Remote control app for desktop PCs has surpassed 20m users, says vendor
Six zero-day vulnerabilities in Remote Mouse, a hugely popular app that turns tablets and smartphones into remote controllers for desktop PCs, could potentially lead to zero-click remote code execution (RCE).
Collectively dubbed ‘MouseTrap’, the security flaws arise from the use of authentication with a password hash that can be intercepted and looked up in a rainbow table, and the absence of encryption and cryptographic nonces in communications, according to a blog post published by security researcher Axel Persinger on May 5.
Remote Mouse simulates the functions of a mouse, keyboard, and touchpad on Windows, macOS, and Linux machines, and is compatible with iOS, Android, and Windows mobile devices.
The app’s developer, Emote Interactive, claims it has been used by more than 20 million users worldwide.
During his research, Persinger found that the absence of a nonce in User Datagram Protocol (UDP) packets sent from devices to desktop PCs means attackers can “freely inject keystrokes” with no user interaction.
Exploitation of the vulnerabilities in the application protocol can potentially “result in the complete takeover of someone’s machine, if they’re running the software. And the exploit would run at the privilege level of the user”, the researcher told The Daily Swig.
“There are a lot of oblivious users who could be completely owned without ever realizing,” said Persinger.
Alerting the vendor
The researcher says he found the flaws in Remote Mouse version 3.015, and that they were still present in version 18.104.22.168, which has been released since he alerted the vendor.
As of today (May 10), he told The Daily Swig that Emote Interactive, which appears to be based in Hong Kong, had still not replied to his email alerting them to the vulnerabilities on February 6.
The Daily Swig also sent queries to Emote Interactive on May 7 and we’ve yet to receive a reply. We will update this article should there be any further developments.
The flaws, which are yet to be assigned CVSS scores, mean attackers can exploit the absence of authentication logic and the fact that information is sent in cleartext to “maximize or minimize the window of a running process by sending the process name in a crafted packet” (CVE-2021-27569).
According to the researcher, an attacker would also be able to “close any running process by sending the process name in a specially crafted packet” (CVE-2021-27570), and “retrieve recently used and running applications, their icons, and their file paths” (CVE-2021-27571).
Another two flaws allow unauthenticated users to “execute arbitrary code via crafted UDP packets” – one through an authentication bypass via packet replay (CVE-2021-27572), and another “with no prior authorization or authentication” (CVE-2021-27573).
Finally, the use of “cleartext HTTP to check, and request, updates” means “attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings” (CVE-2021-27574).
“Once you realize how keystrokes and mouse movements are passed from the mobile app to the computer, I think it becomes pretty straightforward to exploit” these vulnerabilities, says Persinger.
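The replay bypass described above works because the receiver accepts the same datagram twice and cannot tell who sent it. The following is an added example, not code from the researcher or from Remote Mouse: a generic receiver that authenticates every datagram with an HMAC over a counter and payload and drops replays. The packet layout, the pre-shared random key, and the `KEY a` / `KEY b` payloads are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
HDR_LEN = 8   # big-endian 64-bit message counter (assumed layout)

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender: counter || payload || HMAC(key, counter || payload)."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Accepts a datagram only if its tag verifies and its counter is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def open(self, datagram: bytes):
        if len(datagram) < HDR_LEN + TAG_LEN:
            return None  # too short to hold counter and tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        (counter,) = struct.unpack(">Q", body[:HDR_LEN])
        if counter <= self.last_counter:
            return None  # replayed (or reordered) datagram
        self.last_counter = counter
        return body[HDR_LEN:]

def demo():
    key = os.urandom(32)  # assumption: random key shared out of band
    rx = Receiver(key)
    first = seal(key, 1, b"KEY a")  # constructed sample payload
    forged = struct.pack(">Q", 2) + b"KEY b" + bytes(TAG_LEN)
    return [
        rx.open(first),                   # accepted
        rx.open(first),                   # byte-for-byte replay: dropped
        rx.open(forged),                  # no valid tag: dropped
        rx.open(seal(key, 2, b"KEY b")),  # next counter: accepted
    ]

if __name__ == "__main__":
    print(demo())
```

This covers integrity and replay only; the payload still travels in cleartext, so confidentiality would need encryption on top (for example an AEAD mode keyed the same way).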
Warning the app stores
In lieu of a response from the vendor, Persinger contacted Microsoft, Apple, and Google “to see if they would remove the application” from their respective mobile app stores, but none had replied at the time of press.
He also says that, based on advice gleaned from other infosec experts, next time a vulnerability report fails to elicit a vendor response he would “email a few different addresses at the 90 day, 60 day, and 30 day marks”.
“The reason I’m doing this work is to protect end users’ security, and the last thing I want to do is hurt that,” he said.