Back in September, Google Project Zero security researcher Tavis Ormandy uncovered a serious keystroke injection vulnerability in Logitech’s Options desktop application. Left unpatched, the vulnerability allows an attacker to gain complete control over the victim’s machine. Though Ormandy privately disclosed the flaw to Logitech, the company dragged its feet with regards to releasing a patch. For this reason, Tavis Ormandy decided to hold the company’s feet to the fire and release a public disclosure that went into extensive detail on the exploit.
Ormandy states the following about the process he engaged in to find the vulnerability, which he rates as critical, and how it works:
I wanted to rebind a button on my logitech mouse on Windows, apparently that requires installing 149MB application called “Logitech Options” … That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an electron app. It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all… Trying to figure out what this websocket server does, it’s immediately obvious that it expects JSON messages, and there is zero type checking of properties, so it crashes like crazy… The only “authentication” is that you have to provide a pid of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the “crown” to send arbitrary keystrokes, etc, etc.
Once this public disclosure was made, Logitech was made to look like fools (which they absolutely deserved). It is seen in comment updates of the disclosure that Logitech responded to Tavis directly, asking him to send his findings to a specific channel of communication. As Tara Seals pointed out in her report on Threatpost, enough users also reacted furiously on Twitter that Logitech specifically addressed the issue in the tweet below:
Though this appears to deal with the issue, Tavis Ormandy was not totally convinced that the fix was enough. In the same article, Tara Seals points out that Tavis stated that the fix could “mean anything” when specifically analyzing the contents of the patch notes. Only time will tell if Logitech has done enough to take care of this major flaw, but users of their products should be aware of possible issues that can arise in the future.
Featured image: Pexels
