Wednesday, January 31, 2007

First Vista remote exploit?

Yesterday I had the idea to use Vista's speech recognition
system for remote exploitation. By embedding commands
into a sound file offered by an evil website or into
all these Web 2.0 videos, remote attackers might be able
to execute commands on a Vista system when they
are spoken during viewing.
The idea has little chance to succeed, I thought. I posted
to Daily Dave's mailing list, and
George Ou made some samples, and it seemed to work.
Read the full thread here:

There are some constraints but basically it seems that
it is possible to delete files or to start certain
applications remotely.

I could not verify the results myself since I lack a license.

It has now been confirmed by various people that the speech recognition
software seems to lack echo cancellation. While it is "easy" to implement
in applications like Skype or Messenger, I do not know how easy it is
within the OS. Remember that the out-path is via the web browser, which
does not belong to the speech recognition system (no idea whether the
audio I/O architecture allows access by the recognition software).
From that point of view,
the OS would need to implement a global echo cancellation, a few layers below
the browser/recognition layer. This would make such systems within Messenger
or Skype obsolete.
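What echo cancellation means for this mitigation, as an added sketch that is not part of the original post: a normalized LMS (NLMS) adaptive filter, a standard textbook technique and not necessarily what any of the products named here use, subtracts the machine's own playback from the microphone signal before recognition. The signals, echo path and function names are constructed for illustration; note that the filter needs the playback samples as a reference, which is why it has to sit below the browser in the audio stack.

```python
import math
import random

def nlms_echo_cancel(playback, mic, taps=8, mu=0.1, eps=1e-6):
    """Remove the echo of `playback` from `mic` with an NLMS adaptive filter."""
    w = [0.0] * taps       # running estimate of the speaker-to-microphone path
    buf = [0.0] * taps     # most recent playback samples, newest first
    residual = []
    for x, d in zip(playback, mic):
        buf = [x] + buf[:-1]
        echo_est = sum(wi * bi for wi, bi in zip(w, buf))
        e = d - echo_est   # signal handed on to the recognizer
        norm = eps + sum(b * b for b in buf)
        w = [wi + mu * e * bi / norm for wi, bi in zip(w, buf)]
        residual.append(e)
    return residual

def power(sig):
    return sum(s * s for s in sig) / len(sig)

def simulate(n=4000, user_level=0.0, seed=1):
    """Constructed signals: noise as browser playback, a sine as the local user."""
    rng = random.Random(seed)
    playback = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    path = [0.0, 0.0, 0.6, 0.3, -0.1]   # constructed echo path, 2-sample delay
    echo = [sum(h * playback[i - k] for k, h in enumerate(path) if i >= k)
            for i in range(n)]
    user = [user_level * math.sin(2 * math.pi * 0.01 * i) for i in range(n)]
    mic = [a + b for a, b in zip(echo, user)]
    return playback, mic, user

def erle_db(mic, residual, tail=1000):
    """Echo return loss enhancement over the last `tail` samples, in dB."""
    return 10 * math.log10(power(mic[-tail:]) / max(power(residual[-tail:]), 1e-30))

if __name__ == "__main__":
    playback, mic, _ = simulate()
    print("playback only, ERLE dB:", round(erle_db(mic, nlms_echo_cancel(playback, mic)), 1))
    playback, mic, user = simulate(user_level=0.2)
    res = nlms_echo_cancel(playback, mic)
    err = [r - u for r, u in zip(res[-1000:], user[-1000:])]
    print("user speech distortion ratio:", round(power(err) / power(user[-1000:]), 3))
```

The first case has only playback reaching the microphone and the residual drops to almost nothing; the second shows the local user's signal surviving while the playback is removed.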

It has been confirmed that this also works with untrained voices. Not as well
as with trained ones, but it works. Downloading and executing user-level
binaries which do not trigger UAC has also been confirmed to work.

