Ormandy first contacted Logitech about the vulnerability on Sept. We are currently reviewing the matter internally and will post new information as soon as we receive it." Therefore, Logitech is grateful for any indication of potential software vulnerabilities and suggestions for improving our product experience. A company spokesperson issued the following statement: "The safety of our consumers is our top priority. The Logitech Options app has yet to be patched. This effectively means a malicious webpage could send keystrokes that will open a command shell, download malware and install it on the system. In addition, an exploit is easy, as the Logitech Options app permits unlimited guesses.īy sending commands to the WebSocket service, it's possible to reconfigure the keyboard and mouse and also to send keystrokes to the system. However, these can easily be brute-forced, as they are relatively small numbers: a Windows process ID is only 32 bits in length, but because the numbers are applied incrementally and the software is executed early in the boot process, it will almost always have a small process ID. The only form of authentication in the Logitech Options app is to expect the connecting webpage to know the Windows process ID of the running Logitech software. For example, this would mean that only the webpage should be able to access the service however, the Logitech Options app does not properly authenticate these connections. The WebSocket service allows connections from any website, and that type of service should check the origin of the calling webpage so only authorized webpages can open a connection. While such crashes can often lead to exploitable security bugs, Ormandy found an even easier way to compromise the software. The first flaw Ormandy found is the ability to crash that server by sending JSON data with incorrect data types. Upon inspecting the Logitech Options app, Ormandy discovered it opened a local WebSocket server that expects JSON messages. The software uses Electron, an open source framework that enables users to develop cross-platform desktop applications in JavaScript, but which has also been subject to serious security vulnerabilities. 1, and none of the issues he had reported were fixed.Īccording to his report, Ormandy tried to reconfigure a button on his Logitech mouse in Windows and learned that, in order to do so, he had to download the 149 MB Logitech Options app. However, it seems the Logitech developers didn't resolve the issue: Ormandy tested the latest version, released on Oct. "They assured me they understood the issues and were planning to add origin checks and type checking," Ormandy wrote on the Project Zero bug tracker. Ormandy contacted Logitech and met with Logitech engineers in September. He published details about the critical vulnerability when Logitech took more than 90 days to address the issue. Tavis Ormandy, vulnerability researcher with Google's Project Zero, found the flaw in the Logitech Options app when he tried to rebind a button on his Logitech mouse.
0 Comments
Leave a Reply. |