I hate installing software on Windows
https://twitter.com/ProjectZeroBugs/status/1072615284085796865
Replying to @taviso
I find the buffer overflow much more dangerous than the origin issue. We'd micropatch it - but first, do you think there are a pile of others there, which would make it pretty irrelevant?
Replying to @mkolsek
Hmm, disagree, if they checked the Origin then only another local user could exploit the memory safety issues. If they don't check the origin but do check the JSON is well formed, then you can do things like send keystrokes to other applications
FWIW, I think a micropatch that checks the request headers for "Origin:" is totally feasible; I was using breakpoints and `da @esp..xxx; gc` to dump the headers.
What would constitute a valid origin?
I think if there is any Origin header, you can probably safely ignore it, it must have come from a website. A browser would never allow a website to send a request without an Origin header.
Who's a valid client for this web socket connection then?
AFAIK, they have office/photoshop/etc plugins, so you can have photoshop-specific functions when photoshop is focussed (e.g. color selection), and excel specific when excel is focussed (e.g. increment cell). Those native plugins talk json over websockets, because it's 2018
Got it. So local apps make local ws requests to configure your mouse. Can we be sure none of them send an Origin header? Also, is the web server only listening on localhost or is it accessible remotely?
I didn't check them all, but I didn't see one in testing. It's localhost only, but a website can open a websocket to ws://127.0.0.1, so just visiting a malicious website is enough to screw with your peripherals, exploit memory safety issues, spy on apps, etc.
I suppose it's also an LPE issue even if/once the Origin issue were fixed: a local low-privileged malicious process can reprogram keys when admin is using the mouse.
Yep, but I suggested they generate a per-user secret, but didn't want to set my expectations too high; I couldn't even get them to fix the RCE.
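The two mitigations the thread converges on, rejecting any WebSocket handshake that carries an Origin header (a browser always attaches one, a native local plugin normally does not) and requiring a per-user secret so another local user cannot drive the service, written out as a handshake gate for a localhost listener. This is an added example, not code from the thread or from the vendor's software. The header name X-Client-Token, the /control path and the port are assumptions, and the three sample handshakes are constructed for the example, not captured traffic.

```python
import base64
import hashlib
import hmac
import secrets

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 accept-key constant
TOKEN_HEADER = "x-client-token"  # assumed header name for the per-user secret


def parse_handshake(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased; a repeated header keeps its first value.
    Raises ValueError for anything that is not a plain request head.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), value.strip())
    return parts[0], parts[1], headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value per RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw: bytes, user_secret: str):
    """Decide whether to accept a WebSocket upgrade on the localhost listener.

    Returns (True, accept_key) on success or (False, reason) on rejection.
    """
    try:
        method, _target, h = parse_handshake(raw)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "missing Connection: Upgrade"
    if "sec-websocket-key" not in h:
        return False, "missing Sec-WebSocket-Key"
    # Mitigation 1: a browser always sends Origin on a WebSocket handshake, so
    # its mere presence means a web page initiated the connection. The value
    # is irrelevant; the header itself is the tell.
    if "origin" in h:
        return False, f"browser origin rejected: {h['origin']}"
    # Mitigation 2: per-user secret, compared in constant time, so that another
    # local account cannot talk to this user's instance of the service.
    presented = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(presented.encode(), user_secret.encode()):
        return False, "missing or wrong per-user token"
    return True, accept_key(h["sec-websocket-key"])


def build_request(extra_headers):
    """Constructed upgrade request; only the extra headers differ per sample."""
    lines = ["GET /control HTTP/1.1", "Host: 127.0.0.1:7777",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13"] + extra_headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# In a real deployment the secret lives in a file readable only by this user
# and is handed to the native plugins out of band; here it is just generated.
USER_SECRET = secrets.token_hex(16)

# Constructed samples, not captured traffic.
BROWSER_REQUEST = build_request(["Origin: https://attacker.example"])
PLUGIN_REQUEST = build_request([f"X-Client-Token: {USER_SECRET}"])
OTHER_USER_REQUEST = build_request([])  # local process lacking this user's token

if __name__ == "__main__":
    for name, req in [("browser", BROWSER_REQUEST), ("plugin", PLUGIN_REQUEST),
                      ("other local user", OTHER_USER_REQUEST)]:
        ok, info = check_handshake(req, USER_SECRET)
        print(f"{name:>16}: {'accept' if ok else 'reject'} ({info})")
```

The Origin check alone closes the web-to-localhost path but, as the thread notes, locks out any native plugin that happens to send an Origin header, so the vendor would have to confirm none of theirs do. The per-user token is what addresses the remaining local-privilege angle; the Origin check does nothing against another local account.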