Dailydave mailing list archives
Re: [RGSPAM] Re: Vista speach recognition
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 31 Jan 2007 10:16:07 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How about "watermarking" the audio? Mix some ephemeral digital modulation into the speaker output that can be tied to the host computer's attributes (so it's unaffected by the user's data) which can then be detected by the mic and ignored 100% of the time. If the computers are together in a room you could have some sort of resolution protocol so that the machines could ask each other for their current watermarks (or query the AD server) so that you wouldn't have the "kitchen scenario" necessarily work. Overhead of implementing this might be a PITA but it's a fun thought experiment. -Marty On Jan 31, 2007, at 12:34 AM, Robert Graham wrote:
There are some easy defenses. Echo-cancelation software is pretty straightforward. It would be straightforward to remove anything coming out of the speakers from being picked up by the microphone. Unfortunately, it would also be CPU intensive. Unfortunately, more and more households have multiple computer, so while the echo-cancelation computer wouldn't get hit, another computer in the room or down the hall might. The Logitech microphone on my desktop has a lighted-button that shows when the microphone is on/off. That's one simple defense. --- George Ou <george_ou () lanarchitect net> wrote:It won't bypass UAC and it won't let you have the command prompt control. You can open the command prompt but it won't actually run commands. However, you can wake an idle speech system, interact with the desktop, delete user files, and do all this without user interaction or ever triggering UAC or Secure Desktop. That sounds like a serious remote exploit to me. There are mitigating factors of course, but it's still pretty serious. I figured this was too obvious to be an exploit, but I figured wrong. George _____ From: Rich Mogull [mailto:rmogull-dd () securosis com] Sent: Tuesday, January 30, 2007 5:06 PM To: George Ou Cc: 'Dave Aitel'; dailydave () lists immunitysec com Subject: Re: [Dailydave] Vista speach recognition I just tested this on Vista and it works. Running Vista Ultimate in Parallels on my Mac I enabled voice commands, then recorded a simple command and played it back. Using the mic and speakers on my Mac the commands executed. Sound quality was actually terrible because of poor Vista performance in the VM. But UAC seems to stop it. At the suggestion of Dave Maynor I tried to create a new user account. The usual UAC window popped up and no voice commands seemed to work. I suspect anything that avoids the "final" (greyed out background) UAC dialogs will work, but looks like UAC stops it. At least in my quick test... -rich On Jan 30, 2007, at 2:27 PM, George Ou wrote: Voice command is autoloaded if you calibrate the system and enable Voice commands. You can actually activate voice command mode by saying a certain phrase. If this exploit works, you could say that phrase first and then start your commands. Then you'd say "start", "cmd", "enter", then bark out the commands you want. This assumes it works and that no one near the PC gets suspicious :). George _____ From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel Sent: Tuesday, January 30, 2007 12:48 PM To: dailydave () lists immunitysec com Subject: Re: [Dailydave] Vista speach recognition That's a great idea! If the Microsoft people have thought of it, no doubt they ignore any sound coming out of the speakers, so you'll have to rely on an echo effect. Essentially you can always win if your model of the acoustic properties of the room is better than Vistas. :> Many speech recognition systems I've seen require the user to press a button first, of course. :> I haven't tested Vista's. I have, however, gotten CANVAS working on Vista. ( http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I recommend it over Windows XP SP2 because I think they removed that broken limitation from the TCP stack where you could only make 5 connections at once. Also, here is an article about Evgeny! ok. Not entirely about Evgeny. Mostly about people buying bugs. For someone who's wife is a lawyer in this field, there's a lot of "apparently legal" talk in it. It's just plain legal! Everybody deal. http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1 <http://www.nytimes.com/2007/01/30/technology/30bugs.html? pagewanted=1&_r=1> &_r=1 -dave On 1/30/07, Sebastian Krahmer <krahmer () suse de <mailto:krahmer () suse de> > wrote: Hi, I am in no way an Win expert but recently I read that vista will support commands as they are spoken by the user. What about websites where the browser is playing wav or similar audio files upon visiting? what if they contain spoken commands? An exploit audio file which speaks something like 'open shell' would be cool, eh? Sebastian -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team ~ _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave_______________________________________________Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave______________________________________________________________________ ______________ Want to start your own business? Learn how on Yahoo! Small Business. http://smallbusiness.yahoo.com/r-index _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
- -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFwLK4qj0FAQQ3KOARAh4gAJ9ecbJYATUBnRK+wV9sq05DPIS2MgCeP8IJ i1bv479R521tDS4Mz02K0AI= =/eif -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Vista speach recognition, (continued)
- Re: Vista speach recognition Rich Mogull (Jan 30)
- Re: Vista speach recognition George Ou (Jan 30)
- Re: Vista speach recognition Robert Graham (Jan 31)
- Re: Vista speach recognition George Ou (Jan 31)
- Re: Vista speach recognition Clemens, Dan (Jan 31)
- Re: Vista speach recognition dan (Jan 31)
- Not the dead "Vista speach recognition" thread (: I)ruid (Feb 06)
- Re: Vista speach recognition Dafydd Stuttard (Jan 31)
- Re: Vista speach recognition jf (Jan 31)
- Re: Vista speach recognition Thierry Zoller (Jan 31)
- Re: [RGSPAM] Re: Vista speach recognition Martin Roesch (Jan 31)
- Re: [RGSPAM] Re: Vista speach recognition christian void (Jan 31)
- Re: Vista speach recognition Sebastian Krahmer (Jan 31)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: Vista speach recognition George Ou (Jan 31)
- Re: Vista speach recognition dan (Jan 31)
- Re: Vista speach recognition Curt Wilson (Jan 31)
- Re: Vista speach recognition dan (Jan 31)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: Vista speach recognition George Ou (Jan 31)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: Vista speach recognition George Ou (Jan 31)
- Message not available
- Re: Vista speach recognition George Ou (Feb 01)
- Re: Vista speach recognition Sebastian Krahmer (Feb 01)