6 Unpatched Flaws Disclosed in Remote Mouse App for Android and iOS

Cyber Security

As many as six zero-days have been uncovered in an application called Remote Mouse, allowing a remote attacker to achieve full code execution without any user interaction.

The unpatched flaws, collectively named ‘Mouse Trap,‘ were disclosed on Wednesday by security researcher Axel Persinger, who said, “It’s clear that this application is very vulnerable and puts users at risk with bad authentication mechanisms, lack of encryption, and poor default configuration.”

password auditor

Remote Mouse is a remote control application for Android and iOS that turns mobile phones and tablets into a wireless mouse, keyboard, and trackpad for computers, with support for voice typing, adjusting computer volume, and switching between applications with the help of a Remote Mouse server installed on the machine. The Android app alone has been installed over 10 million times.

In a nutshell, the issues, which were identified by analysing the packets sent from the Android app to its Windows service, could allow an adversary to intercept a user’s hashed password, rendering them susceptible to rainbow table attacks and even replay the commands sent to the computer.

A quick summary of the six flaws is as follows –

  • CVE-2021-27569: Maximize or minimize the window of a running process by sending the process name in a crafted packet.
  • CVE-2021-27570: Close any running process by sending the process name in a specially crafted packet.
  • CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
  • CVE-2021-27572: An authentication bypass via packet replay, allowing remote unauthenticated users to execute arbitrary code via crafted UDP packets even when passwords are set.
  • CVE-2021-27573: Execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
  • CVE-2021-27574: Carry out a software supply-chain attack by taking advantage of the app’s use of cleartext HTTP to check and request updates, resulting in a scenario where a victim could potentially download a malicious binary in place of the real update.

Persinger said he reported the flaws to Remote Mouse on Feb. 6, 2021, but noted he “never received a response from the vendor,” forcing him to publicly reveal the bugs following the 90-day disclosure deadline. We have reached out to the developers of Remote Mouse, and we will update the story if we hear back.

Products You May Like

Articles You May Like

Vat Purnima, Honey, Strawberry, Rose: Here’s How the Upcoming June Full Moon Is Known Across the World
HPE acquires Determined AI to bolster its high-performance compute business
Poco F3 GT Specifications Tipped by Alleged US FCC Listing, May Come With Wi-Fi 6
Tomi.ai raises $1M to help brick-and-mortar companies optimize digital ads
Tesla’s former automotive chief sold more than $270 million of stock after leaving on June 3

Leave a Reply

Your email address will not be published. Required fields are marked *