Penetration Testing mailing list archives

Re: FAX virus

From: Alcides <alcides.hercules () gmail com>
Date: Wed, 21 Nov 2007 18:42:54 +0530

Hi List,

Kindly find the original security-basics post below. Many people triedto help with their precious opinions and technical aspects.

This thread was closed by moderator of security basics list becauseseveral reasons.http://seclists.org/basics/2007/Mar/0075.html<http://seclists.org/basics/2007/Mar/0000.html>This matter has now an additional aspect and a reason to reopen thisthread here.


Zero day PDF exploit for Adobe Acrobat is in the wild for sometime, poc is also available.

So, do we need to rethink about what bad guys can do to my windows box. Which is acting as FAX server with some software of 
"make-my-computer-a-fax-machine" type.
Kindly discuss about the various attack vectors, and ways to safeguard against the same.

Thanks and regards,
Alcides

From: Alcides <alcides.hercules_at_gmail.com<mailto:alcides.hercules_at_gmail.com?Subject=Re:%20FAX%20a%20virus>>

Date: Thu, 01 Mar 2007 10:07:19 +0530

Hi lists,
My FAX server allows me to receive faxes from my clients from Internet.
My clients send me some documents using their built-in Fax Printer on
their PC. My fax server routes the stuff to the document processing
applications. The document processing system extracts various data
fields from received portable document format files.
The whole scenario is windows environment and let's assume that virus
protection is temporarily off.

Now, I have a query:
Can anyone send a fax that includes a file infected with the virus/ worm
operates as a VBS script embedded within a PDF/TIF file to cause
infections to my computers/ to affect my FAX system?
What about other possibilities of "the bad guys" using some joiner (or
wrapper as some say) to bind malware (trojan server etc) with the pdf/
TIF files and fax it to me?
I would be very greatful to know what are the various possibilities.

Warm regards,
Alcides.

---------------------------------------------------------------------------



cwright () bdosyd com au wrote:

Scott,

The question was originally posed as “Can anyone send a fax that includes a file infected with the virus/ worm” (Wed, 
07 Mar)

My concern was not with sanitisation as you are trying to suggest. It is with the idea that a buffer overflow is the attack vector. That for instance a virus / worm could be embedded. This is a suggestion that I remain in disbelief of.

What I suggested is an alternative. Rather then sending  a virus/worm, send a XSS attack and rely on the users in the 
organisation to exploit this.

If this is sent in a PDF, it is going to display as the scripted entry. So a conversion to an attached PDF is still not 
going to work as what is displayed is what is on the page. It will need to be sent directly to a web enabled email or 
web server.

So it is not that I am suggesting an attack against the document processor, but rather extending this by adding user 
interaction. It is thus the user who extends this through reading email with the link or opening a page. In this case 
the site would still also have a simpler attack against the user in any instance.

I also believe that you suggested “If you allow the asterisk and parenthesis through, you run the risk of allowing SQL injection passed to your service.” The idea you stated other then a buffer overflow was a SQL injection. Neither of these are valid. You failed to consider XSS and having user involvement at the time. I did not think of this either. If you had suggested this I would have conceded that as an attack vector has I now have.

The suggestion that an embedded buffer overflow or binary attack against the fax server is still out of the question.

You for example stated:

“The communication is one-way as Craig so eloquently pointed out.  But what if the command is to drop a database?  In that 
case there was never any intention of receiving data back, it's a malicious vandalism of your database.”

Again, this is not a valid path or attack vector Scott. You are attempting to add too much complexity. So consider a 
XSS as a simplification of your idea. By over complicating the idea to send SQL commands to an unknown database or 
worse embed a buffer overflow (which I am still wondering how you could even propose as I see no way to fax a NOP sled) 
you take the thesis to a level where it may not be supported.

Regards,

Dr Craig Wright


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Re: FAX virus cwright (Nov 18)
- RE: FAX virus Ramsdell, Scott (Nov 19)
  - Re: FAX virus M.B.Jr. (Nov 24)
  - Re: FAX virus Steve Friedl (Nov 27)
- RE: FAX virus THORNTON Simon (Nov 24)
  - Re: FAX virus M.B.Jr. (Nov 26)
- <Possible follow-ups>
- Re: RE: FAX virus cwright (Nov 19)
  - Re: FAX virus Alcides (Nov 24)