DarkVision Hardware - Daily tech news
August 12, 2020 
Very easy to exploit bug found in Logitech Options software

Posted on Friday, December 14 2018 @ 15:16:49 CET by

Google Project Zero security researcher Tavis Ormandy discovered a very easy-to-exploit vulnerability in Logitech's Options tool: the software opens a local WebSocket port that accepts commands without authentication. This enables attackers to send arbitrary keystrokes from any website, giving pretty much total control over an affected system.

Initially, Logitech didn't see the need to patch this vulnerability. Project Zero gives companies 90 days to patch bugs before making them public. Ormandy informed the peripheral maker in September, and Logitech didn't fix the issue before the deadline expired. Interestingly, Logitech did issue a fix three days after the vulnerability was made public. You can download the latest version of Options over here.

From Ormandy's report:

That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an electron app. It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. A website can simply do this:

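// Connect to the local Options websocket server on the port named above
var x = new WebSocket("ws://localhost:10134");
x.onmessage = function(event) { console.log("message", event.data); };
x.onopen = function(event) { console.log("open", event); };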

etc, etc.

Trying to figure out what this websocket server does, it's immediately obvious that it expects JSON messages, and there is zero type checking of properties, so it crashes like crazy.


The only "authentication" is that you have to provide a pid of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds.

After that, you can send commands and options, configure the "crown" to send arbitrary keystrokes, etc, etc.
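
The two controls the report says were missing, origin checking and authentication that cannot be guessed, can be sketched as follows. This is an added example, not Logitech's code and not part of the report; the function names, the `app://options-ui` origin and the failure cap are assumptions, and how the token reaches the server (first message, subprotocol field) is left to the caller.

```javascript
// Added example: handshake gate for a localhost-only WebSocket service.
// Every name here (ALLOWED_ORIGINS, createGate, ...) is hypothetical.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const ALLOWED_ORIGINS = new Set(['app://options-ui']); // assumed origin of the bundled UI
const MAX_FAILURES = 5; // wrong-token attempts allowed before refusing until restart

function newSessionToken() {
  // 256 bits from the CSPRNG. A PID is a small, enumerable integer, not a secret.
  return randomBytes(32).toString('hex');
}

function tokensMatch(presented, expected) {
  const a = Buffer.from(String(presented));
  const b = Buffer.from(expected);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return a.length === b.length && timingSafeEqual(a, b);
}

function createGate(expectedToken) {
  let failures = 0;
  // origin: value of the Origin header on the upgrade request (undefined if absent)
  // token:  credential presented by the client
  return function authorize({ origin, token }) {
    // Browsers always send Origin on WebSocket upgrades and page script cannot
    // override it, so an allowlist stops arbitrary websites at the handshake.
    if (!origin || !ALLOWED_ORIGINS.has(origin)) {
      return { ok: false, reason: 'origin' };
    }
    // Bad origins are not counted, so a hostile page cannot lock out the real UI.
    if (failures >= MAX_FAILURES) {
      return { ok: false, reason: 'locked' };
    }
    if (!tokensMatch(token, expectedToken)) {
      failures += 1; // bounded guesses, unlike the unlimited PID guessing described
      return { ok: false, reason: 'token' };
    }
    return { ok: true, reason: null };
  };
}
```
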


