funsec mailing list archives

Re: Desktop search: A new attack vector for malware?


From: Jordan Wiens <numatrix () ufl edu>
Date: Wed, 13 Jun 2007 10:39:44 -0400

Don't know about the idea of the engine itself as directly vulnerable, but there's a number of similar issues it presents.

First, any cross-site scripting vulnerability in google.com can be combined to attack someone with google desktop installed:
        http://download.watchfire.com/whitepapers/Overtaking-Google-Desktop.pdf
(incidentally, Jesse Ruderman first pointed this out three years ago)
http://www.squarefree.com/2004/10/22/my-impressions-of-google-desktop-search/

I don't remember the exact details of the fix offhand, but I think there was some discussion that it might still be worked around, though I could be wrong. This particular avenue for attack was due to the fact that google desktop would trust results coming back from google.com.

Second, any vulnerability in the OS or parsing libraries used by the drive indexing service might be leveraged indirectly as was the case with the WMF vuln:

http://www.f-secure.com/weblog/archives/archive-122005.html#00000753

Third, there's always the auto-update vector that applies more broadly to many other programs too, but Google Desktop is specifically vulnerable to:

http://ha.ckers.org/blog/20070531/google-desktop-0day/

The first and third directly apply to google desktop and may or may not apply to other tools; the second issue is very similar to the scenario you present, just with a utilized library or call instead of the engine itself.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Jun 13, 2007, at 9:04 AM, Richard M. Smith wrote:

Hi,

Has any company looked into the issue of desktop search programs being an attack vector for malware? I'm wondering if a booby-trapped document file can be placed on a system that will cause a buffer error in a desktop search bot. The buffer overflow can then be used to install and run malware. Such a file can be delivered as an attached file to an email message or downloaded on the sly to a browser cache.

Also can a desktop search bot be DoSed by having it index an exploding .ZIP which is modest in size but contains many terabytes of document files?

Richard

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
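As an added, defender-side illustration of the exploding-ZIP concern raised in the quoted question (example code, not from the list or from any desktop search product), here is how an indexer can refuse such an archive: the limits, function names and sample archives are assumptions made for this example.

```python
import io
import zipfile
# Limits a cautious indexer might enforce per archive (constructed for this example).
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024   # 64 MiB of text per archive is plenty to index
MAX_RATIO = 100                              # uncompressed/compressed above this is suspect
MAX_MEMBERS = 10_000

def archive_is_safe_to_index(data: bytes) -> tuple[bool, str]:
    """Check declared sizes in the central directory before inflating anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return False, "too many members"
        total_unc = sum(i.file_size for i in infos)
        total_cmp = sum(i.compress_size for i in infos)
        if total_unc > MAX_TOTAL_UNCOMPRESSED:
            return False, "declared uncompressed size exceeds limit"
        if total_cmp and total_unc / total_cmp > MAX_RATIO:
            return False, "compression ratio exceeds limit"
        if any(i.filename.lower().endswith(".zip") for i in infos):
            return False, "nested archive (not recursed)"
    return True, "ok"

def index_archive(data: bytes) -> dict[str, int]:
    """Inflate in chunks, charging every real byte against a hard budget so a
    lying header cannot turn a small file into terabytes of work."""
    ok, reason = archive_is_safe_to_index(data)
    if not ok:
        raise ValueError(reason)
    budget = MAX_TOTAL_UNCOMPRESSED
    seen = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                count = 0
                while chunk := member.read(65536):
                    count += len(chunk)
                    budget -= len(chunk)
                    if budget < 0:
                        raise ValueError(f"budget exceeded while inflating {info.filename}")
                seen[info.filename] = count
    return seen

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive (constructed sample input, not a real bomb)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

The central-directory sizes are only what the archive claims, which is why the second function also counts the bytes that actually come out of the inflater.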


