Re: Vista speach recognition

["George Ou" <george_ou () lanarchitect net>]

Yes, it does work with untrained voices.  It's less accurate but works. 

-----Original Message-----
From: Sebastian Krahmer [mailto:krahmer () suse de] 
Sent: Wednesday, January 31, 2007 5:33 AM
To: Ross Brown
Cc: george_ou () lanarchitect net; rmogull-dd () securosis com;
dailydave () lists immunitysec com
Subject: Re: [Dailydave] Vista speach recognition

On Tue, 30 Jan 2007, Ross Brown wrote:

BTW, I have just been asked whether this works with un-trained voices as
well. It looks like there are better results if the PC "knows" the voice of
his master. Will it work with sorta robot-like voices, something the recog
software did not hear before?

Sebastian

> It would seem to me that you could use this to do some things that
overcome other security features, like using the speech flaw to open an
Instant Message or Skype session to create an outbound connection to a
remote user, defeating some firewall protections.
> Why they didn't just go ahead and figure "doh, these OS/X guys prolly did
this for a reason is beyond me.
> RB
>
> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com
> To: 'Rich Mogull'
> CC: dailydave () lists immunitysec com
> Sent: Tue Jan 30 17:09:51 2007
> Subject: Re: [Dailydave] Vista speach recognition
>
> It won't bypass UAC and it won't let you have the command prompt control.
You can open the command prompt but it won't actually run commands.
However, you can wake an idle speech system, interact with the desktop,
delete user files, and do all this without user interaction or ever
triggering UAC or Secure Desktop.  That sounds like a serious remote exploit
to me.  There are mitigating factors of course, but it's still pretty
serious.  I figured this was too obvious to be an exploit, but I figured
wrong.
>  
>  
> George
>
> ________________________________
>
> From: Rich Mogull [mailto:rmogull-dd () securosis com]
> Sent: Tuesday, January 30, 2007 5:06 PM
> To: George Ou
> Cc: 'Dave Aitel'; dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Vista speach recognition
>
>
> I just tested this on Vista and it works. 
>
> Running Vista Ultimate in Parallels on my Mac I enabled voice commands,
then recorded a simple command and played it back. Using the mic and
speakers on my Mac the commands executed. Sound quality was actually
terrible because of poor Vista performance in the VM.
> But UAC seems to stop it. At the suggestion of Dave Maynor I tried to
create a new user account. The usual UAC window popped up and no voice
commands seemed to work.
> I suspect anything that avoids the "final" (greyed out background) UAC
dialogs will work, but looks like UAC stops it. At least in my quick test...
> -rich
>
>
> On Jan 30, 2007, at 2:27 PM, George Ou wrote:
>
>
>       Voice command is autoloaded if you calibrate the system and enable
Voice commands. You can actually activate voice command mode by saying a
certain phrase. If this exploit works, you could say that phrase first and
then start your commands. Then you'd say "start", "cmd", "enter", then bark
out the commands you want. This assumes it works and that no one near the PC
gets suspicious :).
>                       George
>
> ________________________________
>
>       From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
>       Sent: Tuesday, January 30, 2007 12:48 PM
>       To: dailydave () lists immunitysec com
>       Subject: Re: [Dailydave] Vista speach recognition
>       
>       
>       That's a great idea! If the Microsoft people have thought of it, no
doubt they ignore any sound coming out of the speakers, so you'll have to
rely on an echo effect. Essentially you can always win if your model of the
acoustic properties of the room is better than Vistas. :> Many speech
recognition systems I've seen require the user to press a button first, of
course. :> I haven't tested Vista's. I have, however, gotten CANVAS working
on Vista. ( http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I
recommend it over Windows XP SP2 because I think they removed that broken
limitation from the TCP stack where you could only make 5 connections at
once. 
>       
>       Also, here is an article about Evgeny! ok. Not entirely about
Evgeny. Mostly about people buying bugs. For someone who's wife is a lawyer
in this field, there's a lot of "apparently legal" talk in it. It's just
plain legal! Everybody deal. 
>       
> http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1&;
> _r=1 
> <http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1
> &_r=1>
>       
>       -dave
>       
>       
>       On 1/30/07, Sebastian Krahmer <krahmer () suse de > wrote: 
>
>
>               Hi,
>               
>               I am in no way an Win expert but recently I read that
>               vista will support commands as they are spoken by the user.
>               What about websites where the browser is playing wav or
similar
>               audio files upon visiting? what if they contain spoken
>               commands? An exploit audio file which speaks something like 
>               'open shell' would be cool, eh?
>               
>               Sebastian
>               
>               
>               --
>               ~
>               ~ perl self.pl
>               ~ $_='print"\$_=\47$_\47;eval"';eval
>               ~ krahmer () suse de - SuSE Security Team 
>               ~
>               
>               _______________________________________________
>               Dailydave mailing list
>               Dailydave () lists immunitysec com
>               http://lists.immunitysec.com/mailman/listinfo/dailydave
>               
>
>
>       _______________________________________________
>       Dailydave mailing list
>       Dailydave () lists immunitysec com
>       http://lists.immunitysec.com/mailman/listinfo/dailydave

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave