As many as six zero-day flaws have been found in the Remote Mouse app for Android and iOS. They may allow bad actors to execute code without user interaction.
According to security researcher Axel Persinger, the Remote Mouse app has a collection of flaws aptly called ‘Mouse Trap’. The application is vulnerable and puts users at risk through a bad authentication mechanism, lack of encryption, and poor default configuration.
Remote Mouse for Android and iOS is a popular app that turns your phone or tablet into a multifunction device, i.e. a wireless mouse, keyboard, and trackpad for computers. The app also offers support for voice typing, adjusting computer volume, and switching between applications. You need to install the app server on your local machine or laptop.
The flaw lies in the packets sent from the Android app to its Windows service. Bad actors can exploit this to intercept a user’s hashed password, leaving it susceptible to rainbow table attacks, and even to replay the commands sent to the computer.
What Are the Remote Mouse App for Android and iOS Security Flaws?
- CVE-2021-27569: The window of a running process is maximized or minimized by sending the process name in a crafted packet.
- CVE-2021-27570: Sends the process name in a specially crafted packet to close any running process.
- CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
- CVE-2021-27572: An authentication bypass via packet replay, allowing remote unauthenticated users to execute arbitrary code via crafted UDP packets even when passwords are set.
- CVE-2021-27573: Execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
- CVE-2021-27574: Carry out a software supply-chain attack by taking advantage of the app’s use of cleartext HTTP to check and request updates, resulting in a scenario where a victim could potentially download a malicious binary in place of the real update.
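The replay weakness behind CVE-2021-27572 comes down to a credential that is identical in every packet. The following is an added example, not Remote Mouse's protocol or code: the packet layouts, names, and the password are constructed assumptions, and it contrasts a static password hash with an HMAC bound to a per-session nonce and a strictly increasing counter.

```python
import hashlib, hmac, os, struct

PASSWORD = b"constructed-example-password"  # constructed sample secret, not from the page

def weak_packet(command):
    # Weak pattern: the same unsalted hash accompanies every command.
    return hashlib.sha256(PASSWORD).digest() + command

def weak_accept(packet):
    return hmac.compare_digest(packet[:32], hashlib.sha256(PASSWORD).digest())

class HardenedReceiver:
    """Accepts tag(32) || counter(8) || command, each packet valid at most once."""
    def __init__(self):
        # Salted, slow key derivation blunts precomputed (rainbow) tables.
        self.key = hashlib.pbkdf2_hmac("sha256", PASSWORD, b"constructed-salt", 100_000)
        self.nonce = os.urandom(16)  # fresh per session, sent to the client
        self.last_counter = 0

    def accept(self, packet):
        if len(packet) < 40:
            return False
        tag, counter_bytes, command = packet[:32], packet[32:40], packet[40:]
        expected = hmac.new(self.key, self.nonce + counter_bytes + command,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key, wrong session, or modified command
        (counter,) = struct.unpack(">Q", counter_bytes)
        if counter <= self.last_counter:
            return False  # already seen: replay within this session
        self.last_counter = counter
        return True

def hardened_packet(key, nonce, counter, command):
    counter_bytes = struct.pack(">Q", counter)
    tag = hmac.new(key, nonce + counter_bytes + command, hashlib.sha256).digest()
    return tag + counter_bytes + command

def demo():
    captured = weak_packet(b"VOLUME_UP")
    weak_replay = weak_accept(captured) and weak_accept(captured)
    srv = HardenedReceiver()
    pkt = hardened_packet(srv.key, srv.nonce, 1, b"VOLUME_UP")
    first, replay = srv.accept(pkt), srv.accept(pkt)
    cross_session = HardenedReceiver().accept(pkt)  # new nonce, old packet
    return weak_replay, first, replay, cross_session

if __name__ == "__main__":
    print(demo())
```

This addresses replay and integrity only; it does not encrypt the commands, so the lack of encryption noted above would still need a confidential channel.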
According to Persinger, he reported the flaws to Remote Mouse on Feb. 6, 2021, but never received any response. This forced him to disclose the bugs publicly once the 90-day disclosure deadline had passed. Let’s hope Remote Mouse takes note of the numerous flaws and gets them fixed ASAP.