Issue metadata

Status: Fixed
Closed: Feb 12

Issue 1663: logitech: "Options" Craft WebSocket server has no authentication

Reported by taviso@google.com, Sep 12 Project Member

Issue description

I wanted to rebind a button on my logitech mouse on Windows, apparently that requires installing a 149MB application called "Logitech Options":

https://www.logitech.com/en-us/product/options

That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an electron app. It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. A website can simply do this:

x = new WebSocket("ws://localhost:10134");
x.onmessage = function(event) {console.log("message", event.data); };
x.onopen = function(event) { console.log("open", event); };

etc, etc.

Trying to figure out what this websocket server does, it's immediately obvious that it expects JSON messages, and there is zero type checking of properties, so it crashes like crazy.


socket.send(JSON.stringify({message_type: "tool_update", session_id: "00cd8431-8e8b-a7e0-8122-9aaf4d7c2a9b", tool_id: "hello", tool_options: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }))

(14cc.cd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
LogiOptionsMgr+0x163f5f:
00000001`3f293f5f 0fb7530e        movzx   edx,word ptr [rbx+0Eh] ds:00004141`4141414f=????
0:013> kvn4
 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 00000000`03bae390 00000001`3f2939b3 : 00000000`03bae530 00000000`00000000 00004149`69696961 ffffffff`ffffffff : LogiOptionsMgr+0x163f5f
01 00000000`03bae3e0 00000001`3f55b2f9 : 00000000`03bae468 00000000`04d27e60 00000000`0053f180 00000001`3f295e6b : LogiOptionsMgr+0x1639b3
02 00000000`03bae430 00000001`3f554e74 : 00000000`03bae610 6470755f`6c6f6f74 00000000`0000000b 00000000`0000000f : LogiOptionsMgr+0x42b2f9
03 00000000`03bae5b0 00000001`3f544c5d : 00000001`3f793b10 00000000`03bae780 00000000`00547540 00000000`03812cc0 : LogiOptionsMgr+0x424e74

(Here, tool_options was expecting an array, but it didn't check the type and I provided a string)

After figuring out some of the protocol, I realized it was this thing:

https://github.com/Logitech/logi_craft_sdk

The only "authentication" is that you have to provide a pid of a process owned by your user, but you get unlimited guesses so you can brute-force it in microseconds.

After that, you can send commands and options, configure the "crown" to send arbitrary keystrokes, etc, etc. 

Recommendations

*You must check origin* - discard any connection with a non-whitelisted Origin.

Second, require knowing a secret generated at installation time in a filesystem or registry location that is correctly ACL'd.
 

Comment 1 by taviso@google.com, Sep 12

Project Member
I have no idea where to send logitech vulnerabilities, I mailed security@, it didn't bounce but ¯\_(ツ)_/¯

Comment 2 by taviso@google.com, Dec 11

Project Member
Labels: -Restrict-View-Commit
I did find a way to contact Logitech, and had a meeting with Logitech engineers on the 18th of September; they assured me they understood the issues and were planning to add Origin checks and type checking.

There was a new release on October 1st, but as far as I can tell they did not resolve any of the issues.

This is now past deadline, so making public.

I would recommend disabling Logitech Options until an update is available.

Comment 3 by rcma...@gmail.com, Dec 13

Update 7.00.564 was apparently just rushed out. Doesn't mention a bug fix in the patch notes, but I will investigate shortly.

Comment 4 by sreut...@gmail.com, Dec 14

On the logitech webpage they mention as changes for 7.00.564:
- You can now backup your device settings to the cloud automatically after creating an account. Log into your Options account and download the backed up settings to set up your device easily on any computer.
- Bug fixes and improvements.
(Which can mean anything...)

Comment 5 by xgio...@gmail.com, Dec 14

Thanks taviso. Did you test to see if the problem has been resolved? Thanks.

Comment 6 by bogdan...@gmail.com, Dec 14

I have tested this before and after updating to 7.0.564 and I could still reproduce the issue.

Looks like Logitech has not fixed the issue yet.

Comment 7 by logitech...@logitech.com, Dec 14

Hello,

Could you please provide more information about the issue you’re seeing, and the steps to reproduce it? You can send that information to logitechsoftware@logitech.com. 

Thank you,
Logitech

Comment 8 by esakkie...@gmail.com, Dec 15

Is there any CVEID associated with this issue?

Comment 9 by desyszen...@gmail.com, Dec 19

Hello,
Logitech and 3Dconnexion have common roots. Is it possible that the issue also affects 3Dconnexion? The 3dxnlserver.exe listens on 8181 and 8182. I ask because a lot of customers are using the SpaceMouse for their CAD program. The risk for the construction parts would be very high.
Is it possible for you to prove it?

Many thanks in advance.
Chris

Comment 10 by sreut...@gmail.com, Dec 21

Logitech released version 7.10.3 of Logi Options:
Change Note: "Further security improvements to origin checks"

Comment 11 Deleted

Comment 12 by too...@gmail.com, Dec 27

Hello,

I believe this can be closed, 7.10.3 seems to have fixed the issue, I'm getting 403 errors when trying to open a connection on localhost:10134

WebSocket connection to 'ws://localhost:10134/' failed: Error during WebSocket handshake: Unexpected response code: 403

Comment 13 by taviso@google.com, Feb 12

Project Member
Status: Fixed (was: New)
