Security Basics mailing list archives

RE: FAX a virus


From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 3 Mar 2007 20:32:59 +1100


Hello,

Attached is a small piece of code designed to write memory without freeing that memory - a situation that will 
eventually cause a memory overrun and crash as I am not freeing the buffer.

#include <cstdio>

int main(int argc, char **argv)
{
    // Allocate 32 bytes and never delete[] them: the leak is intentional.
    char *MemorytLeak = new char[32];

    MemorytLeak[0] = 'B';

    printf("%c\n", MemorytLeak[0]);

    return 0;
}

You have received this as an email. It may be in text form or processed. I can however state that not a single person 
receiving this e-mail will resultantly have a system crash due to receiving this code. If I was to write it into a 
script and send the e-mail as HTML, I could still say the same.

Writing text in itself is not an attack. To make this into an attack, I have to do more than just sending it. Stating 
that it is possible to inject script is not a function of a fax or an OCR engine. I could categorically compile or 
otherwise run all code and script received by a fax machine. I could meticulously ensure that no errors occurred and that 
the code was correct, load it into some application that will run it and state that I have been attacked.

This however is not an attack through fax or OCR for that matter. In the above-mentioned situation the attack occurs 
not because I have received code, but rather as I have decided to run code or script on my system.

Regards,

Craig

PS

I reiterate, F.U.D.




________________________________

From: listbounce () securityfocus com on behalf of Robert Wesley McGrew
Sent: Sat 3/03/2007 4:24 AM
To: security-basics () securityfocus com
Subject: Re: FAX a virus



In this specific scenario, the threat is extraordinarily low.  However
this is an interesting area, as it's getting into the same ballpark as
the processing of printed documentation (the fax is essentially a
bitmapped representation of the original document and will be
processed in much the same way as a scanned document).  I wouldn't
worry so much about malicious code embedded within the document, but
depending on how the document itself is processed and used, it can
serve as an interesting attack vector.

I was trying to remember where I'd heard of it before, and I came
across this link while googling:

http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1234051,00.html

...so I am probably remembering the idea from Ed Skoudis' SANS class.
In essence, with documents being OCR'd and then the contents processed
in some way (say, a magazine's subscription system processing those
little subscription cards automatically) then it's just another point
of user input, and a really fascinating way of attacking!  It's
tempting to start filling the fields of those cards out with <img
src=''> web bugs just to see what happens ;).

So yes, there may be cases where carefully printing nice and legible
SQL injection or XSS strings might be useful!

The moral is that in addition to focusing on specific, conventional
threats, one needs to take a look at the data, how it is processed at
different points, and how that processing can be subverted.

--
Robert Wesley McGrew
http://mcgrewsecurity.com

On 3/1/07, Scott Ramsdell <Scott.Ramsdell () cellnet com> wrote:
Alcides,

Others on this list, and especially on the Pen Test list, can speak much
more suitably than I can on this issue, but I will contribute the
following.

This depends entirely on how the input to the "document processing
system" is sanitized.  If the document processing system blindly accepts
user input as valid, then you potentially have an issue.

If the document processing system runs as a service on your Windows
boxes, check to ensure that it launches with an account that does not
have System or Admin rights on the box.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Alcides
Sent: Wednesday, February 28, 2007 10:37 PM
To: security-basics () securityfocus com
Subject: FAX a virus

Hi lists,
My FAX server allows me to receive faxes from my clients from Internet.
My clients send me some documents using their built-in Fax Printer on
their PC. My fax server routes the stuff to the document processing
applications. The document processing system extracts various data
fields from received portable document format files.
The whole scenario is windows environment and let's assume that virus
protection is temporarily off.

Now, I have a query:
Can anyone send a fax that includes a file infected with the virus/ worm
operates as a VBS script embedded within a PDF/TIF file to cause
infections to my computers/ to affect my FAX system?
What about other possibilities of "the bad guys" using some joiner (or
wrapper as some say) to bind malware (trojan server etc) with the pdf/
TIF files and fax it to me?
I would be very grateful to know what are the various possibilities.

Warm regards,
Alcides.








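Added example, not part of the original thread: Python code treating OCR-extracted fields as the untrusted user input the replies above describe, with allow-list validation, a parameterized insert and encoded output for manual review. The field names, allow-list patterns and the subscribers table are assumptions made for illustration, and the two sample cards are constructed.

```python
import html
import re
import sqlite3

# Hypothetical allow-list: what each field on a subscription card may contain.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'\-]{0,63}"),
    "postcode": re.compile(r"[0-9]{4,5}"),
}

def validate(fields):
    """Split OCR output into fields that pass their allow-list and fields that do not."""
    clean, rejected = {}, {}
    for key, rule in FIELD_RULES.items():
        value = fields.get(key, "").strip()
        if rule.fullmatch(value):
            clean[key] = value
        else:
            rejected[key] = value
    return clean, rejected

def store(conn, clean):
    # Parameterized query: OCR text is bound as data, never spliced into the SQL.
    conn.execute("INSERT INTO subscribers (name, postcode) VALUES (?, ?)",
                 (clean["name"], clean["postcode"]))

def render_review_row(rejected):
    # Output encoding for the operator's review page: markup is displayed, not interpreted.
    return "".join(f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
                   for k, v in sorted(rejected.items()))

def process_card(conn, fields):
    clean, rejected = validate(fields)
    if rejected:
        return "review", render_review_row(rejected)
    store(conn, clean)
    return "stored", ""

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (name TEXT, postcode TEXT)")
    # Constructed OCR output from two cards (sample data, not from the thread).
    cards = [
        {"name": "Pat O'Brien", "postcode": "2000"},
        {"name": "<img src=''>", "postcode": "2000"},
    ]
    results = [process_card(conn, c) for c in cards]
    rows = conn.execute("SELECT name, postcode FROM subscribers").fetchall()
    return results, rows
```

The apostrophe in the first name is stored intact because it is bound as a parameter; the second card never reaches the database and is shown to a reviewer in escaped form.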

