As many as six zero-days have been uncovered in an application called Remote Mouse, allowing a remote attacker to achieve full code execution without any user interaction.
The unpatched flaws, collectively named ‘Mouse Trap,’ were disclosed on Wednesday by security researcher Axel Persinger, who said, “It’s clear that this application is very vulnerable and puts users at risk with bad authentication mechanisms, lack of encryption, and poor default configuration.”
Remote Mouse is a remote control application for Android and iOS that turns mobile phones and tablets into a wireless mouse, keyboard, and trackpad for computers, with support for voice typing, adjusting computer volume, and switching between applications with the help of a Remote Mouse server installed on the machine. The Android app alone has been installed over 10 million times.
In a nutshell, the issues, which were identified by analysing the packets sent from the Android app to its Windows service, could allow an adversary to intercept a user’s hashed password, rendering them susceptible to rainbow table attacks and even replay the commands sent to the computer.
A quick summary of the six flaws is as follows –
- CVE-2021-27569: Maximize or minimize the window of a running process by sending the process name in a crafted packet.
- CVE-2021-27570: Close any running process by sending the process name in a specially crafted packet.
- CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
- CVE-2021-27572: An authentication bypass via packet replay, allowing remote unauthenticated users to execute arbitrary code via crafted UDP packets even when passwords are set.
- CVE-2021-27573: Execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
- CVE-2021-27574: Carry out a software supply-chain attack by taking advantage of the app’s use of cleartext HTTP to check and request updates, resulting in a scenario where a victim could potentially download a malicious binary in place of the real update.
Persinger said he reported the flaws to Remote Mouse on Feb. 6, 2021, but noted he “never received a response from the vendor,” forcing him to publicly reveal the bugs following the 90-day disclosure deadline. We have reached out to the developers of Remote Mouse, and we will update the story if we hear back.