wifi mouse auth bypass to rce - CVE-2022-3218 #16985
Conversation
Hi @h00die, I made two attempts to get in contact with the developer through their email on their site. Despite my efforts to inform them of the password PIN bypass, they did not respond. It may be worthy of a CVE; however, I never did raise it to any CVE body. Awesome job on the well-designed msf module. Let me know if you need anything else.
@H4rk3nz0 do you have dates for when you reached out, and to what email (or a timeline in general you can share)? Just making sure we have all the ducks in a line for the CVE.
@h00die I reached out on the 25th of Feb 2021 to the developer's email (wangshimeng@gmail.com), the same day as I discovered the flaw.
Hi @h00die, thanks for the alert. I've reserved CVE-2022-3218 for this. Salient details:

Product name: WiFi Mouse (Mouse Server)

Description: Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution.
Reviewed documentation, review on module code to come next.
I see the layer 8 issue has arisen.
Updated the docs with some of your changes, and a bunch of the review comments. Things should be clearer now for the stager/target stuff.
Tested and working like a charm. Pushing up final minor edits for documentation purposes, and then this will be good to land.
Release Notes

A new module has been added for CVE-2022-3218, an unpatched (at the time of publication) authentication bypass in WiFi Mouse (Mouse Server) from Necta LLC, which can be used to gain RCE as the user running WiFi Mouse (Mouse Server).
This PR adds a new module to exploit an auth bypass to RCE in 'WiFi Mouse'.

@H4rk3nz0 looks like you were the original author (and your Twitter is gone); did you ever reach out to the company to responsibly disclose?

This is a neat exploit: you connect to the server, ask it to open cmd, then type out what you want on the user's screen. It's fun to watch the shellcode :).
There is 1 target, stager, which has 2 cmdstagers:

- psh_invokewebrequest (default): this one types the command and pulls back the payload nice and fast. You should use it in almost all circumstances.
- certutil: with it appearing on the user's screen, it's unreliable (needs ~3.5 min of solitude). If the user types anything or moves the focus to another window, the exploit will fail.

Verification

1. Start msfconsole
2. use exploit/windows/misc/wifi_mouse_rce
3. Set rhost and lhost as required.
4. run