Six zero-days have been disclosed in an application called Remote Mouse that allows a remote attacker to achieve full code execution without any user interaction.

The unpatched flaws, collectively called ‘Mouse Trap,’ were disclosed by security researcher Axel Persinger. According to him, this application is very vulnerable and puts users at risk with bad authentication mechanisms, lack of encryption, and poor default configuration.

Remote Mouse is a remote-control application for Android and iOS that converts mobile phones and tablets into a wireless mouse, keyboard, and trackpad for computers, with support for voice typing, adjusting computer volume, and switching between applications with the help of a Remote Mouse server installed on the machine.

The Android app alone was installed more than 10 million times.

The issues, which were identified by analyzing the packets sent from the Android app to its Windows service, could allow an attacker to intercept a user’s hashed password, rendering them susceptible to rainbow table attacks and even replay the commands sent to the computer.

The list of the six flaws include:

  • CVE-2021-27569: Maximize or minimize the window of a running process by sending the process name in a crafted packet.
  • CVE-2021-27570: Close any running process by sending the process name in a specially crafted packet.
  • CVE-2021-27571: Retrieve recently used and running applications, their icons, and their file paths.
  • CVE-2021-27572: An authentication bypass via packet replay, allowing remote unauthenticated users to execute arbitrary code via crafted UDP packets even when passwords are set.
  • CVE-2021-27573: Execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
  • CVE-2021-27574: Carry out a software supply-chain attack by taking advantage of the app’s use of cleartext HTTP to check and request updates, where a victim could potentially download a malicious binary in place of the real update.

The researcher has reported the flaws to Remote Mouse on Feb. 6, 2021, but he did not receive any response from the vendor. So, he had to publicly reveal the bugs following the 90-day disclosure deadline.

The post 6 Unpatched flaws disclosed in Remote Mouse app for Android and iOS first appeared on Cybersafe News.

You May Also Like

Critical vulnerability in Linux distros would allow for full system compromise; update now

This Thursday morning it was announced the release of a security patch…

2 critical vulnerabilities in the Linux operating system allow backdoors to be installed with root privileges

A Microsoft security report details the finding of a set of vulnerabilities…

CVE-2021-20026: Command injection vulnerability residing in SonicWall Network Security Manager patched. Update now

Nikita Abramov, a researcher at security firm Positive Technologies, issued an alert…

11 important vulnerabilities in Fortinet products FortiOS, FortiAnalyzer, FortiADC, FortiManager, FortiProxy, FortiClient, FortiDeceptor, FortiSwitch, FortiRecoder & FortiVoiceEnterprise 

Fortinet, an American multinational corporation headquartered in Sunnyvale, California. The company develops…