The Black Duck Cybersecurity Research Center (CyRC) has exposed multiple vulnerabilities in three applications that allow an Android device to be used as a remote keyboard and mouse for a computer.
Lazy Mouse, Telepad, and PC Keyboard are keyboard and mouse applications that connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to the server. The free and paid versions of these three apps have a combined total of more than two million downloads from Google Play.
CyRC research uncovered weak or missing authentication, missing authorization, and insecure communication in the three apps. Exploiting the authentication and authorization vulnerabilities could allow a remote unauthenticated attacker to execute arbitrary commands on the host running the server component. Exploiting the insecure communication vulnerability exposes the user's keystrokes, including sensitive information such as usernames and passwords, to anyone positioned on the network path between the phone and the computer.
Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities all relate to how authentication, authorization, and transmission are implemented, each application fails in a different way. CyRC found vulnerabilities that enable authentication bypass and remote code execution in all three applications, but no single method of exploitation applies to all three.
CVE-2022-45477
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
CVE-2022-45478
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.
CVE-2022-45479
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
CVE-2022-45480
PC Keyboard allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.
CVE-2022-45481
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.
CVE-2022-45482
The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.
CVE-2022-45483
Lazy Mouse allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.
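The two Lazy Mouse authentication findings above (no password in the default configuration, and a short PIN with no rate limiting) are a general failure class, not something specific to that app. The Python below is an added illustration written for this page; it is not code from any of the three apps or from CyRC, and the message format, the four-digit numeric PIN, the class names and the lockout limits are all assumptions chosen to make the point reproducible. The weak server accepts input events with no credential by default and, when a PIN is set, checks it without any attempt limit, so the whole PIN space can be walked in one session. The hardened server pairs with a 128-bit random token, compares it in constant time, and locks a client out after a handful of failures.

```python
import hmac
import secrets
import time
from collections import deque

# Assumption (not the real apps' wire format): messages are dicts such as
# {"pin": "1234", "cmd": "key", "arg": "a"} or {"token": "...", "cmd": ..., "arg": ...}.


def execute(cmd, arg):
    """Stand-in for the input-injection handler; a real server would synthesize the event here."""
    return f"executed {cmd}:{arg}"


class WeakServer:
    """Models the advisory's failure modes: no password by default and, when a
    PIN is configured, a short numeric PIN with no limit on guesses."""

    def __init__(self, pin=None):
        self.pin = pin  # None models the default configuration: nothing is required

    def handle(self, msg):
        if self.pin is not None and msg.get("pin") != self.pin:
            return "denied"
        return execute(msg["cmd"], msg["arg"])


def brute_force_pin(server, digits=4):
    """Walk the whole numeric PIN space; returns (pin, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in range(10 ** digits):
        attempts += 1
        pin = f"{candidate:0{digits}d}"
        if server.handle({"pin": pin, "cmd": "key", "arg": "x"}) != "denied":
            return pin, attempts
    return None, attempts


class HardenedServer:
    """Random 128-bit pairing token, constant-time comparison, per-client lockout."""

    MAX_FAILURES = 5       # assumed limit
    LOCKOUT_SECONDS = 300  # assumed window

    def __init__(self, clock=time.monotonic):
        # Shown once to the user at pairing time instead of a guessable PIN.
        self.token = secrets.token_hex(16)
        self.clock = clock             # injectable so the lockout can be tested offline
        self.failures = {}             # client_id -> deque of failure timestamps

    def _locked(self, client_id):
        now = self.clock()
        q = self.failures.setdefault(client_id, deque())
        while q and now - q[0] > self.LOCKOUT_SECONDS:
            q.popleft()                # forget failures older than the window
        return len(q) >= self.MAX_FAILURES

    def handle(self, client_id, msg):
        if self._locked(client_id):
            return "locked"            # refuse before even looking at the credential
        supplied = str(msg.get("token", "")).encode()
        if not hmac.compare_digest(supplied, self.token.encode()):
            self.failures[client_id].append(self.clock())
            return "denied"
        return execute(msg["cmd"], msg["arg"])


def brute_force_token(server, client_id, tries):
    """Throw random guesses at the hardened server and tally its responses."""
    outcomes = {}
    for _ in range(tries):
        guess = secrets.token_hex(16)
        r = server.handle(client_id, {"token": guess, "cmd": "key", "arg": "x"})
        outcomes[r] = outcomes.get(r, 0) + 1
    return outcomes


if __name__ == "__main__":
    print(WeakServer().handle({"cmd": "key", "arg": "a"}))   # no PIN set: accepted outright
    print(brute_force_pin(WeakServer(pin="4821")))           # ('4821', 4822)
    print(brute_force_token(HardenedServer(), "attacker", 20))  # {'denied': 5, 'locked': 15}
```

The lockout is keyed by client, so a legitimate phone keeps working while a guessing client is refused; a production server would also bind the token to the transport (TLS or an authenticated channel) so that a passive observer cannot simply read it off the wire, which is the cleartext problem the three remaining CVEs describe.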
CyRC reached out to the developers multiple times but did not receive a response within the 90-day timeline set by its responsible disclosure policy. These three applications are widely used but are neither maintained nor supported, and security was evidently not a consideration when they were developed. CyRC recommends removing the applications, including the server component installed on the computer, immediately.
These vulnerabilities were discovered by Mohammed Alshehri, a security researcher at Black Duck.
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also requires that anyone who publishes scores follow its guidelines so that others can understand how the score was calculated.