife is a lawyer in this field,
> there's a lot of "apparently legal" talk in it. It's just plain legal!
> Everybody deal. 
> http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1
> <http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1&_r=1>
> &_r=1 
> 
> -dave
> 
> 
> On 1/30/07, Sebastian Krahmer <krahmer at suse.de  <mailto:krahmer at suse.de> >
> wrote: 
> 
> 
> Hi,
> 
> I am in no way an Win expert but recently I read that
> vista will support commands as they are spoken by the user.
> What about websites where the browser is playing wav or similar
> audio files upon visiting? what if they contain spoken
> commands? An exploit audio file which speaks something like 
> 'open shell' would be cool, eh?
> 
> Sebastian
> 
> 
> --
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer at suse.de - SuSE Security Team 
> ~
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 
> 
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 
> 
> 

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~

More information about the Dailydave mailing list