
Initially, Logitech didn't see the need to patch the vulnerability. Project Zero gives vendors 90 days to fix a bug before it publishes the details. Ormandy informed the peripheral maker in September, and Logitech had not fixed the issue when that deadline expired. Logitech did, however, ship a fix three days after the vulnerability was made public; the latest version of Options is available from Logitech.
That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an electron app. It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. A website can simply do this:
// connect to the local Options websocket server (port 10134, per the report above)
var x = new WebSocket("ws://localhost:10134");
x.onmessage = function(event) { console.log("message", event.data); };
x.onopen = function(event) { console.log("open", event); };
etc, etc.
Trying to figure out what this websocket server does, it's immediately obvious that it expects JSON messages, and there is zero type checking of properties, so it crashes like crazy.
...
The only "authentication" is that you have to provide a pid of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds.
After that, you can send commands and options, configure the "crown" to send arbitrary keystrokes, etc, etc.
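The quoted report names three weaknesses: no Origin check on the websocket handshake, no type checking of the JSON messages, and a "pid of one of your processes" check that can be brute-forced. The block below is an added example in JavaScript, written for this page; it is not Ormandy's code and not Logitech's. It models each weakness beside its hardened form as plain functions over the handshake headers and message text, so it runs without a real server. The allowed origin, the header object, the {pid, command} message shape and the sample inputs are assumptions made for illustration; the Options protocol itself is not known from the report beyond "JSON messages" and "a pid".

```javascript
// Added example, not from the report or from Logitech Options.
// Header names and the message schema are hypothetical.

// Browsers always send an Origin header on a WebSocket handshake, so a
// local server can tell which page opened ws://localhost:10134.
const ALLOWED_ORIGINS = new Set([
  "https://options.example.invalid", // hypothetical first-party UI origin
]);

// Behaviour the report describes: every origin is accepted.
function acceptAnyOrigin(_headers) {
  return true;
}

// Hardened form: exact-match allowlist. A missing Origin means the peer
// is not a browser page at all; deny it here and authenticate native
// clients some other way (e.g. a per-install random token).
function isOriginAllowed(headers) {
  const origin = headers && headers.origin;
  if (typeof origin !== "string") return false;
  return ALLOWED_ORIGINS.has(origin);
}

// The report says the server expected JSON with zero type checking and
// crashed on unexpected shapes. Validate the shape before dispatching.
// Assumed schema: { pid: positive integer, command: string }.
function parseCommand(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (_e) {
    return { ok: false, error: "not JSON" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, error: "not an object" };
  }
  if (!Number.isInteger(msg.pid) || msg.pid <= 0) {
    return { ok: false, error: "pid must be a positive integer" };
  }
  if (typeof msg.command !== "string") {
    return { ok: false, error: "command must be a string" };
  }
  return { ok: true, pid: msg.pid, command: msg.command };
}

// The pid "authentication": on Windows, pids are multiples of 4, so with
// unlimited guesses the whole space up to 65532 is 16,383 candidates.
function pidGuesses(maxPid = 65532) {
  const out = [];
  for (let pid = 4; pid <= maxPid; pid += 4) out.push(pid);
  return out;
}

// Simulated attacker loop against a pid-only check. isUsersPid stands in
// for the server's "is this pid owned by the current user" test.
function bruteForcePid(isUsersPid, maxPid = 65532) {
  let attempts = 0;
  for (const pid of pidGuesses(maxPid)) {
    attempts++;
    if (isUsersPid(pid)) return { pid, attempts };
  }
  return null;
}

// Constructed sample handshakes: one first-party page, one arbitrary site,
// one non-browser client with no Origin header.
const SAMPLE_HANDSHAKES = [
  { origin: "https://options.example.invalid" },
  { origin: "https://attacker.example" },
  {},
];

// Returns the decision each check makes for each sample handshake.
function classifyHandshakes(samples = SAMPLE_HANDSHAKES) {
  return samples.map((h) => ({
    origin: h.origin === undefined ? "(none)" : h.origin,
    vulnerable: acceptAnyOrigin(h),
    hardened: isOriginAllowed(h),
  }));
}

// Constructed set of pids "owned by the user" for the brute-force demo.
const USER_PIDS = new Set([4812, 9000, 22044]);

console.table(classifyHandshakes());
console.log(bruteForcePid((p) => USER_PIDS.has(p)));
console.log(parseCommand('{"pid": 4812, "command": "press"}'));
```

The origin check is the part that matters most: with it in place, a page on an unrelated site never gets past the handshake, so the pid guessing and the fragile JSON handling become unreachable from the browser. Exact-match comparison is deliberate; substring or prefix matching on Origin is a common way to reintroduce the hole.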