Don't know about the idea of the engine itself as directly
vulnerable, but there are a number of similar issues it presents.
First, any cross-site scripting vulnerability in google.com can be
combined to attack someone with google desktop installed:
http://download.watchfire.com/whitepapers/Overtaking-Google-Desktop.pdf
(incidentally, Jesse Ruderman first pointed this out three years ago)
http://www.squarefree.com/2004/10/22/my-impressions-of-google-desktop-search/
I don't remember the exact details of the fix offhand, but I think
there was some discussion that it might still be worked around,
though I could be wrong. This particular avenue for attack was due
to the fact that google desktop would trust results coming back from
google.com.
Second, any vulnerability in the OS or parsing libraries used by the
drive indexing service might be leveraged indirectly as was the case
with the WMF vuln:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
Third, there's always the auto-update vector that applies more
broadly to many other programs too, but Google Desktop is
specifically vulnerable to:
http://ha.ckers.org/blog/20070531/google-desktop-0day/
The first and third directly apply to google desktop and may or may
not apply to other tools; the second issue is very similar to the
scenario you present, just with a utilized library or call instead of
the engine itself.
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
On Jun 13, 2007, at 9:04 AM, Richard M. Smith wrote:
Hi,
Has any company looked into the issue of desktop search programs being an attack vector for malware? I'm wondering if a booby-trapped document file can be placed on a system that will cause a buffer error in a desktop search bot. The buffer overflow can then be used to install and run malware. Such a file can be delivered as an attached file to an email message or downloaded on the sly to a browser cache.
Also, can a desktop search bot be DoSed by having it index an exploding .ZIP which is modest in size but contains many terabytes of document files?
Richard
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
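The "exploding .ZIP" Richard asks about is the classic zip bomb: a few kilobytes on disk whose members (or nested archives of members) inflate to gigabytes. An indexer that trusts the archive and inflates whatever it finds is exactly the second of Jordan's vectors, a parsing library doing the damage on the engine's behalf. The example below is added here and is not code from either poster or from Google Desktop or any other product; it shows the checks an indexer should apply before and while inflating: a per-member compression-ratio limit, a total expansion budget shared across nesting levels, a member count, and a nesting depth limit. All limit values, the function names, and the sample archives built by build_sample_zip are assumptions for illustration.

```python
import io
import zipfile

# Limits the indexer enforces per top-level archive, nested archives included.
# These values are assumptions for the example, not taken from any product.
MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024  # bytes the archive may inflate to
MAX_RATIO = 200                           # uncompressed/compressed per member
MAX_MEMBERS = 10_000                      # members across all nesting levels
MAX_DEPTH = 3                             # archive-inside-archive levels
CHUNK = 64 * 1024


class ArchiveBombError(Exception):
    """Raised when an archive would inflate past the configured limits."""


def build_sample_zip(payload, members=1, nest=0, stored=False):
    """Constructed test input (not a real-world sample): a .zip holding
    `members` copies of `payload`, optionally wrapped `nest` times inside
    further zips, the way recursive zip bombs are built."""
    compression = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        for i in range(members):
            zf.writestr(f"doc{i}.txt", payload)
    data = buf.getvalue()
    for level in range(nest):
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w", compression=compression) as zf:
            zf.writestr(f"inner{level}.zip", data)
        data = outer.getvalue()
    return data


def index_archive(data, depth=0, state=None):
    """Stream each member of a zip through a stub text indexer while
    enforcing the limits above. Returns [(name, bytes_indexed), ...] or
    raises ArchiveBombError before the budget is exceeded."""
    if state is None:
        state = {"bytes": 0, "members": 0}  # shared across nesting levels
    if depth > MAX_DEPTH:
        raise ArchiveBombError(f"nested deeper than {MAX_DEPTH} levels")
    indexed = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            state["members"] += 1
            if state["members"] > MAX_MEMBERS:
                raise ArchiveBombError(f"more than {MAX_MEMBERS} members")
            # 1. Cheap checks on the central-directory headers, before
            #    inflating a single byte.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                raise ArchiveBombError(f"{info.filename}: ratio {ratio:.0f}")
            if state["bytes"] + info.file_size > MAX_TOTAL_UNCOMPRESSED:
                raise ArchiveBombError(f"{info.filename}: exceeds total budget")
            # 2. Inflate in chunks and charge the bytes actually produced,
            #    so the budget holds even if the headers understate sizes.
            nested = io.BytesIO() if info.filename.lower().endswith(".zip") else None
            actual = 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    actual += len(chunk)
                    state["bytes"] += len(chunk)
                    if state["bytes"] > MAX_TOTAL_UNCOMPRESSED:
                        raise ArchiveBombError(f"{info.filename}: inflated past budget")
                    if nested is not None:
                        nested.write(chunk)
                    # a real indexer would tokenize `chunk` here
            if nested is not None:
                # Archive inside an archive: recurse with the same budget.
                indexed.extend(index_archive(nested.getvalue(), depth + 1, state))
            else:
                indexed.append((info.filename, actual))
    return indexed


def archive_is_safe(data):
    """True if the archive indexes within budget, False if it was rejected."""
    try:
        index_archive(data)
        return True
    except ArchiveBombError:
        return False


if __name__ == "__main__":
    print(archive_is_safe(build_sample_zip(b"quarterly report " * 50)))   # True
    print(archive_is_safe(build_sample_zip(b"\0" * (1 << 20), nest=2)))  # False
```

The header checks alone are not enough, because the central directory is attacker-controlled; the byte counter on the inflated stream is what actually bounds memory and disk. Sharing one budget across nesting levels matters too: a recursive bomb is built so that no single level looks large, and a per-archive check that resets on recursion would pass it.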