CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483 are remote code execution vulnerabilities in three popular mouse and keyboard apps.
The Synopsys Cybersecurity Research Center (CyRC) has exposed multiple vulnerabilities in three applications that enable an Android device to be used as a remote keyboard and mouse for a desktop or laptop computer.
Lazy Mouse, Telepad, and PC Keyboard are keyboard and mouse applications that connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to the server. The free and paid versions of these three apps have a combined total of more than two million downloads from Google Play.
CyRC research uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps. An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.
Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different. The CyRC found vulnerabilities that enable authentication bypasses and remote code execution in the three applications, but did not find a single method of exploitation that applies to all three.
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
PC Keyboard allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.
The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.
Lazy Mouse allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.
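As an added defensive example (not code from the advisory or from any of the three apps), the following Python server-side PIN gate closes the Lazy Mouse gaps listed above: a generated PIN is mandatory instead of a passwordless default, a minimum length is enforced, repeated failures lock the client address out for a while, and the comparison is constant time. The class name, limits, and client identifiers are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Assumed policy values for this illustration.
MIN_PIN_LENGTH = 8     # reject short PINs that fall to a quick brute force
MAX_FAILURES = 5       # failed attempts per client before lockout
LOCKOUT_SECONDS = 60   # how long a locked-out client must wait


def generate_pin():
    """Random PIN for first start, replacing a no-password default."""
    return secrets.token_urlsafe(9)  # 12 URL-safe characters


class PinGate:
    """Authenticates remote-input clients before any keystroke is accepted."""

    def __init__(self, pin, clock=time.monotonic):
        if pin is None or len(pin) < MIN_PIN_LENGTH:
            raise ValueError("a PIN of at least %d characters is required"
                             % MIN_PIN_LENGTH)
        self._pin = pin.encode()
        self._clock = clock                  # injectable for testing
        self._failures = defaultdict(int)    # client -> consecutive failures
        self._locked_until = {}              # client -> monotonic deadline

    def is_locked(self, client):
        return self._clock() < self._locked_until.get(client, 0)

    def authenticate(self, client, attempt):
        # Locked clients are refused outright, even with the right PIN,
        # so an attacker cannot keep guessing at full speed.
        if self.is_locked(client):
            return False
        # compare_digest avoids timing leaks on the PIN bytes.
        if hmac.compare_digest(self._pin, attempt.encode()):
            self._failures.pop(client, None)
            self._locked_until.pop(client, None)
            return True
        self._failures[client] += 1
        if self._failures[client] >= MAX_FAILURES:
            self._locked_until[client] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(client, None)
        return False
```

The gate only covers authentication; the cleartext transmission noted above still has to be addressed separately by encrypting the transport.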
The CyRC reached out to the developers multiple times but did not receive a response within the 90-day timeline dictated by our responsible disclosure policy. These three applications are widely used, but they are neither maintained nor supported, and evidently security was not a factor when they were developed. The CyRC recommends removing the applications immediately.
These vulnerabilities were discovered by Mohammed Alshehri, a security researcher at Synopsys.
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores must follow the guidelines so that anyone can understand how the score was calculated.
Mohammed Alshehri is a security consultant for Synopsys and the author of www.shellcode.blog. His professional interests are in both the defensive and offensive sides of security. He enjoys discovering software vulnerabilities, automation, homelabbing, and hacking infrastructures. Mohammed currently holds the Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), Offensive Security Web Expert (OSWE), and other security certifications.