Some people really enjoy the kind of computer mouse that would not be entirely out of place in an F-16 cockpit. The kind of mouse that can launch a browser with the gentle shifting of one of its thirty-eight buttons ever so slightly to the left and open their garage door with a shifting to the right of that same button. However, can this power be used for evil, and not just for frustrating guest users of their computer?
We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have one thing in common: the mouse itself must be physically modified to add the vulnerability or feature. Advanced mice with macro support, however, can be abused as-is, with no hardware modification at all.
The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available. [Stefan Keisse] discovered that the 100-command limit on the macros for each button is more than enough to get a full reverse shell on the target computer.
Considering how frustratingly easy it can be to accidentally press an auxiliary button on these mice, all an attacker would need to do is wait after delivering the sabotaged mouse. Video of the exploit after the break.
This is why smart admins who understand security use this GPO:
Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions
Nathanael Dale Ries: Won’t help if the mouse is set to imitate or fake the real mouse. I think it’s better to first restrict via firewall so only, for example, HTTP/HTTPS is able to reach out (and HTTPS can be proxied with a proxy that can do decryption via a custom CA that has to be installed on all computers).
Another thing is to restrict computers that store sensitive things physically, so such computers both are locked in and possibly have hard-wired peripherals, and possibly with tamper-sensors and such.
Thus it does not matter if a “regular” computer gets a reverse shell, since the sensitive things are locked in.
Deliberately creating a MITM attack on your own network and obliterating with it the entire secure trust model of SSL is the exact opposite of security.
Although I’m at a loss as to what that has to do with fouling attacks using macros stored in hardware EEPROMs?
The idea is that you restrict what communication can occur out and in, and thus reduce the possibility to run a “reverse shell”.
If the system restricts all communication to a few well defined protocols, opening a reverse shell will require some sort of software installation on the target machine, which also can be detected or prevented, and be hard to execute from a stored macro inside a mouse or keyboard.
No, it won’t be the opposite of security to create a network-local “MITM”. The reason is that you just redefine the trust border. Instead of bordering each specific client into a trusted state, you border the whole network into a trusted state. Of course, this means that anyone inside the trust border is able to compromise the trust process, but this on the other hand creates security because you have central control of what’s entering and exiting your network. That’s also why it’s important to define this trust border well, e.g., the trust border should not terminate outside your premises, but rather just inside.
A good thing with redefining the trust border is also that you are able to enforce policies centrally, for example preventing clickthrough to HTTPS warnings by simply letting the proxy display a block page for such things, you can prevent communication with certain blacklisted hosts, you can scan the content after sensitive data exiting (for example credit card numbers, passwords etc) and malicious data entering (for example viruses), and you can also enforce Cookie, HSTS, HPKP policies centrally. And a lot more, you can also block submission of certain types of forms, and also block certain content and HTML tags.
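Added example (not part of the original post or its comments): the egress restriction argued for in the comment above, evaluated over a constructed connection log. The addresses, the log format and the function names are assumptions; the code compares a port-only rule set with one where only the proxy may leave the network.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (hypothetical, not from the page).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.0.10")
WEB_PORTS = {80, 443}

# Constructed sample log, one connection attempt per line: "src dst dport".
SAMPLE_LOG = """\
10.0.5.21 10.0.0.10 3128
10.0.0.10 198.51.100.7 443
10.0.5.21 10.0.7.4 445
10.0.5.37 203.0.113.50 4444
10.0.5.37 203.0.113.50 443
"""

def parse(log):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]), int(parts[2]))
        except ValueError:
            continue

def allowed(src, dst, dport, proxy_only):
    """Egress decision. proxy_only=False is the port-only rule set."""
    if dst in INTERNAL:
        return True                      # stays inside the trust border
    if dport not in WEB_PORTS:
        return False                     # both rule sets block non-web ports
    return src == PROXY if proxy_only else True

def denied_by_host(log, proxy_only=True):
    """Map each source host to the external (dst, port) pairs it was refused."""
    hits = defaultdict(list)
    for src, dst, dport in parse(log):
        if not allowed(src, dst, dport, proxy_only):
            hits[str(src)].append((str(dst), dport))
    return dict(hits)

if __name__ == "__main__":
    print("port-only :", denied_by_host(SAMPLE_LOG, proxy_only=False))
    print("proxy-only:", denied_by_host(SAMPLE_LOG, proxy_only=True))
```

With the port-only rules the workstation's direct connection on 443 passes unnoticed; with proxy-only egress it is refused and shows up in the denied list next to the 4444 attempt.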
Just from your single post one can predict quite a lot of software that is already present on your system. So after that they just need to pick the right stuff and set it up for them to abuse.
I applaud your prudent exploitation of https. Most people do not realize that a cert that is trusted is trusted EVERYWHERE it claims validity. Using it to ensure all of YOUR machines are doing what they are supposed to be doing, and not allowing them to trust anything without your involvement, is fantastic. As the burden of HTTPS grows on administrators, I suspect we will be seeing a lot more of this kind of thing.
This is pretty much how internet access at any respectable large enterprise works. Blue Coat Systems is just one supplier that gets you the hardware needed for that. And yes, it is essentially a MITM attack. But if you can’t trust the company you’re working for, then you’re working for the wrong company anyways.
If your company won’t trust you, you’re working for the wrong company.
Not really an attack. More of an allowed path, with enforcement. Most people are ill equipped to maintain their own machine security, after all.
I have a logitech mouse with an extra button on the left side. I just got fed up with it and RIPPED that sucker outa there using a screwdriver. There was some satisfaction in that, but the button lever snapped off in a way that was not ideal and I still had to remove screws and do a more careful button-ectomy. Now there is a hole in the side of the mouse, but it is way better than that silly button getting inadvertently activated. Does this qualify as a hack?
I think that qualifies you as a hack :-p
Ha, ha. I get such a warm feeling when I grab the mouse and that button ain’t there.
That’s just the laser shining onto your finger
Your nick makes this post 10x better :D
Why didn’t you just disable it via software?
I know how that goes. Every software update will undo the customization and/or change the way the customization needs to be specified. Besides that, I let my emotions run away. I can’t say that I’m sorry.
Why would anyone want a mouse with more than 3 buttons? Jobs may have had the right idea with the one button mouse, but you can take anything too far. 38 buttons though — one false twitch and you have reformatted your hard drive.
I’ve used AutoHotKey to disable mouse buttons before. Elderly folks often lack motor control, and my grandfather was clicking both mouse buttons at once. I disabled the right mouse button with AHK and mapped it instead to Numpad+, which was never otherwise used. It helped him keep using his computer in his advanced years until he passed away.
I’ve got copy and paste mapped to two of the additional buttons. Now I can drink my coffee with the left hand, while copypasting commands with my right one. And even when I’m not drinking coffee, it’s still faster and requires less movement to hit the buttons on which I rest my thumb anyways than moving the left hand to Ctrl+C/V.
I have just installed that program and then written this hotkey script. I may have only used it for 10 seconds so far but: CHANGED. MY. LIFE
> Why would anyone want a mouse with more than 3 buttons?
All of the mice I use are 5 button mice. They have 2 thumb buttons that can be programmed to whatever. I have them set to Show Desktop and Alt+Tab so that I don’t have to put my coffee down to get around my desktop quickly.
They also work well for gaming.
Definitely a hack.
That hole helps cool down the electronics!
I think it qualifies more as an assault but considering what you did to your mouse I’m not going to argue.
I can’t stand mice with less than 5 buttons.
Incidentally, did you know it took a long time for people to be comfortable with using the word ‘mice’ as plural for a computer mouse?
Makes me wonder how they came up with the 100 command limit per button. Is this anywhere near what somebody might need in real life?
Have you met a guy that describes himself as a “cyber athlete” before?
Punches tree to get wood? :P
That’s an odd fetish.
Haha, it’s a stupid Minecraft joke.
SouthPark had a really funny episode where the adults had to play Minecraft to get the password for blocked TV channels.
http://i2.kym-cdn.com/photos/images/original/000/152/433/punching-trees.jpg
I call bullcrap on this. Logitech has used software macros in the driver for a while now, this “hack” will only work on a Windows computer with the software installed. The mouse is dumb.
LoL I was reading this as I pushed POST VOMIT, Yeah the LGSM needs to be running and it also needs the config file in the user directory on Windows in the Logitech folder.
We can assign buttons to do some repetitive small.
I have a Logitech G502 and it certainly CAN store macros without the software. I’m using it on a daily basis on Linux and I used my Windows VM to program the macro keys and they work on Linux perfectly fine (even 3 profiles with pretty long macros on each one).
I remember seeing mice with quite a high amount of memory, like 10’s of KB or even 100s. That should fit a 1000 key macro, right?
My G700s most certainly does have onboard memory. The Logitech software even has a switch that says “On-Board Memory – Use profiles stored on the mouse / Automatic Game Detection – Use profiles stored on the computer”.
Just a Shame the Logitech software needs to be installed for such a long Macro to work and it needs that saved on the PC.
Complex macros will not store on the mice but simple ones do
I have a KeyPro FK9000 which has 12 PF (Programmable Function) keys on its left end. It has a battery which charges by tapping power from the keyboard port and the PF keys are programmable using just the keyboard. If only its built in calculator (a switch toggles the number pad to calculator) could feed the numbers from its display to the computer.
Would be much handier than launching a calculator on the computer, where it’s always getting buried behind other windows.
I would say that someone can use an identical mouse, create some custom macros, and upload those to the memory on the mouse.
They can then replace the victim’s mouse with modified one — in theory if the logitech software is running (and believe me it will be with the 38 buttons being useless otherwise they would have a standard three button mouse) — the modified profile will be uploaded from the mouse to the computer.
When the victim pressed whatever button it would execute the new macro (and do who knows what).
This seems to be more of a prank.
I am pretty sure that the uploading/downloading of profiles to/from the device can be disabled in the logitech software, thus, preventing this type of thing (if not hide your mouse, if magically is connected one day — it’s been modified).
Needing the logitech software in there means you already have admin rights….so idk if this is a hack, or a convenient way of executing a bat file. Could also open a browser, download said batch file from pastebin, and run it.
“guest users of their computer”
That’s not really a thing though. Unless you run a public library or internet access place.
Unless your friends or relatives come over for whatever reason, who do not have a cell phone/laptop/or tablet, etc — and their only option is the computer that is available to them.
The title makes it clear that this is a problem with right hand mice, if it had been a left hand mouse, this never would have happened. Although jokes aside, I hate that so many high end mice are available in right hand only.