securityvulns SECURITYVULNS:DOC:15954
Feb 03, 2007 - 12:00 a.m.

[Dailydave] Vista speech recognition


I ran some more tests and here is a very realistic scenario.

  1. Website says "start listening" to toggle an idle speech system in Vista
    to listening mode.
  2. Website says "start", "windows explorer"
  3. Website says "downloads", "documents", 3, OK, to toggle to downloads
    then back to documents and highlights the documents folder.
  4. Website says "delete", "yes".
  5. Website says "show desktop", "recycle bin", "empty", "yes".

I tested this scenario and it works. Yes, you need to actually catch the
user off-guard and they would have had to turn on speech recognition at some
point which then autoloads speech in Vista from that point on. This does
not require user interaction other than clicking on a URL to visit a website
and this does not trigger UAC security warnings. Websites routinely run
audio without requiring user interaction, just check out all those annoying
MySpace websites. It just zaps any folder the website wants to zap.

What surprised me was that the audio playback level did not need to be that
high and it was able to wake a sleeping speech command system.

I believe it's also possible to start IE7 and download a custom payload,
then be able to run that payload without triggering UAC and the payload
could encrypt user files for ransom without triggering UAC. Then it's
possible to open notepad and type in a message stating "I want $xxxx sent
here if you ever want to see your files in clear text again". All this
without triggering UAC or Secure Desktop in Vista. Note that I have not
tested this scenario.

George