The mobile application called WiFi Mouse, which allows users to control mouse movements on a PC or Mac with a smartphone or tablet, has an unpatched bug allowing adversaries to hijack desktop computers, according to researcher Christopher Le Roux, who found the flaw.
The flaw affects the WiFi Mouse “server software” that accompanies the Android app. It must be installed on a Windows system and allows the mobile app to control a desktop’s mouse movements. The flaw allows an adversary on the same Wi-Fi network to gain full access to the Windows PC via a communications port opened by the software.
WiFi Mouse, published by Necta, is available on Google Play and via Apple’s App Store marketplace under the publisher name Shimeng Wang. The only version Le Roux tested was the Windows 126.96.36.199 version of the WiFi Mouse software, running on a Windows (Enterprise Build 17763) system.
Despite multiple attempts to contact the app developer Necta, the company has not responded to either the researcher’s inquiries or Threatpost’s request for comment. It is unclear whether other versions of the WiFi Mouse desktop software, compatible with Mac, Debian and RPM, are also impacted.
Bug’s Impact: Limited to Desktops
According to Le Roux’s research, the unpatched bug does not impact Android mobile phones running the WiFi Mouse application. According to the developer’s Google Play marketplace description of WiFi Mouse, the application has been downloaded over 100,000 times.
The vulnerability, according to the developer, is tied to poor password and PIN security required by the Windows desktop application.
“The password/PIN option in the Windows Desktop app does not prevent remote control of a target running the software,” Le Roux told Threatpost. “I believe this may be an oversight on the part of the developer.”
The researcher said the application doesn’t properly prompt mobile app users to enter a password or a PIN in order to pair an Android mobile device running WiFi Mouse with the accompanying WiFi Mouse desktop server software. That lack of authentication opens the door for a rogue user to exploit the open data port used by WiFi Mouse, Le Roux said.
Open Port: Open Season for Attacks
“The WiFi Mouse mobile app scans for and connects to hosts with TCP port 1978 open. Upon connecting, the desktop server responds with OS information and the handshake is complete,” he wrote. “From within the mobile app you have a mouse touchpad option as well as a file explorer. The file explorer allows a user to ‘open’ any file on the System. This includes executable files such as cmd.exe or powershell.exe, which will open each command terminal respectively.”
Le Roux noted that this type of “unfettered access to a targeted system makes it as easy as sending ASCII characters as HEX with some padding on either side followed by a packet for the enter key.”
“This process is quick and easy to program especially because there is no encryption between the server and app,” he wrote in an email-based interview with Threatpost.
Needed Ingredients For an Attack
An adversary needs only the WiFi Mouse server software running on a targeted PC to exploit it – no mobile app needed. “Adversaries gain full remote command execution,” he said.
“Sadly the app can be easily mimicked even if it is not installed or on the network. The WiFi Mouse desktop server will accept any connection so long as it is running on an endpoint and the firewall isn’t blocking its listening port 1978,” Le Roux told Threatpost.
From there, an adversary can run a simple command on the targeted Windows system to download any executable program from an HTTP server and run it to get a remote shell on a target’s PC.
“This could be turned into an encoded PowerShell command or invoke-expression call to drop malware or load a fileless process,” he said. “Your limitations are those of the signed in user’s permissions and PowerShell.”
While the researcher said his tests were limited to PCs running Windows, he suspects – but cannot confirm – this issue may also impact other platforms.
“I have yet to do any testing on macOS. My testing on Debian Linux (Kali) shows that the file explorer option does not function appropriately. This does not eliminate the potential for ‘replaying’ mouse movement data and sending left click and enter key commands to substitute for lack of file explorer however,” he wrote.
“An attacker could still feasibly exploit a Unix based system with minimal effort,” he wrote.
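A defensive check for the exposure described above, as an added example that is not from the article or the researcher: it parses Windows `netstat -ano` output and reports listeners on TCP port 1978 that are reachable from the network, plus connected peers that are not a known paired device. The sample output, the IP addresses and the `paired_devices` allowlist are constructed for illustration.

```python
import ipaddress

WIFI_MOUSE_PORT = 1978  # TCP port the article says the desktop server listens on

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:1978           0.0.0.0:0              LISTENING       4312
  TCP    192.168.1.20:1978      192.168.1.57:50122     ESTABLISHED     4312
  TCP    192.168.1.20:1978      192.168.1.99:41877     ESTABLISHED     4312
  TCP    192.168.1.20:50311     93.184.216.34:443      ESTABLISHED     7020
  TCP    [::]:1978              [::]:0                 LISTENING       4312
"""

def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[::1]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def audit(netstat_text, paired_devices, port=WIFI_MOUSE_PORT):
    """Return findings for listeners on `port` that are reachable from the
    network and for connected peers that are not known paired devices."""
    allowed = {ipaddress.ip_address(a) for a in paired_devices}
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, UDP rows (no State column), blank lines
        _, local, remote, state, pid = fields
        local_ip, local_port = split_endpoint(local)
        if local_port != port:
            continue
        if state == "LISTENING" and not local_ip.is_loopback:
            findings.append(("exposed_listener", str(local_ip), int(pid)))
        elif state == "ESTABLISHED":
            remote_ip, _ = split_endpoint(remote)
            if remote_ip not in allowed:
                findings.append(("unknown_peer", str(remote_ip), int(pid)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, paired_devices=["192.168.1.57"]):
        print(finding)
```

Because the server accepts any connection, an `exposed_listener` finding on an untrusted network is the condition to remove, either by stopping the server or by blocking inbound TCP 1978 at the host firewall.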