The Logitech Options app, which configures the company’s mice and keyboards in Windows, relies on an ineffective authentication mechanism that enables malicious webpages to execute code on a victim’s machine.
Tavis Ormandy, vulnerability researcher with Google’s Project Zero, found the flaw in the Logitech Options app when he tried to rebind a button on his Logitech mouse. He published details about the critical vulnerability when Logitech took more than 90 days to address the issue.
Ormandy contacted Logitech and met with Logitech engineers in September.
“They assured me they understood the issues and were planning to add origin checks and type checking,” Ormandy wrote on the Project Zero bug tracker.
However, it seems the Logitech developers didn’t resolve the issue: Ormandy tested the latest version, released on Oct. 1, and none of the issues he had reported were fixed.
Upon inspecting the Logitech Options app, Ormandy discovered it opened a local WebSocket server that expects JSON messages. The first flaw Ormandy found is the ability to crash that server by sending JSON data with incorrect data types.
While such crashes can often lead to exploitable security bugs, Ormandy found an even easier way to compromise the software. The WebSocket service allows connections from any website, and that type of service should check the origin of the calling webpage so only authorized webpages can open a connection. For example, this would mean that only the webpage https://www.logitech.com/ should be able to access the service; however, the Logitech Options app does not properly authenticate these connections.
The only form of authentication in the Logitech Options app is to expect the connecting webpage to know the Windows process ID of the running Logitech software. However, these can easily be brute-forced, as they are relatively small numbers: a Windows process ID is only 32 bits in length, but because the numbers are applied incrementally and the software is executed early in the boot process, it will almost always have a small process ID. In addition, an exploit is easy, as the Logitech Options app permits unlimited guesses.
By sending commands to the WebSocket service, it’s possible to reconfigure the keyboard and mouse and also to send keystrokes to the system. This effectively means a malicious webpage could send keystrokes that will open a command shell, download malware and install it on the system.
The Logitech Options app has yet to be patched. A company spokesperson issued the following statement: “The safety of our consumers is our top priority. Therefore, Logitech is grateful for any indication of potential software vulnerabilities and suggestions for improving our product experience. We are currently reviewing the matter internally and will post new information as soon as we receive it.”
Ormandy first contacted Logitech about the vulnerability on Sept. 12, and he received confirmation of the bug report from the company soon after. Google’s Project Zero has a vulnerability disclosure policy that gives vendors 90 days to fix the bug before making the technical details public. This occurs independently of whether or not the software in question is fixed. Details about the vulnerability can be found in the Project Zero bug tracker.
When the Logitech Options app is installed, it is automatically started with Windows and runs in the background. Thus, even users who don’t actively do anything with the software are at risk as long as it is installed. We tested the Options software in a virtual machine and found no way of disabling the WebSocket functionality. Therefore, until Logitech publishes a security update, the only way users can protect themselves is by removing the application from their system.
About the author: Hanno Bock is a freelance journalist, systems administrator and security researcher. He runs The Fuzzing Project, an independent security research effort supported by the Linux Foundation’s Core Infrastructure Initiative.