Re: FAX virus

From: M.B.Jr. (marcio.barbado@gmail.com)
Date: Tue Nov 20 2007 - 13:34:22 EST


There's this interesting point Craig raised, though:
crafted empirical information being processed by transducers + A/D
converters in such a way to explore vulns.

That could be sth;
for example,
maybe some light intensity derivative in time (with appropriate
wavelength/frequency values) could lead a motion-detection-powered
surveillance server to some sort of DoS.

That is,
Signal Processing functions' analysis applied to Information Security.

Can you imagine a Fourier-transform-enhanced malicious code?
LOL

On 11/19/07, Ramsdell, Scott <Scott.Ramsdell@cellnethunt.com> wrote:
> Craig,
>
> I find your statement suggesting you "have thought of an alternate path
> to loading a virus" to be disingenuous.
>
> The following is my reply to you on 03.05.07 regarding a question posed
> by the security basics list member Alcides, who was asking if his OCR
> software process running on a Windows box, which happened to process
> faxes, was a concern.
>
> "From what Alcides says, he has a fax server (this will convert from
> analog to digital, BTW) and he has a process running on a Windows box
> that accepts input from the fax server.
>
> I merely cautioned him about properly sanitizing the input from the fax
> server to the Windows service! Very valid concern."
>
> This was my original reply to Alcides "Others on this list, and
> especially on the Pen Test list, can speak much more suitably than I can
> on this issue, but I will contribute the following.
>
> This depends entirely on how the input to the "document processing
> system" is sanitized. If the document processing system blindly accepts
> user input as valid, then you potentially have an issue.
>
> If the document processing system runs as a service on your Windows
> boxes, check to ensure that it launches with an account that does not
> have System or Admin rights on the box."
>
> So, eight months ago, the security basics mailing list discussed this
> (before it boiled over to the pentest list), while you initiated a
> tirade concerning the impracticality of faxing a virus (which was not at
> all the point).
>
> I question your motivation for discussing your "thought" eight months
> after I and others suggested the existence of a concern in not
> sanitizing OCR input to a Windows service, and for releasing your
> "thought" on a completely different list than the one Alcides originally
> posted on.
>
> Kind Regards,
>
> Scott Ramsdell
> CISSP CCNA MSCE
>
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of cwright@bdosyd.com.au
> Sent: Sunday, November 18, 2007 1:55 AM
> To: pen-test@securityfocus.com
> Subject: Re: FAX virus
>
> I have thought about this for a while following some of the earlier
> posts.
>
> Faxing a virus is out of the question and I have not seen anything to
> state the contrary. I have thought of an alternate path to loading a
> virus based on a network OCR'd fax server. In the scenario, we have to
> assume that the system is sending the output to a web front end or HTTP
> enabled email (not that uncommon).
>
> There are a few assumptions that I will place first.
>
> - The system has no input filters and prints all characters to the
> email, web app.
> - The OCR engine is highly accurate and does not add spaces etc.
> - The email or web app displays exactly what it received
>
> Now given that scenario, we have a possible XSS (cross-site-scripting)
> attack.
>
> If there are no filters for an outgoing connection (i.e. no
> firewall/proxy that strips scripts) and the client browser/email
> application allows access to the Internet, the attacker could create a
> script in the page that makes a call to an external system to download a
> file.
>
> In a simple scenario, an AV server on the proxy level should get this.
>
> However, a script could also embed a simple XOR obfuscation key to
> modify the downloaded code. On the web server it would be inert. When
> XOR'd with the key in the script (after being downloaded and installed),
> this will thus bypass the AV server (if there is one) and install the
> malware on the user's system.
>
> So the faxing of the virus is still out of the equation, but it does
> allow an infection (or other attack) vector.
>
> Regards,
> Dr Craig Wright (GSE-Compliance)
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>

-- 
Marcio Barbado, Jr.
"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM
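
Added example, not part of any message in this thread: the quoted scenario depends on OCR output reaching a web front end or HTML email with no input filter, and the quoted advice is to sanitize what the fax server hands to the document-processing service. The sketch below shows that step; the function names and sample strings are constructed for illustration, and it assumes the OCR text is rendered as plain text inside an HTML page.

```python
import html
import re
import unicodedata

# Heuristic only: text that looks like markup is flagged for review.
# Safety comes from the escaping below, not from this pattern.
MARKUP_HINT = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:", re.IGNORECASE)


def normalize_ocr_text(raw: str) -> str:
    """Fold compatibility forms (e.g. fullwidth brackets an OCR engine
    may emit) to ASCII and drop control/format characters."""
    folded = unicodedata.normalize("NFKC", raw)
    return "".join(
        ch for ch in folded
        if ch in "\n\t" or unicodedata.category(ch)[0] != "C"
    )


def render_fax_page(raw: str) -> tuple[str, bool]:
    """Return (html_fragment, suspicious) for one OCR'd fax page.

    The fragment is always entity-encoded, so recognised characters are
    displayed as text and never interpreted as markup by the mail client
    or browser that shows the fax.
    """
    text = normalize_ocr_text(raw)
    suspicious = bool(MARKUP_HINT.search(text))
    fragment = "<pre>" + html.escape(text, quote=True) + "</pre>"
    return fragment, suspicious


if __name__ == "__main__":
    # Constructed sample pages: one ordinary, one carrying markup.
    pages = [
        "Total due: 5 < 10 & paid",
        "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e",
    ]
    for page in pages:
        fragment, suspicious = render_fax_page(page)
        print(("REVIEW " if suspicious else "OK     ") + fragment)
```
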


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT