RE: FAX virus

From: Ramsdell, Scott (Scott.Ramsdell@cellnethunt.com)
Date: Mon Nov 19 2007 - 13:46:51 EST

• Next message: Erin Carroll: "RE: Oracle SQL Injection vulnerability"
• Previous message: Joxean Koret: "Re: Oracle SQL Injection vulnerability"
• In reply to: cwright@bdosyd.com.au: "Re: FAX virus"
• Next in thread: M.B.Jr.: "Re: FAX virus"
• Reply: M.B.Jr.: "Re: FAX virus"
• Reply: Steve Friedl: "Re: FAX virus"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Craig,

I find your statement suggesting you "have thought of an alternate path
to loading a virus" to be disingenuous.

The following is my reply to you on 03.05.07 regarding a question posed
by the security basics list member Alcides, who was asking if his OCR
software process running on a Windows box, which happened to process
faxes, was a concern.

"From what Alcides says, he has a fax server (this will convert from
analog to digital, BTW) and he has a process running on a Windows box
that accepts input from the fax server.

I merely cautioned him about properly sanitizing the input from the fax
server to the Windows service! Very valid concern."

This was my original reply to Alcides "Others on this list, and
especially on the Pen Test list, can speak much more suitably than I can
on this issue, but I will contribute the following.

This depends entirely on how the input to the "document processing
system" is sanitized. If the document processing system blindly accepts
user input as valid, then you potentially have an issue.

If the document processing system runs as a service on your Windows
boxes, check to ensure that it launches with an account that does not
have System or Admin rights on the box."

So, eight months ago, the security basics mailing list discussed this
(before it boiled over to the pentest list), while you initiated a
tirade concerning the impracticality of faxing a virus (which was not at
all the point).

I question your motivation for discussing your "thought" eight months
after I and others suggested the existence of a concern in not
sanitizing OCR input to a Windows service, and for releasing your
"thought" on a completely different list than the one Alcides originally
posted on.

Kind Regards,

Scott Ramsdell
CISSP CCNA MSCE

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of cwright@bdosyd.com.au
Sent: Sunday, November 18, 2007 1:55 AM
To: pen-test@securityfocus.com
Subject: Re: FAX virus

I have though about this for a while following some of the earlier
posts.

Faxing a virus is out of the question and I have not seen anything to
state the contrary. I have thought of an alternate path to loading a
virus bases on a network OCR'd fax server. In the scenario, we have to
assume that the system is sending the output to a web front end or HTTP
enabled email (not that uncommon).

There are a few assumptions that I will place first.

 - The system has no input filters and prints all characters to the
email, web app.
 - The OCR engine is highly accurate and does not add spaces etc.
 - The email or web app displays exactly what it received

Now given that scenario, we have a possible XSS (cross-site-scripting)
attack.

If there are no filters for an outgoing connection (i.e. no
firewall/proxy that strips scripts) and the client browser/email
application allows access to the Internet, the attacker could create a
script in the page that makes a call to an external system to download a
file.

In a simple scenario, an AV server on the proxy level should get this.

However, a script could also embed a simple XOR obfuscation key to
modify the downloaded code. On the web server it would be inert. When
XOR'd with the key in the script (after being downloaded and installed),
this will thus bypass the AV server (if there is one) and install the
malware on the users system.

So the faxing of the virus is still out of the equation, but it does
allow an infection (or other attack) vector.

Regards,
Dr Craig Wright (GSE-Compliance)

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Erin Carroll: "RE: Oracle SQL Injection vulnerability"
• Previous message: Joxean Koret: "Re: Oracle SQL Injection vulnerability"
• In reply to: cwright@bdosyd.com.au: "Re: FAX virus"
• Next in thread: M.B.Jr.: "Re: FAX virus"
• Reply: M.B.Jr.: "Re: FAX virus"
• Reply: Steve Friedl: "Re: FAX virus"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT