Six unpatched bugs have been discovered in the Remote Mouse app that allow a remote attacker to execute arbitrary code without requiring any user interaction.
Axel Persinger, a security researcher, disclosed the unpatched Remote Mouse bugs, collectively known as “Mouse Trap”.
According to Persinger, weak authentication mechanisms, a lack of encryption, and the app’s default configuration make it extremely vulnerable and put its users at risk.
Remote Mouse is a remote-control app for Android and iOS that turns mobile phones and tablets into a wireless mouse, keyboard, and trackpad for computers, with support for voice typing, adjusting computer volume, and switching between applications through a Remote Mouse server installed on the computer.
The Android app alone has been downloaded over ten million times.
The Remote Mouse bugs (Mouse Trap) were discovered after examining packets sent from the Android app to its Windows service.
These bugs could allow an attacker to intercept a user’s hashed password, exposing it to rainbow-table attacks, and even to replay commands previously sent to the device.
The following are the six bugs discovered:
- CVE-2021-27569: Send the process name in a crafted packet to maximize or minimize the window of a running process.
- CVE-2021-27570: Send the process name in a specially crafted packet to terminate any running process.
- CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
- CVE-2021-27572: A packet-replay authentication bypass that allows remote, unauthenticated users to execute arbitrary code via crafted UDP packets, even when a password is set.
- CVE-2021-27573: Execute arbitrary code via crafted UDP packets without any prior authorization or authentication.
- CVE-2021-27574: Perform a software supply-chain attack by exploiting the app’s use of cleartext HTTP to search for and request updates, allowing a victim to download a malicious binary in place of the legitimate update.
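The hashed-password interception and packet-replay bypass described above both stem from the same design flaw: a static credential hash that is reused on every packet. The following is an added, simplified model (not Remote Mouse's actual protocol, packet format or code) contrasting that weak scheme with a single-use nonce challenge-response, which makes a captured exchange worthless for replay; the password and key derivation are constructed for the demo.

```python
import hashlib
import hmac
import os

PASSWORD = "hunter2"  # constructed demo value, not a real credential


# --- Weak scheme: the client sends the same static hash with every command.
def weak_token(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def weak_server_accepts(token: str, stored_hash: str) -> bool:
    # The token never changes, so anything sniffed once is valid forever,
    # and the captured hash can be attacked offline with a rainbow table.
    return hmac.compare_digest(token, stored_hash)


# --- Hardened scheme: server issues a fresh random nonce per session and the
# client proves knowledge of the secret with an HMAC over that nonce.
def derive_key(password: str) -> bytes:
    # Demo-only key derivation; a real deployment would use a slow KDF (e.g. scrypt).
    return hashlib.sha256(password.encode()).digest()


class NonceServer:
    def __init__(self, password: str):
        self.key = derive_key(password)
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:  # unknown or already-used nonce
            return False
        self.outstanding.discard(nonce)  # single use: a replay fails here
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def demo() -> dict:
    stored = weak_token(PASSWORD)
    sniffed = weak_token(PASSWORD)  # what a passive observer sees on the wire
    srv = NonceServer(PASSWORD)
    nonce = srv.challenge()
    resp = client_response(PASSWORD, nonce)
    return {
        "weak_replay_accepted": weak_server_accepts(sniffed, stored),  # True
        "nonce_first_use_ok": srv.verify(nonce, resp),  # True
        "nonce_replay_ok": srv.verify(nonce, resp),  # False
    }
```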
The bugs were reported to the vendor on February 6, 2021, but no response was received.
As a result, Persinger disclosed them publicly after the 90-day deadline passed.