24 May 2020
If you have the MSI Dragon Center software installed (or just the Mystic Light app), random websites can control the RGB lighting on your motherboard and graphics card!
Some examples:
The latest version of Mystic Light as of this writing (3.0.0.70) is affected.
GET /GetDeviceInfo HTTP/1.1
Host: localhost:26820
This one applies the "Color Cycle" effect to the motherboard LEDs:
GET /SetStyleID=112&DeviceIndex=0&DeviceType=MSI_MB HTTP/1.1
Host: localhost:26820
And this one stops the HTTP server, deletes the old firewall rule, adds a new one for 1337/tcp, then restarts the server on 0.0.0.0:1337:
GET /SetServerPort=1337 HTTP/1.1
Host: localhost:26820
The server does whitelist localhost as the only acceptable hostname in the Host header. This means that DNS rebinding probably won't work to bypass the same-origin policy and read responses (like GetDeviceInfo) from a malicious browser origin.
However, an attacker doesn't need to read any responses to change your RGB settings. All requests supported by the server are simple requests, which don't trigger CORS preflighting and get sent no matter what origin they come from. Hence, this web page.
Note that this attack can be done from the LAN by simply issuing requests to TARGET_IP:26820, because of the firewall rule.
MSI can fix the malicious website attack by validating the Origin header of requests to its Mystic Light Web API Server.
MSI should also work out an authentication mechanism or bind the server to 127.0.0.1 only to prevent unauthorized users on the LAN from messing with the server.
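The two fixes suggested above, written out as an added example (not MSI's code and not from the original post): a local HTTP handler that refuses requests carrying a foreign Origin and listens on 127.0.0.1 only. It goes one step beyond the text by also checking the Sec-Fetch-Site header, because browsers omit Origin on plain no-cors GETs such as image loads. The empty ALLOWED_ORIGINS set and the names is_request_allowed and make_server are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 26820                          # port used in the requests shown above
ALLOWED_HOSTS = {f"localhost:{PORT}"}  # the Host allow-list the page describes
ALLOWED_ORIGINS = set()               # assumption: no web origin is a legitimate client


def is_request_allowed(headers):
    """Return True only for requests that did not come from a foreign web page."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Host allow-list: blocks DNS-rebinding hostnames.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False
    # Browsers attach Origin to CORS-mode and non-GET requests.
    origin = h.get("origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False
    # Plain <img>/navigation GETs carry no Origin; Fetch Metadata covers them.
    if h.get("sec-fetch-site", "none").lower() not in ("none", "same-origin"):
        return False
    # Native local clients send neither header and pass.
    return True


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_request_allowed(dict(self.headers.items())):
            self.send_error(403, "Cross-origin request refused")
            return
        body = b"ok\n"                # placeholder for the real API action
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_server(port=PORT):
    # Loopback only: binding 0.0.0.0 is what exposes the API to the LAN.
    return HTTPServer(("127.0.0.1", port), Handler)


if __name__ == "__main__":
    make_server().serve_forever()
```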