CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483 are remote code execution vulnerabilities in three popular mouse and keyboard apps.

Overview

The Synopsys Cybersecurity Research Center (CyRC) has exposed multiple vulnerabilities in three applications that enable an Android device to be used as a remote keyboard and mouse for a computer.

Lazy Mouse, Telepad, and PC Keyboard are keyboard and mouse applications that connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to the server. The free and paid versions of these three apps have a combined total of more than two million downloads from Google Play.

CyRC research uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps. An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.

Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different. The CyRC found vulnerabilities that enable authentication bypasses and remote code execution in the three applications, but did not find a single method of exploitation that applies to all three.

Affected software

  • Telepad versions 1.0.7 and prior
  • PC Keyboard versions 30 and prior
  • Lazy Mouse versions 2.0.1 and prior

Impact

CVE-2022-45477
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

  • CVSS 3.1 base score: 9.8
  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-45478
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.

  • CVSS 3.1 base score: 5.1
  • CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45479
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

  • CVSS 3.1 base score: 9.8
  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-45480
PC Keyboard allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.

  • CVSS 3.1 base score: 5.1
  • CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45481
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

  • CVSS 3.1 base score: 9.8
  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-45482
The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

  • CVSS 3.1 base score: 9.8
  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-45483
Lazy Mouse allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.

  • CVSS 3.1 base score: 5.1
  • CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Remediation

The CyRC reached out to the developers multiple times but did not receive a response within the 90-day timeline dictated by our responsible disclosure policy. These three applications are widely used, but they are neither maintained nor supported, and evidently, security was not a factor when these applications were developed. The CyRC recommends removing the applications immediately.

Discovery credit

These vulnerabilities were discovered by Mohammed Alshehri, a security researcher at Synopsys.

Timeline

  • August 13, 2022: Initial disclosure
  • August 18, 2022: Follow-up communication
  • October 12, 2022: Final follow-up communication
  • November 30, 2022: Advisory published by Synopsys

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization that publishes scores must follow the guidelines so that anyone can understand how the score was calculated.

This is a Security Bloggers Network syndicated blog from Application Security Blog authored by Mohammed Alshehri. Read the original post at: https://www.synopsys.com/blogs/software-security/cyrc-advisory-remote-code-execution-vulnerabilities-mouse-keyboard-apps/