Issue 1663

Status: New

logitech: "Options" Craft WebSocket server has no authentication

Project Member Reported by taviso@google.com, Sep 12

Issue description

I wanted to rebind a button on my logitech mouse on Windows, apparently that requires installing a 149MB application called "Logitech Options":

https://www.logitech.com/en-us/product/options

That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an electron app. It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. A website can simply do this:

x = new WebSocket("ws://localhost:10134");
x.onmessage = function(event) {console.log("message", event.data); };
x.onopen = function(event) { console.log("open", event); };

etc, etc.

Trying to figure out what this websocket server does, it's immediately obvious that it expects JSON messages, and there is zero type checking of properties, so it crashes like crazy.


socket.send(JSON.stringify({message_type: "tool_update", session_id: "00cd8431-8e8b-a7e0-8122-9aaf4d7c2a9b", tool_id: "hello", tool_options: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }))

(14cc.cd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
LogiOptionsMgr+0x163f5f:
00000001`3f293f5f 0fb7530e        movzx   edx,word ptr [rbx+0Eh] ds:00004141`4141414f=????
0:013> kvn4
 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 00000000`03bae390 00000001`3f2939b3 : 00000000`03bae530 00000000`00000000 00004149`69696961 ffffffff`ffffffff : LogiOptionsMgr+0x163f5f
01 00000000`03bae3e0 00000001`3f55b2f9 : 00000000`03bae468 00000000`04d27e60 00000000`0053f180 00000001`3f295e6b : LogiOptionsMgr+0x1639b3
02 00000000`03bae430 00000001`3f554e74 : 00000000`03bae610 6470755f`6c6f6f74 00000000`0000000b 00000000`0000000f : LogiOptionsMgr+0x42b2f9
03 00000000`03bae5b0 00000001`3f544c5d : 00000001`3f793b10 00000000`03bae780 00000000`00547540 00000000`03812cc0 : LogiOptionsMgr+0x424e74

(Here, tool_options was expecting an array, but it didn't check the type and I provided a string)

After figuring out some of the protocol, I realized it was this thing:

https://github.com/Logitech/logi_craft_sdk

The only "authentication" is that you have to provide a pid of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds.

After that, you can send commands and options, configure the "crown" to send arbitrary keystrokes, etc, etc. 

Recommendations

*You must check origin* - discard any connection with a non-whitelisted Origin.

Second, require knowing a secret generated at installation time in a filesystem or registry location that is correctly ACL'd.
 
Project Member

Comment 1 by taviso@google.com, Sep 12

I have no idea where to send logitech vulnerabilities, I mailed security@, it didn't bounce but ¯\_(ツ)_/¯
Project Member

Comment 2 by taviso@google.com, Dec 11

Labels: -Restrict-View-Commit
I did find a way to contact Logitech, and had a meeting with Logitech engineers on the 18th September, they assured me they understood the issues and were planning to add Origin checks and type checking.

There was a new release on October 1st, but as far as I can tell they did not resolve any of the issues.

This is now past deadline, so making public.

I would recommend disabling Logitech Options until an update is available.

Update 7.00.564 was apparently just rushed out. Doesn't mention a bug fix in the patch notes, but I will investigate shortly.

On the logitech webpage they mention as changes for 7.00.564:
- You can now backup your device settings to the cloud automatically after creating an account. Log into your Options account and download the backed up settings to set up your device easily on any computer.
- Bug fixes and improvements.
(Which can mean anything...)

thanks taviso. did you test to see if the problem has been resolved? thanks

I have tested this before and after updating to 7.0.564 and I could still reproduce the issue.

Looks like Logitech has not fixed the issue yet.
Hello,

Could you please provide more information about the issue you’re seeing, and the steps to reproduce it? You can send that information to logitechsoftware@logitech.com. 

Thank you,
Logitech

Is there any CVEID associated with this issue?

Hello,
logitech and 3Dconnection have common roots. Is it possible that the issue also affects 3Dconnection? The 3dxnlserver.exe listens on 8181 and 8182. I ask because a lot of customers are using the SpaceMouse for their CAD program. The risk for the construction parts were very high.
Is it possible for you to prove it?

Many thanks in advance.
Chris

Logitech released version 7.10.3 of Logi Options:
Change Note: "Further security improvements to origin checks"

Comment 11 Deleted

Hello,

I believe this can be closed, 7.10.3 seems to have fixed the issue, I'm getting 403 errors when trying to open a connection on localhost:10134

WebSocket connection to 'ws://localhost:10134/' failed: Error during WebSocket handshake: Unexpected response code: 403
