Six zero-day vulnerabilities have been disclosed in an application called Remote Mouse; together they allow a remote, unauthenticated attacker to achieve full code execution on the victim's computer without any user interaction.
The unpatched flaws, collectively dubbed ‘Mouse Trap,’ were disclosed by security researcher Axel Persinger. According to him, the application puts its users at risk through weak authentication mechanisms, a lack of encryption, and an insecure default configuration.
Remote Mouse is a remote-control application for Android and iOS that turns a phone or tablet into a wireless mouse, keyboard, and trackpad for a computer, with support for voice typing, adjusting the computer's volume, and switching between applications. It works together with a Remote Mouse server component installed on the controlled machine.
The Android app alone was installed more than 10 million times.
The issues, identified by analyzing the packets sent from the Android app to its Windows service, allow an attacker who can observe the traffic to capture the user's hashed password, which can then be looked up in a rainbow table, and to replay the captured commands to the computer.
The six flaws are:
- CVE-2021-27569: Maximize or minimize the window of a running process by sending the process name in a crafted packet.
- CVE-2021-27570: Close any running process by sending the process name in a specially crafted packet.
- CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
- CVE-2021-27572: An authentication bypass via packet replay, allowing remote unauthenticated users to execute arbitrary code via crafted UDP packets even when passwords are set.
- CVE-2021-27573: Execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
- CVE-2021-27574: Carry out a software supply-chain attack by taking advantage of the app's use of cleartext HTTP to check for and download updates; an attacker positioned on the network path could substitute a malicious binary for the real update.
The researcher reported the flaws to Remote Mouse on Feb. 6, 2021, but received no response from the vendor, so he published the details after the 90-day disclosure deadline had passed.
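The capture, rainbow-table lookup and replay weaknesses described above, shown as a small model rather than as Remote Mouse's actual wire protocol. This is an added example, not code from the article or from the vendor: the packet layout, the `CLOSE_PROCESS` command string, the sample password, the common-password list and the choice of SHA-256 are all constructed for the illustration (the hash algorithm does not matter to the weakness; any unsalted, deterministic hash can be tabulated). The second half shows the usual fix, a server-issued single-use nonce answered with a keyed MAC, which defeats both the lookup and the replay.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example (not captured Remote Mouse traffic).
PASSWORD = "hunter2"
COMMAND = b"CLOSE_PROCESS notepad.exe"

# Stand-in for a rainbow table: precomputed unsalted hashes of common passwords.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "qwerty"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


# ---- Weak design: the same password hash prefixes every command packet ----
def weak_packet(password: str, command: bytes) -> bytes:
    """Client side of the weak design: hex(hash(password)) | command."""
    digest = hashlib.sha256(password.encode()).hexdigest().encode()
    return digest + b"|" + command


class WeakServer:
    """Server side of the weak design: compare the hash, then run the command."""

    def __init__(self, password: str):
        self.stored = hashlib.sha256(password.encode()).hexdigest().encode()

    def handle(self, packet: bytes):
        digest, _, command = packet.partition(b"|")
        if not hmac.compare_digest(digest, self.stored):
            return None
        return command  # the command that would be executed


def eavesdropper_recovers_password(packet: bytes):
    """Passive attacker: look the captured hash up in the precomputed table."""
    digest = packet.split(b"|", 1)[0].decode()
    return RAINBOW_TABLE.get(digest)


# ---- Hardened design: server-issued nonce, keyed MAC, single-use challenge ----
def derive_key(password: str, salt: bytes) -> bytes:
    # A slow KDF so that observed MACs cannot be cheaply brute-forced offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ChallengeServer:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.key = derive_key(password, self.salt)
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        """Issue a fresh random nonce; the client needs the salt to derive the key."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return self.salt, nonce

    def handle(self, nonce: bytes, command: bytes, tag: bytes):
        if nonce not in self.outstanding:
            return None  # unknown or already-consumed nonce: a replay
        self.outstanding.discard(nonce)  # each challenge is answered once
        expected = hmac.new(self.key, nonce + command, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return command


def client_response(password: str, salt: bytes, nonce: bytes, command: bytes) -> bytes:
    """Client side of the hardened design: MAC over nonce and command."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce + command, "sha256").digest()


def demo() -> dict:
    """Run both designs against a capture-and-replay attacker; return the outcomes."""
    weak = WeakServer(PASSWORD)
    captured = weak_packet(PASSWORD, COMMAND)  # what a sniffer on the LAN sees
    results = {
        "weak_accepts_original": weak.handle(captured) == COMMAND,
        "weak_accepts_replay": weak.handle(captured) == COMMAND,
        "weak_password_recovered": eavesdropper_recovers_password(captured),
    }

    strong = ChallengeServer(PASSWORD)
    salt, nonce = strong.challenge()
    tag = client_response(PASSWORD, salt, nonce, COMMAND)  # also visible to the sniffer
    results["strong_accepts_original"] = strong.handle(nonce, COMMAND, tag) == COMMAND
    results["strong_accepts_replay"] = strong.handle(nonce, COMMAND, tag) == COMMAND
    _, nonce2 = strong.challenge()  # attacker requests a new session...
    results["strong_accepts_old_tag"] = strong.handle(nonce2, COMMAND, tag) == COMMAND
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The weak design fails twice on a single captured packet: the static hash is looked up directly in the table, and the unchanged packet is accepted again on replay. In the hardened design the sniffer sees only a MAC bound to a random, single-use nonce, so neither the lookup nor the replay works, and a tag lifted from one session is rejected under the next nonce. One caveat: the slow KDF only raises the cost of offline guessing; a weak password can still be recovered from an observed MAC by brute force, so the challenge-response design complements, rather than replaces, a strong password and an encrypted transport.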