[Dailydave] Vista speach recognition
Dafydd Stuttard
daf at ngssoftware.com
Wed Jan 31 11:14:28 EST 2007
A (somewhat far-fetched) mechanism for worm propagation...
If a compromised host has an analogue modem attached, it could dial random
phone numbers and play recorded commands down the line when answered. Fax
machines and other modems will often play the initial part of the call
aloud, as would anyone answering on a speakerphone.
Cheers
Daf
> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-
> bounces at lists.immunitysec.com] On Behalf Of Clemens, Dan
> Sent: 31 January 2007 14:00
> To: dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Vista speach recognition
>
>
>
> I can see it now. www.nad.org is defaced by someone saying 'echo
> commands'.
>
> "Ev1l script k1d13s have 0wn3d all your bas3, hear our roar!"
>
> LA Times reports NAD.org administrators say "we never heard it comin... And
> then we got hit"....
>
> -Daniel
>
>
>
> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of George Ou
> Sent: Wednesday, January 31, 2007 2:22 AM
> To: 'Robert Graham'; 'Rich Mogull'
> Cc: dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Vista speach recognition
>
> I don't see how it should be so computationally expensive. Polycom does
> their echo cancellation in software for their communicator product and
> it doesn't cost a whole lot of CPU even on a low-end machine. Microsoft
> Windows Messenger does superb echo cancellation (much better than Skype
> though they need to get a clue on firewall friendliness) when you're
> using speakers and even a cheap desktop standing microphone and it
> didn't cost a lot of CPU in the one gigahertz era.
>
> There's just no reason that what comes out of a computer should be
> processed back in by a speech recognition system EVEN if they
> implemented some sort of password you have to speak. But they haven't
> even implemented a password and you can just play back "start listening"
> to wake the speech command engine. The multiple computer scenario would
> be a little more difficult to defend against though it's a lot less
> likely. Heck it could be a TV show that barks out a kill-all-documents
> sequence. I guess one way to defeat that is to use the new multi-Mic
> technology in Vista to pinpoint a voice in space and require the voice
> to be coming from there.
>
> I've already successfully tested a full scenario where I recorded and
> played back a file that:
>
> 1. Woke the speech command engine.
> 2. Open Windows Explorer.
> 3. Highlight documents.
> 4. Delete documents and confirm yes.
> 5. Go to recycle bin on desktop.
> 6. Tell it to empty the trash and confirm yes.
>
> All this without triggering UAC or requiring user interaction. If you
> want a shorter sequence of commands as a gag; just say "start",
> "shutdown". The only thing I didn't do is put that sound file on a
> website with auto-playback turned on and I know that's technically
> trivial.
>
>
>
> George
>
>
> -----Original Message-----
> From: Robert Graham [mailto:robert_david_graham at yahoo.com]
> Sent: Tuesday, January 30, 2007 9:34 PM
> To: George Ou; 'Rich Mogull'
> Cc: dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Vista speach recognition
>
> There are some easy defenses.
>
> Echo-cancelation software is pretty straightforward. It would be
> straightforward to remove anything coming out of the speakers from being
> picked up by the microphone. Unfortunately, it would also be CPU
> intensive.
>
> Unfortunately, more and more households have multiple computers, so while
> the echo-cancelation computer wouldn't get hit, another computer in the
> room or down the hall might.
>
> The Logitech microphone on my desktop has a lighted-button that shows
> when the microphone is on/off. That's one simple defense.
>
>
> --- George Ou <george_ou at lanarchitect.net> wrote:
>
> > It won't bypass UAC and it won't let you have the command prompt
> > control. You can open the command prompt but it won't actually run
> > commands.
> > However, you can wake an idle speech system, interact with the
> > desktop, delete user files, and do all this without user interaction
> > or ever triggering UAC or Secure Desktop. That sounds like a serious
> > remote exploit to me. There are mitigating factors of course, but
> > it's still pretty serious. I figured this was too obvious to be an
> > exploit, but I figured wrong.
> >
> >
> > George
> >
> > _____
> >
> > From: Rich Mogull [mailto:rmogull-dd at securosis.com]
> > Sent: Tuesday, January 30, 2007 5:06 PM
> > To: George Ou
> > Cc: 'Dave Aitel'; dailydave at lists.immunitysec.com
> > Subject: Re: [Dailydave] Vista speach recognition
> >
> >
> > I just tested this on Vista and it works.
> >
> > Running Vista Ultimate in Parallels on my Mac I enabled voice
> > commands, then recorded a simple command and played it back. Using the
> > mic and speakers on my Mac the commands executed. Sound quality was
> > actually terrible because of poor Vista performance in the VM.
> >
> > But UAC seems to stop it. At the suggestion of Dave Maynor I tried to
> > create a new user account. The usual UAC window popped up and no voice
> > commands seemed to work.
> >
> > I suspect anything that avoids the "final" (greyed out background) UAC
> > dialogs will work, but looks like UAC stops it. At least in my quick
> > test...
> >
> > -rich
> >
> >
> > On Jan 30, 2007, at 2:27 PM, George Ou wrote:
> >
> >
> > Voice command is autoloaded if you calibrate the system and enable
> > Voice commands. You can actually activate voice command mode by saying
> > a certain phrase. If this exploit works, you could say that phrase
> > first and then start your commands. Then you'd say "start", "cmd",
> > "enter", then bark out the commands you want. This assumes it works
> > and that no one near the PC gets suspicious :).
> >
> >
> > George
> >
> > _____
> >
> > From: dailydave-bounces at lists.immunitysec.com
> > [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave
> > Aitel
> > Sent: Tuesday, January 30, 2007 12:48 PM
> > To: dailydave at lists.immunitysec.com
> > Subject: Re: [Dailydave] Vista speach recognition
> >
> >
> > That's a great idea! If the Microsoft people have thought of it, no
> > doubt they ignore any sound coming out of the speakers, so you'll have
> > to rely on an echo effect. Essentially you can always win if your
> > model of the acoustic properties of the room is better than Vista's. :>
> > Many speech recognition systems I've seen require the user to press a
> > button first, of course. :> I haven't tested Vista's. I have, however,
> > gotten CANVAS working on Vista. (
> > http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I
> > recommend it over Windows XP SP2 because I think they removed that
> > broken limitation from the TCP stack where you could only make 5
> > connections at once.
> >
> > Also, here is an article about Evgeny! ok. Not entirely about Evgeny.
> > Mostly about people buying bugs. For someone whose wife is a lawyer in
> > this field, there's a lot of "apparently legal" talk in it. It's just
> > plain legal! Everybody deal.
> > http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1&_r=1
> >
> > -dave
> >
> >
> > On 1/30/07, Sebastian Krahmer <krahmer at suse.de> wrote:
> >
> >
> > Hi,
> >
> > I am in no way a Win expert but recently I read that Vista will
> > support commands as they are spoken by the user.
> > What about websites where the browser is playing wav or similar audio
> > files upon visiting? what if they contain spoken commands? An exploit
> > audio file which speaks something like 'open shell' would be cool, eh?
> >
> > Sebastian
> >
> >
> > --
> > ~
> > ~ perl self.pl
> > ~ $_='print"\$_=\47$_\47;eval"';eval
> > ~ krahmer at suse.de - SuSE Security Team ~
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >