6 Unpatched Flaws Disclosed in Remote Mouse App for Android and iOS

May 7, 2021 by iHash Leave a Comment

As many as six zero-days have been uncovered in an application called Remote Mouse, allowing a remote attacker to achieve full code execution without any user interaction.

The unpatched flaws, collectively named ‘Mouse Trap,’ were disclosed on Wednesday by security researcher Axel Persinger, who said, “It’s clear that this application is very vulnerable and puts users at risk with bad authentication mechanisms, lack of encryption, and poor default configuration.”

Remote Mouse is a remote control application for Android and iOS that turns mobile phones and tablets into a wireless mouse, keyboard, and trackpad for computers, with support for voice typing, adjusting computer volume, and switching between applications with the help of a Remote Mouse server installed on the machine. The Android app alone has been installed over 10 million times.

In a nutshell, the issues, which were identified by analysing the packets sent from the Android app to its Windows service, could allow an adversary to intercept a user’s hashed password, rendering them susceptible to rainbow table attacks and even replay the commands sent to the computer.

A quick summary of the six flaws is as follows –

CVE-2021-27569: Maximize or minimize the window of a running process by sending the process name in a crafted packet.
CVE-2021-27570: Close any running process by sending the process name in a specially crafted packet.
CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
CVE-2021-27572: An authentication bypass via packet replay, allowing remote unauthenticated users to execute arbitrary code via crafted UDP packets even when passwords are set.
CVE-2021-27573: Execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
CVE-2021-27574: Carry out a software supply-chain attack by taking advantage of the app’s use of cleartext HTTP to check and request updates, resulting in a scenario where a victim could potentially download a malicious binary in place of the real update.

Persinger said he reported the flaws to Remote Mouse on Feb. 6, 2021, but noted he “never received a response from the vendor,” forcing him to publicly reveal the bugs following the 90-day disclosure deadline. We have reached out to the developers of Remote Mouse, and we will update the story if we hear back.

Source link

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The 2023 Travel Hacker Bundle ft. Rosetta Stone Lifetime Subscription for $199

Expires January 30, 2024 23:59 PST Buy now and get 94% off Rosetta Stone: Lifetime Subscription (All Languages) KEY FEATURES The benefits of learning to speak a second language (or third) are immeasurable! With its intuitive, immersive training method, Rosetta Stone will have you reading, writing, and speaking new languages like a natural in no […]

Apple iPad Air 2, 16GB – Silver (Refurbished: Wi-Fi Only) for $106

Expires July 11, 2120 23:59 PST Buy now and get 40% off KEY FEATURES The iPad Air 2 boasts 40% faster CPU performance and 2.5 times the graphics performance when compared to its predecessor. Its 9.7″ LED-backlit Retina IPS LCD with a resolution of 2048×1536 provides richer colors, greater contrast, and sharper images for a […]

S300 eufyCam (eufyCam 3C) 3-Cam Kit for $579

Expires January 03, 2123 19:28 PST Buy now and get 0% off KEY FEATURES See 4K Detail Day and Night 180-Day Battery Life Up to 16 TB Expandable Local Storage (Additional Storage Drive Not Included) BionicMind AI Differentiates Family and Strangers HomeBase 3 Centralize Security Management PRODUCT SPECS Resolution 4K (3840×2160)° Night Vision Infrared & […]

eufy SpaceView Add-On Video Baby Monitor for $99

Expires January 28, 2123 06:33 PST Buy now and get 0% off Sweet Dreams on the Big Screen: The large 5″ 720p video baby monitor display shows a sharp picture with 10 times more detail than ordinary 240p-display baby monitors. Long-Lasting Views: Watch your baby for up to 15 hours per chargeplenty of time to […]

ISC Releases Security Patches for New BIND DNS Software Vulnerabilities

Jan 28, 2023Ravie LakshmananServer Security / DNS The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. “A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and […]

eufy Solo IndoorCam C24 (2K, 2-Cam Kit, Plug-in) for $75

Expires January 04, 2123 21:34 PST Buy now and get 0% off KEY FEATURES Knows Whos There: The on-device AI instantly determines whether a human or pet is present within the cameras view. The Key is in the Detail: View every event in up to 2K clarity (1080P while using HomeKit) so you see exactly […]

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

The 2023 Travel Hacker Bundle ft. Rosetta Stone Lifetime Subscription for $199

Apple iPad Air 2, 16GB – Silver (Refurbished: Wi-Fi Only) for $106

S300 eufyCam (eufyCam 3C) 3-Cam Kit for $579

eufy Baby Monitor 2 (2K, Smart, Wi-Fi) for $119

eufy SpaceView Add-On Video Baby Monitor for $99

6 Unpatched Flaws Disclosed in Remote Mouse App for Android and iOS

The 2023 Travel Hacker Bundle ft. Rosetta Stone Lifetime Subscription for $199

Apple iPad Air 2, 16GB – Silver (Refurbished: Wi-Fi Only) for $106

S300 eufyCam (eufyCam 3C) 3-Cam Kit for $579

eufy Baby Monitor 2 (2K, Smart, Wi-Fi) for $119

eufy SpaceView Add-On Video Baby Monitor for $99

Share this:

Reader Interactions

Leave a Reply Cancel reply